
Cyber Security – “The bad guys are really, really good at what they do”

09-Nov-2017

 

This year’s IoD Digital Strategy Summit was held in central London. One particularly thought-provoking and eye-opening session focused on cyber security and why business must take this global threat very seriously indeed.

“What is the biggest threat to your business?” That was the question posed to the audience at the IoD Digital Strategy Summit by Royce Curtin, the MD of Global Intelligence for Barclays.

“Is it a terrorist attack on your physical facilities?” he asked. “Is it a physical assault on your workers as they travel to work? Is it a data breach? Or is it major disruption that is not going to affect the service you give to your customer and clients but also your reputation?

“I would submit to you that the biggest threat is a loss of trust in your ability to deliver those world-class services; the innovation people expect and the ability to do that securely. The threat is global, dynamic and ever-changing.”

How the bad guys attack a business

Curtin highlighted a series of landmark cyber crimes carried out during the past 18 months. Last year, a fake 101-page report by a fake company relating to financial fraud caused shares in German payment processor Wirecard to drop by 25%.

Another way that a company can be attacked is known as CEO fraud.

Curtin explained, “This is when bad guys are able to generate fictitious email messages that look legitimate from the CEO or CFO of an organisation and send it to somebody that the bad guys know is responsible for financial transactions because they’ve derived all this information about the people who work for that organisation from social media like LinkedIn.

“£5bn was lost last year globally (to CEO fraud) and that is just what was reported. I guarantee you that type of fraud was exponentially higher and a lot of it goes unreported due to the damage to a brand’s reputation.”

He added, “Should we be worried about a data breach that happens halfway around the world? Yes, because it’s highly likely that your customers’ and clients’ data are part of those breaches.

“The bad guys are really, really good at what they do.

“You can pay somebody else to steal the data, you can pay somebody else to launder the funds. You can do it while you’re in your pyjamas at home drinking a cup of coffee and you will never meet these people.”

How do we win?

Curtin said: “Over 90% of these attacks start with an employee clicking on a link that looks like a legitimate email. So the employees are the weakest link.

“Training and awareness are really important. Barclays is spending a month on cyber security awareness, where we bombard our employees, globally in 170 countries with 40,000 people. And we’re constantly testing them. If somebody clicks on a link then, boom, they are automatically re-routed into training and one of the cyber security team will go and talk to that employee no matter where they are in the world. It’s so that we build awareness into our DNA.

“You need to be innovative, agile and dynamic.”

The Panel Session

Curtin was joined by leading figures in the fight against cyber crime, including…

Chair, Darren Wray: CEO of Fifth Step. His team includes senior information technologists and IT management professionals.

Gary Peace: Runs a cyber security consultancy around threat management. He spent 18 years as a police officer before moving into high-tech crime.

Anne Duncan: Member of the IoD France Executive Committee. Anne is also the Founder and Chair of the Digital & Technology Leadership Initiative.

Oliver Gower: Deputy director for Cyber at the National Crime Agency. Gower was Gold Commander for the Police in response to the ‘WannaCry’ attack on the NHS.

Sandy Forrest: Client executive for Cyber Security firm ATOS. He previously oversaw the delivery of IT Services to the UK’s National Security and Intelligence organisations.

How to convince the board to take cyber security more seriously

Curtin: “I would say turn on the news. This is in our faces, it’s a global threat and it doesn’t care who it targets.”

Peace: “I think we’ve got to get rid of the term ‘cyber’, it brings up the wrong connotations of men in dark rooms with matrix-like screens in front of them. It’s crime. It’s theft, it’s fraud, it’s criminal damage. We have to call it a business risk not a cyber risk.”

Duncan: “In France, I heard the latest statistic is that 82% of organisations surveyed by MEDEF (The Mouvement des entreprises de France) want to invest but they didn’t know where, with who or how. This is where the industry itself, who are working as consultants, can put together a plan that meets the test of an investment plan for the board or C-Suite.”

Forrest: “It’s like terrorism. You’re unlikely to stop it happening but you will be judged on how hard you tried, how well you prepared, how quickly you recovered, how able you were to contain the damage to as small an area as possible.”

Darren: “Make a plan. Those who have a plan tend to recover more quickly and they tend to be better respected and better regarded and have less reputational damage from such an attack.”

Why businesses need to think about cyber insurance

Forrest: “It is very difficult finding affordable cyber insurance because companies either don’t have a claims history in the market or the expense of bringing them up to a standard that would allow them to be insured is too prohibitive.”

Gower: “It’s important that businesses look at what’s right for them. What is the right balance between better protection and money spent on insurance and with that the extent to which you insure yourself. Is it just for the money you’ve lost? Should it also be to get your services up and running? Should it cover the impact upon your customers? There is a decision there to the extent to which you want to insure yourself.”

Peace: “We all have buildings and fire insurance and we all have public indemnity insurance and you’re going to have to look at cyber. One of the biggest expenses of when a breach happens is clearing up the mess afterwards. It’s bringing in people like me to investigate that data breach or it’s looking at reputational damage limitation.”

Duncan: “Inside the IoD, there are people who are working on this, the Independent Insurers Group. This (the IoD) is a great network to have an influence on this industry and how it evolves.”

https://www.iod.com/news-campaigns/news/articles/Cyber-Security-The-bad-guys-are-really-really-good-at-what-they-do