• About us
  • Raising The Bar
  • Risk Committees
  • Team
  • Events
  • Blog
  • Contact
  • Menu

The Risk Coalition

  • About us
  • Raising The Bar
  • Risk Committees
  • Team
  • Events
  • Blog
  • Contact
photo-of-person-peeking-through-the-hole-3820281.jpg

Guess who’s back? 

July 22, 2020

Hard to imagine as it is with Covid-19 still dominating the headlines, but cyber risk is back on the agenda in a big way.  The recent ‘Twitter-takeover’ attack and the continued malign activities of the Russian intelligence services remind us that the ‘new normal’ probably includes an increased exposure to cyber risk.  

Huge numbers of employees continue to work from home, some using technologies, such as Zoom or Microsoft Teams, implemented in a hurry by their IT departments.  Firms are relying on control frameworks never designed to cope with this scale of remote access and homeworking.  

Boards understand the potential for damage.  But what they really want to know is: how exposed is the business, and what can be done to mitigate the risks?  

As with explaining all technical matters, it’s important to provide board members with a frame of reference they can understand and that will support exploration of the issues.  In the case of cyber, it’s useful to introduce the idea of cyber security objectives – the primary ones being confidentiality, integrity and availability of information.    

The next step is to use these objectives to explore a range of cyber scenarios.  Take, for example, the case of a US defence contractor that discovered that for a number of years every time someone in the organisation printed a document, a copy was also sent to an IP address in China.  

In this case there was no impact on integrity or availability of information.  However, confidentiality was blown.  This case provides several lessons:

  1. The old model of building ‘onion ring’ defences – increasing strength through layers of security – is no longer sufficient.  Your business will, at some point, face a breach.  So what are you going to do? 

  2. Think the unthinkable.  In the example above, existing state of the art anti-malware software didn’t pick up the rogue code on the network because “it was like nothing we had ever seen before.”  (A big hello to People’s Liberation Army Unit 61398 in Shanghai.  Nice job.) In a world where state (or state-like) resources can be applied to finding holes in your defences, you’re going to spring a leak.  So board member discussions need to change from a prevent model to one of harm-reduction and accelerated recovery.  This is an area where the strategic expertise of non-executives can add real value.  

  3. Think the unthinkable - again.  Cyber-terrorism and malign state actors are real.  It’s not hard to imagine a scenario whereby a terrorist organisation or hostile state actor seeks to place sleepers in your and other financial sector organisations, waiting for the signal to launch a concerted attack on the UK’s financial infrastructure.  Think about it – in this scenario the baddies don’t need to penetrate your firewalls.  They are already on your network and have spent a long time preparing.  And they don’t care about getting caught.  

If nothing more, a high-quality board discussion on cyber risk should ensure that board members have their eyes opened to the cyber challenges facing the business.  It should also be possible to help them focus on what can be done relatively quickly and easily to manage the risks - like encrypting sensitive data.

Chris Burt - Risk Coalition

Tags: Chris Burt
Prev / Next

Blog

Featured
Sep 4, 2024
Polly Williams, Mia Harris
Three key threats of phishing to be aware of
Sep 4, 2024
Polly Williams, Mia Harris
Sep 4, 2024
Polly Williams, Mia Harris
Aug 25, 2024
Felix Ritchie
Principles versus rules in data and corporate governance
Aug 25, 2024
Felix Ritchie
Aug 25, 2024
Felix Ritchie
Jul 16, 2024
Jane Hunter, Mia Harris
How can you maintain high standards in your business without suffering burnout?
Jul 16, 2024
Jane Hunter, Mia Harris
Jul 16, 2024
Jane Hunter, Mia Harris
Jun 2, 2024
Afshan Moeed
Enforcement of individual accountability in UK banking: a new boardroom recipe for change or continuity?
Jun 2, 2024
Afshan Moeed
Jun 2, 2024
Afshan Moeed
May 28, 2024
Craig Morris, Mia Harris
Three exciting new developments for AI in 2024 that you need to know about
May 28, 2024
Craig Morris, Mia Harris
May 28, 2024
Craig Morris, Mia Harris
May 24, 2024
Stefan Hunziker
The stuff of nightmares: risk management is shut down, and nobody notices
May 24, 2024
Stefan Hunziker
May 24, 2024
Stefan Hunziker
Mar 20, 2024
Neil Tinegate
What should boards know about digital technology?
Mar 20, 2024
Neil Tinegate
Mar 20, 2024
Neil Tinegate
Mar 15, 2024
Francis Kean
The insolvency risk for company directors - are you swimming naked?
Mar 15, 2024
Francis Kean
Mar 15, 2024
Francis Kean
Feb 29, 2024
Andy Watkins-Child
Are you sitting comfortably?  Cyber risk, board attestations and the implications for NEDs
Feb 29, 2024
Andy Watkins-Child
Feb 29, 2024
Andy Watkins-Child
Oct 24, 2023
Mamun Madaser
Risk management and internal audit should collaborate to navigate the poly-crisis of risk
Oct 24, 2023
Mamun Madaser
Oct 24, 2023
Mamun Madaser
Oct 18, 2023
Jim Watson
How to mitigate the risk of cyber security breaches – part 2
Oct 18, 2023
Jim Watson
Oct 18, 2023
Jim Watson
Oct 13, 2023
Nisha Sanghani
Risk management and internal controls: much (needed) work to do as a result of the proposed changes to the UK Corporate Governance Code
Oct 13, 2023
Nisha Sanghani
Oct 13, 2023
Nisha Sanghani
Oct 9, 2023
Jim Watson
How to mitigate the risk of cyber security breaches – part 1
Oct 9, 2023
Jim Watson
Oct 9, 2023
Jim Watson
Sep 25, 2023
Chris Burt
The implications of the revised UK Corporate Governance Code
Sep 25, 2023
Chris Burt
Sep 25, 2023
Chris Burt
Sep 13, 2023
Andrew Cunningham
Financial regulators take aim at crypto-finance
Sep 13, 2023
Andrew Cunningham
Sep 13, 2023
Andrew Cunningham