By Jessica Tasman-Jones
Companies should run “shields up” on cyber security, say experts
Directors’ attention has turned back to cybersecurity after a dip during the pandemic, says the UK government.
A survey carried out in late March by the Department for Digital, Culture, Media and Sport (DCMS) shows that 82 per cent of organisations believe that cybersecurity is a priority.
This compared with 77 per cent in 2021, when the effects of Covid-19 meant that companies focused on business continuity.
Cyber criminals did not rest, however. UK businesses lost £374mn from cyber breaches linked to staff working from home, says Diligent, a global expert in governance, risk and compliance.
The stronger interest in cybersecurity could not be more timely. Last month Moody’s, the ratings agency, warned that Russia’s invasion of Ukraine had raised the risk of cyber attacks worldwide. It said critical infrastructure would be a key target, although private companies were also at a higher risk of attack.
In March, Britain’s National Cyber Security Centre called on all UK organisations to bolster online defences in response to the war.
In the US, the Department of Homeland Security stressed to company directors the importance of including chief information security officers in decision-making. Officials also urged companies to lower the threshold for reporting cyber incidents to the authorities.
“During this period of heightened risk, companies must use time wisely to make sure their house is in order on cyber,” says Susannah Odell, head of digital policy at the Confederation of British Industry. While there have been no reports of specific threats to UK business, cyber-attacks are inevitable, Odell says.
While UK boards rightly acknowledge the importance of cybersecurity, few have acted on it, says DCMS. It blames a lack of expertise at board level and directors’ fears about the complexity of cyber issues.
Only 62 per cent of large British enterprises have a board member who is responsible for cyber security, the DCMS survey found, and this was more likely in finance, insurance, information and communications companies.
Odell says boards must learn to ask the right questions. She points to the NCSC toolkit as a helpful starting point.
In extraordinary times, companies should be “shields up” with a heightened awareness about cybersecurity, says Catherine Allen, chair of the Santa Fe Group, a consultancy that briefs companies working in critical infrastructure.
Allen emphasises the importance of 24/7 monitoring, multi-factor authentication, changing of passwords and increased training and phishing exercises. She recalls that her former employer, El Paso Electric, the US public utility, suffered daily cyberattacks from nation states.
Britain’s NCSC works in all areas of critical national infrastructure to maintain resilience, says Paul Maddinson, its director of national resilience. Russia is a constant presence in nation-state cyber activity, alongside China, Iran and North Korea.
For most UK organisations, however, Maddinson says the biggest threat is from cyber criminals, not nation states. Ransomware is a particular problem. This malicious software is used by hackers to take users’ data hostage and demand a ransom for its return or to prevent dissemination.
In 2021 researchers at SonicWall, a US cybersecurity company, recorded 620mn ransomware attacks globally — more than double 2020’s total and three times that of 2019. In the UK, 56 per cent of companies have a policy not to pay up, says DCMS.
Because boards often lack cyber expertise, directors need management to give them clear information about the key risks. Directors and managers should create a template that identifies the risks and the ideal state of security, says Eric Friedberg, co-founder of Stroz Friedberg, a cyber consultancy owned by Aon, the professional services firm.
Board and management should then lay out the company’s plan for how and when targets are to be reached.
By being clear about interim risks, says Friedberg, the board can better decide how aggressive it wants to be in aiming for remediation. “A board presentation on cyber should identify which remediation programmes are on track, delayed or at risk: a green, yellow, red system is helpful,” he says.
DCMS is concerned that IT staff often lack the skills to make the case for why investment should be directed towards cybersecurity, meaning that risks are given a low priority and funds spent elsewhere. It is critical, therefore, that boards balance their trust in IT staff with their own ability to judge a business case on its technical merits.
Not doing so can hurt. The average cost of each cyber attack in the past 12 months was £19,400 for medium and large businesses, says DCMS.
“Sometimes cyber security is dismissed as ‘just a technical issue’ for IT professionals,” says Maddinson. “But this misunderstands how serious cyber incidents can be – potentially impacting an organisation’s operations, finances and reputation.”