The cyber threat – and a smart response, great advice shared at our round table
You don’t have to look too far to find scary stories about the threats to your business from cyber breaches.
So, together with law firm CMS, we convened a selected group with direct experience of strategic responses to discuss smart cyber responses to a problem that isn’t going away but has crept up the corporate agenda.
Setting the scene was Mihaela Jembei, Director of Cyber Security Regulation at the Information Commissioner’s Office (ICO) over Zoom (securely, of course).
She said: “We’re still seeing ransomware attacks, and although the numbers are increasing, it’s not as quickly and as large as we’ve seen in the past. We’re also seeing unauthorised access and malware attacks.
“We want to develop our own internal capabilities, but we’re also looking at our external position as a regulator both domestically and internationally, to provide regulatory certainty to organisations.
“We are aiming to publish a piece of guidance in 2024, looking at learning from the mistakes of either a retrospective review of a similar product published in 2014.
“We also work with the NCSC on this kind of wider strategic piece.”
Picking up on the regulatory risks, Inspector Chris Maddocks, the head of economic crime at the National Cyber Resilience Centre, said that a lot of the focus is on what gets reported, either to the police directly or through Action Fraud.
“What we would typically expect to happen in a journey like this following a cyber attack is that it’s reported through Action Fraud. They will triage that report, because sometimes a company might not appreciate what’s going on with their service and whether it’s a ransomware attack, or hacking, or whatever, and then they will send that to the National Crime Agency.”
He says they’ll then ascertain whether this is an attack on critical national infrastructure requiring a big governmental response, or whether it’s a lower-level case. “To be the local response, my organisation is in between that. With a cyber incident response, some of my staff might go out and try and capture the ransomware. We can also test it and try and do our best to try and help other people out with those.”
One organisation that meets the definition of critical national infrastructure is Manchester Airport. For Pete Williams, Chief Information Security Officer at Manchester Airports Group, it’s not a matter of if, but when.
“It’s not even if I get breached, it’s when you’re going to discover you’ve been breached, because you’re already breached. You have to have that mentality that you’re already breached, and eventually it will come to the fore. So we practise and rehearse. And you have to practise and rehearse at every level, your IT teams; it may manifest itself in very physical means, you know, for us that means passengers wouldn’t be able to get on planes.”
But he’s also clear that most cyber attacks are about getting money. The typical pattern is to get into an email system, find a procurement person, pretend to be the head of procurement, and send an email to the CEO.
“90% of all cybercrime is essentially about money. But touch wood we’ve not had anything significant. But when I say that we learned a significant way up to somebody trying the door every day, every single day.”
Paul Vlissidis, Technical Director at NCC Group and author of ‘How To Survive The Internet’, is hugely experienced in this field. He also makes the point that it’s not just big companies that get targeted.
“We ran the cyber adviceline for the Federation of Small Business for a number of years. So we got a lot of useful intelligence from people who’ve been on the wrong end of a cyber attack. I would say most businesses now recognise the threat. Larger businesses certainly recognise that cyber has moved in the risk register. It used to be a pure compliance risk. And actually, all anyone was ever really worried about was a fine from the ICO. That’s changed; it’s now become an operational risk because it can stop you dead in the water. The whole ransomware threat now has changed the mindset around it. So a lot of companies are now putting more time into what are called pre-breach activities. So they’re worried about things like backups, what if all the systems get encrypted. And I agree that most attacks do happen from a known issue.
“The mindset that says you’ve got to assume you’re going to be breached means that measures like making sure your backups are working, are absolutely fundamental.”
However, paying a ransom isn’t just a financial hit but potentially a legal problem in the making, if it involves paying money to a rogue state, for example.
“Nowadays, by paying that ransom you might be committing a criminal act, because you might be sanction busting, because you might be paying a ransom to someone that’s been officially sanctioned. So it’s becoming really so complicated. And equally, your insurance may not pay out in that situation as well. They won’t pay a ransom if it’s a criminal act. So it’s a really complicated conversation, and I’m much better to have those conversations well in advance of being breached than you are within the 24 hours after all your systems have stopped working, right?”
Nick Guite, a technology specialist from SysGroup, agrees. “The challenge that we have is convincing small organisations that it is worth investing in controls, processes and technology to mitigate those risks. And a lot of our essentially distressed purchases come through companies that have been impersonated and then are now looking for some kind of secure email gateway to fix that problem. So that tells me that security, and cyber security specifically, is not necessarily on the risk register.
