The world of cyber security for businesses is one fraught with risks. It is not unlike the surfer who vowed never to surf again after enduring 31 hours adrift in cold Scottish waters: he knew the risks before he went out, he could have mitigated them, and he could have assessed the conditions more fully before setting off.
In much the same way, businesses that fell victim to the recent WannaCry attack need to be motivated by risk. Nine out of 10 of those affected were probably aware there were risks to their organisations, but did they act before the attack to reduce them? Unlike the surfer, though, a business cannot simply decide not to trade.
There are lessons for Guernsey businesses to learn and learn fast. Cybercrime pays and, as long as it does, businesses will continue to be at risk. Add in the growing sophistication of tools available to cyber criminals, not to mention the vast resources of nation states that dabble in cybercrime, and we should expect much worse in the future.
There is a heavy reliance on IT "experts" to tell businesses what to do, rather than the business itself knowing what should be done and what needs protecting. Business leaders and boards of directors need to upskill quickly. They need to be able to understand what the experts are telling them and to act on that advice so that systems become more robust and the risk of attack is continually reduced. That requires boards to be actively involved, and it requires skill sets that boards and business leaders, on the whole, do not yet possess. The quality of their advisors is also a factor. Advisors should be qualified (not something that always happens in Guernsey) and should be taking and passing industry-recognised examinations at a high level in specific areas of cyber security.
It could be argued that the lack of expertise at board level is the greatest cyber security risk of all. People generally do not like to admit what they don't know, but if they did they could seek out those who would help them learn. Simply relying on the experts to fix the problem will not, on its own, future-proof the business or guard it against cyber-attack.
It is time to look at board makeup and competencies. In my view, there needs to be at least one non-executive director who not only asks the right security questions but understands and interprets the responses, follows them up and engages directly with those responsible for technology and security. Without these skills at this level we will continue to see boards making bad decisions based on ignorance.
Yes, good advisors are important, but boards need to understand what they are being told. An understanding of technology has long been missing from boards; we are at the stage where such a deficit should be seen as bad corporate governance.
The internet is a dodgy neighbourhood. Businesses are connected to this neighbourhood and, unless protected, their valuables will be compromised.
The lessons not learnt from Wannacry
The latest attack, dubbed "NotPetya" by Kaspersky Labs, exploits the same known weakness used by the recent WannaCry attack. However, it also spreads across systems that have already been patched by abusing weak configuration, such as reused administrator credentials and legitimate remote-administration tools, wherever best practice has not been followed by the IT department and its suppliers.
This is a double whammy. Many IT departments are proud that their estates are fully patched, but scratch the surface and you will often find that best practice has not been followed across every element of the configuration.
This is a critical issue for boards. The fact that at the Chernobyl nuclear site in Ukraine the radiation sensors are down and staff are leaning out of windows to take manual samples says it all. Complacency rules even in critical environments, so boards need to take the approach recommended by the FCA and deal with cyber security proactively, intervening before an attack happens and before it is too late.