
Don’t wake the cyber shark

IN ONE recent Financial Director profile interview, National Grid CFO Andrew Bonfield discussed Channel 4 docu-drama Blackout, which depicted the levels of chaos Britain might descend into if co-ordinated hackers were to successfully infiltrate and knock out the company’s – and ergo, the United Kingdom’s – power network.

It showed widespread looting of shops; car crashes in the absence of reliable traffic lights and street lamps; deaths, both accidental and deliberate; and rioting up and down the nation. Despite the flippancy and artistic licence the programme took, there is a kernel of truth to the post-apocalyptic desolation it painted.

At least, there is a real concern among the biggest businesses that hackers in their various forms have the ability to wreak utter havoc, if not necessarily on a national scale. Companies that have fallen foul of hackers’ opprobrium include the Bank of America, Microsoft’s Xbox Live, Sony’s PlayStation Online and, most recently, the Canadian Bitcoin trader Flexcoin – which totally closed down after an attack.

Under siege
And so, keen to ensure such fantasy remains just that, Britain’s financial, transport and energy industries are to strengthen their defences against cyber attacks, building on a war-game simulation dubbed Waking Shark II in which banks came under assault from “a hostile nation state”.

The operation saw the financial sector simulate a major cyber attack: workers at firms were subjected to a series of announcements designed to imitate a co-ordinated attack on their computer systems.

The simulations were led by the Bank of England, Treasury and Financial Conduct Authority, which watched every large bank keenly to see if they could withstand a sustained cyber attack.

It’s a practice becoming more widespread, and one which Richard Anning, head of ICAEW’s IT faculty, says is key to understanding where weaknesses lie. The ICAEW, as it happens, regularly employs ethical hackers to test its systems, but Anning is keen for businesses to ensure they take care of the basics.

“It’s relatively cheap,” he says, noting simulations can be done for as little as £2,000. “Activities like practice simulations can highlight which areas are weak and allow businesses to prepare. It has to look at areas like supply chain, too, because you’re only as strong as your weakest link.”

Better hygiene
As soon as Waking Shark II was completed, the Department of Business, Innovation and Skills released a response to a call for evidence on a preferred standard in cyber security, which acknowledged the need for better “cyber hygiene”.

“Government will now work with industry to develop a new implementation profile, which will become the government’s preferred standard,” the document said.

“This will do more than fill the accessible cyber hygiene gap that industry has identified in the standards landscape; it will be a significant improvement to the standards currently available in the UK.”

[Image: Cyber risk graph]

In particular, the government noted that effective cyber security must be internationally recognised, promote international trade, and allow systems to exchange and use information as well as impose a basic level of required security. That, however, will take time to implement and enforce, and so it is vital to regularly assess suppliers and their security regimes.

There can be a tendency among smaller entities to believe they are unlikely to be targeted, but those who take such a view are “kidding themselves” if they believe they do not hold information of interest to a would-be hacker, says Anning.

Of course, it is largely true that a small graphic design business in Derby will attract a different group of hackers to, for example, Goldman Sachs, but letting one’s guard down on that basis is foolhardy, Steve O’Neill, chief financial officer of IT storage company EMC, tells Financial Director. “It’s best to be professionally paranoid,” he explains.

“Small businesses have occasionally been attacked simply for fun, and you should always consider who might have a motive to attack you. It might depend on what line of work you’re in or who your clients are.”

That said, O’Neill adds, “it shouldn’t consume all you do”, but it should be borne in mind and given regular due consideration. Indeed, having the basics covered goes a long way and will keep out the bulk of breach attempts.

“Keeping anti-virus software up to date will get you 80% there,” Anning says, although he admits larger firms can find doing so more difficult, especially if they are building upon existing systems.

As far as the FD’s role is concerned, however, it’s about addressing the culture and treating the cyber threat as a business issue, rather than an IT one.

“We’ve all received errant e-mails and clicked on something that’s led to a virus,” explains KPMG’s cyber security senior manager Ruth Anderson. “Employees have to understand the risk if a company is to protect itself, but executives have to realise they’re more likely to be targeted as they have access to more sensitive data.”

Broad awareness
With that in mind, ensuring staff have a broad awareness of the risks and best practice is imperative, according to KPMG cyber security partner Stephen Bonner.

“It is a mistake to think of it as just a technical issue. Instead, an integrated approach to preparing, protecting, detecting and responding to cyber incidents is critical,” he wrote in a recent blog.

For some, it’s about realising that the IT systems used by businesses actually are the business, and not simply a tool used to run it. Finance directors are key to making the board and their fellow directors realise the business issue that is cyber security.

“Once confidence in your brand evaporates, it’s very hard to win back,” O’Neill says. “That sits on the FD’s shoulders – they are the steward of the company. They generate value to shareholders. They have to look after information and monetise it.”

The deterrent to fully engaging in cyber security for some is the intangibility of establishing stringent defences, O’Neill adds.

“It’s a sunk cost … but if you’ve been compromised, you’ll wish you had invested in proper defences. The risk is potentially catastrophic,” he says.

A significant element of the FD’s role in cyber defences is determining which information is protected and to what level. Indeed, failure to differentiate the value of different pieces of information to a business can mean that cyber security spending can be tantamount to “throwing money into a vacuum”, Anderson warns.

Accept the inevitable
Pragmatism is required, as is a degree of acceptance that some attacks and breaches will be inevitable, Anning and O’Neill both suggest.

As such, the most sensitive and pivotal information should receive the highest protection, with less important information given lower fortification, right down to expendable information receiving little or no coverage.

[Image: Cyber attacks graph]

Such a strategy will be less demanding on resources and will also mean hackers are less likely to sustain attacks once they’ve found information considered auxiliary by the attacked business. That extends as far as involving the audit committee in testing defences and whether the right information has been prioritised, Bonner says.

“To succeed, the board, the audit committee and [executives] need to work closely with their IT and security teams to understand the real risks to the business. Surveys suggest that more than 10% of IT budgets are now spent on cyber security, and I doubt this figure will fall, meaning boards and their audit committees are right to demand clarity on what the investment is delivering,” explains Bonner.

Most importantly, though, there needs to be a means of monitoring the effectiveness of companies’ cyber security controls, independently testing, reviewing and assuring such controls, he continues.

Given the proliferation of information, focus groups and best-practice documents, articles like this one and government directives, visions such as the one shown in Blackout are hopefully – and in all likelihood – a long way from actually happening, but vigilance is pivotal.

“Technical recovery can be simple enough and relatively straightforward in general, but restoring a brand’s reputation is a much more difficult proposition,” O’Neill says.