“They’re also getting pushed by insurance companies who are now saying that if you want cyber insurance from us, substantial protection is an absolute minimum requirement. And they’re starting to ratchet up the things that are required by an organisation to function.
“How you get that kind of vernacular on the board agenda is the challenge.”
Guite raises a good point. Compliance is one thing, reaction is quite another, and preparedness is another thing altogether.
Jessica Maddox, a lawyer at CMS, had a client which suffered a cyber attack that caused such chaos it created the horrendous prospect of not being able to meet payroll obligations.
Then there are the legal obligations a client has to report to the police, the ICO and insurers.
“In one instance, the client didn’t have cyber insurance, so there’s the issue of when they refer the difficulty to the police or Action Fraud. But there were notifications to the employees and to the individuals potentially affected by the breach, and another big issue was the ordering of it all. And because you don’t know what information has been taken, you don’t know who should be told, so you don’t want to over-notify and scare people unnecessarily.”
That brings into play the importance of getting communications right: not setting too many hares running, and being straight with customers. Some of it is legally necessary, but business risk is also a factor.
Pete Williams at Manchester Airport is mindful of this in their scenario planning. “Tell it all, tell it early, you shouldn’t be ashamed, you shouldn’t hang your head down, we’re all gonna get hammered at some point. And the more we share, the more we tell stronger, we all get that kind of philosophy, you know, we’re only gonna be as strong as the weakest link.”
Chris Maddocks broadly agrees but explains that the North West Cyber Resilience Centre was set up precisely to give SME businesses the guidance to bridge the resource gap.
Dan Keating, a lawyer with CMS, recognises the balance. “You said it’s a very, very tricky balance, but you’re going to be judged in the court of public opinion. And if you basically seem to be holding back and not providing information that you could have provided at an early stage, which could then actually have helped individuals to avoid harm, that’s going to be severely damaging to your reputation.”
Lucy Giles, a crisis communications expert at agency MC2, agrees. “Like Jess was saying, make sure you have the right people in the room and understand exactly what information has been compromised, who has it affected, what the impact might be, and go from there. I think your response needs to be appropriate to the severity of the situation. And in some cases, it might be that you don’t necessarily go out and say everything immediately. I think that businesses should want to respond and communicate to their customers and to the media. But they shouldn’t feel forced to respond before they know exactly what’s going on and understand the situation, because that will make things worse.”
Both Martha Wilkinson and Dec McHugh have worked in the heart of government comms, McHugh on the political side, having served as a Special Adviser to Jack Straw when he was Justice Secretary in the Labour government of 2005-2010. He knows from experience what it’s like to see an organisation judged by MPs in front of a select committee.
And Wilkinson urges leaders to be ready for that scenario. “If you don’t have the hardware, you aren’t adequately equipped as a leader to talk about this and you don’t understand what’s happening. But you also don’t understand how to communicate it effectively, you’re going to look awful in front of a select committee. It’s been really interesting actually to hear that the things that have been thrown for about transparency and shared language, it does feel like the conversation has moved on. In the last few years, I worked on the board toolkit when it was published by the NCSC in 2018. And it does feel like those messages are getting out there. Although I’m seeing cyber as business risk is still, it’s progress, but it’s still maybe not moving as fast as needed.
“Shared language is so important,” Wilkinson says, “because when you’re communicating to your customers, your staff, whatever, whether it’s at a holding statement, or in a more detailed statement, you need to convey it in such a way so that everyone can understand what’s happened, and what you’re doing to fix it, and what a customer needs to do to be able to keep themselves safe.”
Now running his own consultancy, Helm Partners, McHugh says you need to have a communications plan on the stocks, with the caveat that nothing can really prepare you for the emotional stress.
“I’m reminded of that famous Mike Tyson line that everyone’s got a plan until they get punched in the mouth. So part of the planning actually needs to be the testing. So you need to go through the different simulations. And as part of that, to pick up on another point, because in the end, it’s going to be senior people on boards that have to make really difficult judgments and those stages, they need to be exposed to what might happen. It’s very hard to create the conditions of crisis, but they need to be exposed to some sense of what it feels like to be in that mainstream. When you do mock up front page, explain what a Twitter pile on actually looks like, this is what the politicians are going to be saying.”
But, he summarises, you have to look through the prism of the consumer: depending on the nature of the organisation or company that’s been breached, the victims may be members of the public, and it is they who will influence the politicians on that select committee. In the end, MPs will come to it primarily because they have constituents who want to know what’s happening to their bank details.