Why the cyber attack on TalkTalk should be a wake up call for all organisations
Nick Wilding, head of cyber resilience, AXELOS, explains why cyber security is not just about bits and bytes, it's about behaviour
Dido Harding. If you hadn't heard of the name before the 23rd October, the likelihood is that you have now. The CEO of TalkTalk stepped into the media spotlight when her company became the latest in a long line of organisations to fall victim to what she describes as "the crime of our generation."
Dido announced that the personal data of all four million of the company's customers might have been compromised following a cyber attack. The company later revealed that hackers had accessed 21,000 unique bank account numbers and sort codes, 15,000 customer dates of birth and 1.2 million customer email addresses, names and phone numbers.
While the scale of this attack is shocking, it is far from unusual. The harsh reality of our totally connected world is that all organisations - both in the public and private sectors - are at risk from cyber attack. No matter how much money, people, resources, and technology you apply to the cyber threat, no-one can ever be bullet-proof.
Recent PwC research highlights the scale and impact of the risk: in 2014 over 42 million security incidents were detected, a 48% increase on the previous year. The 2015 Information Security Breaches Survey, published earlier this year in the UK, noted that 90% of large organisations and 74% of small organisations had a security breach last year.
The role of the boardroom
It was refreshing to see and hear Dido Harding, a well-known CEO, stand in front of the media during the recent crisis. The board should not only be leading from the front in the aftermath of an attack, but also setting the 'tone from the top' in its efforts to increase cyber resilience during 'business as usual', not just during a crisis.
Any board needs to demonstrate that it has a real understanding of the key cyber risks and how these will affect its organisation's strategic ambitions and critical information. While effective cyber resilience will look different in every organisation, what needs to be the same is the board's cyber literacy: knowing they will be breached at some point, and guiding programmes to protect against, detect, respond to and recover from an attack effectively.
However, I believe there remains a large gap between awareness of cyber risks and true insight and action. UK government research among CEOs, non-executive directors and chairs of audit committees of FTSE 350 organisations, published earlier in 2015, shows that over 70% reported receiving 'very little' or only 'some' cyber risk management information, and 75% believe they have limited understanding of how to prevent becoming the victim of a cyber attack themselves. The challenge appears to be defining what 'cyber literate' should actually mean for a board director.
Cyber literacy comes with learning and experience, combined with effective collaboration and best practice. It starts with the board understanding and owning the particular cyber risks to the critical information and capabilities it needs in order to deliver the business strategy. It matures as the board develops the collaboration and common language required with peers and colleagues to design and manage what good cyber resilience looks like across the organisation.
We all need to play our role
Organisations are missing a golden opportunity if they fail to take advantage of the most powerful force that can help protect their reputation, safeguard their information and keep customers close - their people. Effective cyber resilience isn't only about 'bits and bytes', it's about behaviour.
We often hear about sophisticated cyber attacks, but the reality is often very different. It is far easier to trick a user into providing access to a computer system than it is to get malicious software onto the network. The challenge is understanding how best to get users, regardless of their role or position in the company, to recognise when they are being tricked into providing that access and to know what they should do next.
Many organisations still rely on annual information security awareness training. This is typically computer based training that fails to properly involve the user in understanding the consequences of poor behaviour. A simple multiple-choice test, taken once a year and then swiftly forgotten, is not enough to be confident that your system is as secure as it can be.
Organisations need to focus more on making their cyber or information security awareness learning engaging and fun. All too often it is dull and fails to drive new behaviours. The learning should also be carried out on a regular basis, and should actively involve your people in developing their own ideas for content and in learning in the ways that work best for them.
Organisations need to build an environment where we are all happy to openly discuss and share our concerns and experiences, to report incidents and to suggest creative ideas for building awareness. The goal is to help keep the value of our business in our business.
The role of best practice
To enable the organisation to 'pull together' on multiple fronts, the adoption of best practice management processes is essential. There are a number of approaches, from formal management standards like the ISO 27000 series to portfolios of best practice like RESILIA, which we launched earlier this year. Each business needs to decide which strategy and approach best fits its model.
We believe that RESILIA is a good starting point. Based on ITIL, the world's most widely recognised framework for IT service management, it takes a lifecycle approach to effective cyber resilience, describing five stages for managing it. Foundation and practitioner training and certification, designed primarily for the IT and security professional community, provide the practical guidance required to assess, deploy and efficiently manage good cyber resilience within business operations.
In addition, the portfolio includes cyber resilience awareness learning: multiple learning modules in different formats and via multiple channels, to get the right information to the right people at the right time across all parts of an organisation so that they can make the right decisions. Finally, it offers a cyber pathway tool that will quickly assess an organisation's current cyber resilience capability and map out an improvement plan based on a desired level of maturity.
In conclusion, in the wake of the attack on TalkTalk and other organisations, it is vital that business leaders concentrate on decreasing the risk of attack as well as on designing and testing their response and recovery plans for when an attack occurs. I believe there are some important questions any board must know the answers to:
- Do we have a cyber resilience strategy and does it support our agreed business strategy?
- Do we understand which of our information and capabilities are the most valuable, and are we investing in protecting them?
- Do we have an effective information security awareness programme in place across our organisation?
- Do we have a well-defined, tried and tested incident response plan in the event of a significant data breach?
- Have we established an appropriate cyber risk escalation framework that includes our risk appetite and reporting thresholds?