“Cyber-security is moving relentlessly higher in terms of businesses’ priorities” is how the newspaper The Scotsman opened its recent article on cyber security.
They discussed how a warning to the insurance industry by the Prudential Regulation Authority (PRA) illustrated the need for insurers to assess and anticipate the cyber-risk to which they are exposed through the policies they write. That sounds par for the course as the cyber security threat continues to mature and boardrooms take up the mantle of this issue, knowing that after a handful of years of high profile and well publicised attacks this threat to their business shows no sign of abating.
However, it was the discussion of the role of non-executive directors with regard to cyber security that particularly caught my eye in this piece. They stated that the PRA report said non-executive directors in particular should be held accountable for any failures to properly challenge management as they deal with cyber-security issues.
As we know, a non-executive director’s role is to provide a creative contribution and improvement to the board by providing dispassionate and objective criticism and to monitor the executive activity, thus holding the board to account for its actions, or perhaps in many cases its inaction. My only comment on this is that although this appears to be a sound strategy, I wouldn’t limit it to just cyber security, but would suggest that non-executives are held accountable for the wider issue of GDPR compliance and the financial pitfalls of falling foul of it.
The business level responsibilities of cyber security continued in a post on the website ‘London Loves Business’, which, in the wake of the Petya ransomware attack, discussed how to get an entire business behind cyber security.
They offered up a useful list of six topics, from ‘Build cyber security in from the ground up’ to ‘Hire specialist expertise’, which are well worth reviewing, but it was the fifth item in this list that was my personal favourite.
It suggested that businesses should ‘Encourage a positive cyber security culture’, for example by making the first Friday of every month Cyber Awareness Day, where employees and management get together to discuss what they are doing, and should be doing, to make the business secure.
Getting everybody involved in the discussion is a great starting point, as it acknowledges that cyber security is an issue, which is very different from it being labelled a ‘failure’, as it often is, with blame then being apportioned for that failure! Open, non-judgemental discussion, as with any challenging topic in life, is the best way to commence a process of resolution, and that’s something many businesses could benefit from.
That is assuming you still have a business left after getting caught up in a cyber incident.
The BBC posted a story about how a Ukrainian accountancy company has had its servers seized by police as they investigate a recent ransomware attack. The firm in question was using MeDoc, Ukraine’s most popular accounting software, which spread the initial infections through a malicious software update.
This small company denied that its servers were responsible, but this was challenged by a statement from the head of the country’s national Cyberpolice unit, who said that the company in question had ignored repeated warnings that it needed to improve its security in advance of the attack, adding that “For this neglect, the people in this case will face criminal responsibility”.
So, it sounds like The Scotsman is right: cyber-security ‘is’ moving relentlessly higher in terms of businesses’ priorities, to the point that if you (potentially) ignore warnings and then, even unwittingly, aid a cyber-attack, the owners are going to be held responsible. It doesn’t get any higher than that.
For links to all these stories and more, or to contribute with some comments, join us by searching for the National Cyber Skills Centre on our social channels of Facebook, LinkedIn and Twitter, or just click the relevant links from our website.