Andrew Bonfield, the outgoing CFO of National Grid, takes cyber security very seriously. The group’s key role in gas and electricity transmission and distribution makes it vulnerable to the possibility of attack from individuals or groups.
“We have the usual suspects, including state-sponsored terrorists, trying to get into our systems almost ad infinitum, it’s just part of the world that everybody lives in, power distribution grids are obviously key to that,” he says.
He says that as the group has assets in the north-eastern states of the US as well as in the UK, it liaises with authorities on both sides of the Atlantic to mitigate cyber threats. “We have people who are attached to the security services on both sides. We work very closely with them to understand what those threats are and how to manage them as best as we can,” he says.
Although risk does not sit specifically within his portfolio of responsibilities, cyber security is part of Bonfield’s wider finance brief, given the size of the challenge. “No system is failsafe and there’s always risk,” he says, acknowledging the possibility a rogue employee could create havoc. “Until somebody leaves, sometimes you don’t know who has attacked you,” he says.
He has learnt from this role and other senior positions he has held, including CFO of confectionery group Cadbury’s, energy group BG Group and pharma groups Bristol-Myers Squibb and SmithKline Beecham, that finance directors need to be asking key questions on cyber.
Posing the questions
Bonfield says FDs need to be asking generalist questions such as: How is the organisation currently being protected? How does that system work? How is that risk mitigated as best as possible?
But he adds that finance can play a key role in determining how any defence against the threat of cyber-attack is resourced, by ensuring the organisation is properly funded in this area. “You could always spend more, but is there always value in that approach? We’re trying to make sure we’re spending the right money by understanding what the real threats are,” he says.
John Lyons, chairman and founder of the International Cyber Security Protection Alliance (ICSPA), says that part of the problem is the new points of attack that cyber criminals are starting to exploit. “As companies put more effort into their security it has the effect of pushing the attack vectors towards company employees, staff and customers and, most importantly, to their supply chains.”
Lyons says he has seen a build-up of more sophisticated attacks in the years since he was Crime Reduction Coordinator in the UK’s National Hi-Tech Crime Unit.
As chair of the ICSPA, a not-for-profit organisation aiming to provide private sector funding and support globally to law enforcement organisations engaged in the fight against cyber-crime, he is aware of how sizeable the problem has become.
Part of the problem is that many organisations are reluctant to take the necessary measures to combat cyber-crime, insists Lyons. “As long as the banks reimburse customers for their losses, there’s no real incentive for people to secure themselves, so we all end up paying,” he adds. “Even if you offer them free anti-virus software they still don’t use it, and incur losses.”
Lyons says: “At board level it’s often treated as a technology problem, which of course it isn’t; it’s a business issue. If you want to secure your business, your data and your customers’ data, you’ve really got to take the cybercrime threat seriously.”
He believes that boards often fail to make the visionary leap of putting in sufficient protective measures, which he considers an investment in the future of the company. He believes that is often because senior directors are unwilling to ask the right questions on cyber issues. “Although you may not be technically savvy, you should be able to ask the right questions of the people who do know,” he advises.
In his experience, many CISOs (chief information security officers) have never been invited to give a presentation to their company’s board on cyber security. “These men and women are responsible for securing the enterprise from cyber-attack, yet they don’t have a voice on the board, they’re probably reporting in the main to the CIO who in turn reports to the CFO. Main board directors need to ask the right questions and ensure they’ve got some good independent advice, and make sure they’ve got the right people,” he says.
Lyons believes protection from cyber-attack can be achieved if a company invests in the right people and is willing to spend the right amount of money. The approach also requires buy-in at the highest levels. “It should be on the agenda of every board meeting and someone has to carry the can. The buck has to stop with one of those board members, who says I’m going to take responsibility for information security in our business,” says Lyons.
Board directors and senior managers still regard cyber security as an essentially technical matter to be left to middle ranking management or consultants, says Baroness Pauline Neville-Jones, UK Special Representative to Business on Cyber Security.
She says they are failing either to understand the vulnerability to cyber-enabled theft and compromise of the key assets for which they are directly responsible to shareholders, or to embed appropriate company procedures and behaviour to increase cyber security.
“The fact that perfect cyber security is not possible does not excuse failure to manage risk properly in this increasingly vital aspect of business management,” says Baroness Neville-Jones, who was previously the UK’s Minister for Security and before that headed up the Joint Intelligence Committee.
“Active cyber security should these days be seen as integral to company success, justifying top level management attention and adequate financial resources. Action taken to enhance cyber security should form part of the Board’s annual report to shareholders on their stewardship of the company,” adds the former chairman of the part-Government-owned defence technology company QinetiQ.
Managing the consultants
Nicholas Banks, who runs a consultancy advising on cyber called InfoTrade Security, says what’s needed at every organisation is a robust security level, not just for regulatory reasons but for customer satisfaction, safety and confidence. “You need it to be robust, to be overlapping and multi-layered,” he says.
At the same time it needs to be simple enough for staff to understand, says Banks. “What I find amazing is that when companies onboard staff there’s an induction period where you’re shown where the fire escapes are, who your fire marshals are, but there’s little about security training, given it is the biggest weakness. It’s also amazing how few C-suite members adhere to these policies,” he says.
When it comes to monitoring cyber security consultants, Banks says: “With anyone that’s doing work for you, you’ve got to have NDAs, your contract has to be watertight so you have to make sure you’re covering yourself as well as possible, you have to make sure you do as much due diligence as possible.
“Ask who owns the IP in the company, because if they leave the IP goes with them. Does the company have the right level of backing? Is it through a VC or a private individual? If they’re relying on private individuals, there’s a fair chance the money is going to run out, which will have an impact on the product you are in the process of purchasing. So there’s a number of company health checks FDs need to do on cyber security consultants,” he says.