The most effective weapon against a digital security breach is leadership, not a magic technology bullet, says Paul Taylor, KPMG in the UK's Head of Cyber. He shares his insights on what boards can do to create a cyber-resilient organisation.
Few business risks today have the destructive capability of cyber crime. Yet, for many boardrooms, cyber risks remain hard to understand and are often treated as a low priority, delegated to IT departments to manage.
Pre-emptive action is the key to protection. There are several harsh lessons for the C-suite to learn from the attack on Sony Pictures Entertainment’s network in 2015, starting with the necessity to make a detailed assessment of potential vulnerabilities. Sony is one of many businesses hit by hackers, and these concerns apply to most large organisations.
The Sony attack was much broader than just having customer data compromised, highlighting the potentially wide-ranging nature of these incidents. The company lost valuable data and, along with it, both the business and its most senior executives suffered significant reputational damage.
Sony reportedly had at least 100 terabytes of data stolen, with some of it clearly identified as intellectual property (IP). It appears the attackers also used malware to destroy information.
While the leaked James Bond film script dominated headlines, some of the company’s internal email conversations on strategy, assets and acquisitions were laid bare for customers, partners, competitors and regulators.
Also emerging in the public domain were personal conversations concerning family and friends. After the breach, former employees whose personal information was compromised instituted legal action. There will likely be many more lawsuits and, at some point, we might see a board sued for inadequate oversight and response.
So what can a board do to prevent these incidents? How can executives mitigate and minimise damage and disruption to normal business operations?
The first step is to develop a cyber security policy that the leadership team can collectively understand, take seriously and enforce. This will be far more effective than delegating responsibility to a beleaguered Chief Information Officer.
Simply setting 15 minutes aside in a boardroom meeting to discuss cyber threats will not allow you to develop a robust approach to ensuring the organisation’s digital security.
You’ll need focused work-streams that give a clear picture of the threats at hand and you’ll need support and training from experts who can guide you through a fast-changing cyber landscape.
You may wish to consider appointing a board member with cyber expertise to continually guide the organisation. The critical shortage of cyber training and experience has led to a flood of new entrants in this area – take extra care to make sure you get the right person to take forward your strategy.
Also make sure that your internal team shows you, in understandable terms, what is being done across the organisation to improve cyber resilience. Insist on all the news, good and bad.
Ask naïve questions and don’t be afraid to ask for the answers in layman’s terms. Cyber terminology can be technical and complex – messages from the experts should be distilled down to what you and the board need to know.
Once you think you know what you’re doing, get some qualified people from outside to shoot holes in your plans. Find a firm that will tell you the hard, uncomfortable truths your staff may not.
One of the worst ways to get attacked is through a risk that was already known to others. Communicate regularly with organisations and government bodies that can help you to keep pace with emerging threats.
Mitigating cyber risk is not just a job for IT: legal, PR, HR, operations and all other relevant areas of the company must work towards it. This will help to integrate your response into your business continuity and disaster recovery plans.
There are many aspects to an effective corporate battle-plan to defend against an attack, but success is dependent on direction from the top. Business leaders have a responsibility to master this growing risk arena and create cyber-resilient organisations.