Cyber attack – it’s not ‘if’ it’s ‘when’
When cyber breaches occur for big business, it makes front pages – Sony, Ashley Madison, Target and TalkTalk have all made the news for the wrong reasons over the last few years.
What the media frenzy often disguises is that all businesses are affected when it comes to cyber security, however big or small.
According to UK government figures, 74% of small businesses in the UK had some sort of cyber incident last year and I’ve had first-hand experience of just such an incident.
I work with a coach who was due to send me a proposal recently ahead of our next engagement.
Unfortunately, she was unable to send it because her network had been attacked. Most of her company documentation had been encrypted by a hacker who had got into their IT system and was demanding a ransom in return for ‘unlocking’ their data.
That’s a company of less than ten people. A small business with a public profile to match. For larger organisations, reputational damage is a real risk, too.
The lesson: We will get hacked
One of the key priorities for every business – of any size – is to challenge their existing mindset when it comes to cyber security.
I believe it’s the wrong approach when businesses think that it’s a case of ‘if’ we have a cyber incident rather than ‘when’.
Central to our cyber security strategy here at Hiscox is the assumption that cyber security breaches are unavoidable – they will happen. We will get hacked.
It may sound alarming to hear the chief information officer of a FTSE-250 company admit we can’t prevent an attack. However, it's only once you recognise this that you can try to prepare your business in the right way.
Yes, you need good protection around your most sensitive data – and we aim to adopt market leading practice in this area – but it is just as important to focus on how you detect, respond and recover from an incident in a timely manner.
Companies can find themselves unofficially black-listed if their data and cyber insurance isn’t up to scratch, or risk being penalised when their response is inadequate. Perhaps they don’t respond quickly enough, or they respond with incomplete or – even worse – contradictory information.
It’s not IT’s problem
As well as the inevitability of an attack, it’s important to recognise this is not just an IT problem.
One of the best things that stands out for me from the last nine months was my CEO saying, "this is a business risk and I am the owner of that risk. It’s not IT’s responsibility, it’s not compliance’s responsibility – it’s my responsibility. It is a business problem and I am ultimately responsible for that."
People around the business respond to that ownership. In fact, perhaps my CEO should be writing this blog!
Four steps for dealing with cyber threat
With these factors in mind, our strategy for dealing with cyber risk revolves around four key areas. Although they’ve been developed for Hiscox, I think they’re relevant for any size business, no matter how small.
1. Raise awareness across the organisation
We are raising awareness regarding cyber security from people on the front line of the business right up to board level.
The importance of password policies and awareness of phishing emails is being emphasised in internal communications. And we’re also developing a set of computer-based training modules across the cyber area that staff will need to complete.
We can invest a lot of money trying to increase our perimeter defence through firewalls, anti-virus software and network protection, but if one staff member opens the door by clicking on the wrong link or entering their credentials on a suspect website, then all that perimeter security is useless.
2. Know your data
It is important to protect our IT perimeter but that perimeter is ever-shifting with the use of mobile devices for employees – tablets, smartphones, laptops – as well as working with third parties who have access to our network.
Instead of trying to reinforce our perimeter all the time and building bigger walls around Hiscox, we have reshaped our strategy to a more data-centric approach.
We have identified those core pieces of sensitive data we hold (i.e. our crown jewels), whether it’s customer or employee data, and we’re building stronger defences around those data sets.
3. Get ready – have a response plan
As an IT function we get the opportunity to practise some elements of our response plan on an occasional basis due to the nature of our work and the environment we operate in.
However, a proper response plan goes well beyond the technology and includes good coordination across the company: communication to the media, clients and employees, for instance, as well as how we deal with the regulators and other stakeholders.
Ask yourself how ready you would be if there was an incident at 8am on a Sunday morning.
4. Get certified
There isn’t much information sharing among companies when it comes to cyber security because it is such a sensitive area. So it can be hard to benchmark ourselves against others.
The best alternative is to engage an external third party to look at your defences and processes and do an external assessment.
We are currently going through the Cyber Essentials scheme – part of the government’s cyber security strategy and open for any size business to participate in.
We’re working with a specialist firm whose report will tell us where we are good and where we are weak. This is much more powerful than relying on internal assessment alone.
Companies expect their trading partners to be secure
It is also worth emphasising that many organisations – like us – will do due diligence on suppliers to assess how cyber secure they are, given they are often part of our perimeter.
We will put a relationship on hold if we are not satisfied by a supplier’s cyber security.
A constantly evolving threat
Cyber crime is like drug smuggling. Just as the traffickers get more sophisticated all the time, so do the hackers.
It is a constantly evolving landscape where companies like us get more sophisticated at protecting ourselves and hackers get more sophisticated in their attempts to penetrate us.
The type of threat you see is changing all the time. Ten years ago it was the badly written email scam from Nigeria; today it could be well-informed CEO fraud.
Whatever the tactic, if every business – no matter what size – assumes an attack is inevitable, it will be in a better place to manage the incident, with as little impact to its business and its clients as possible.
Stephane Flaquet is Hiscox’s CIO.