Pavel Ignatov - Fotolia

Calls for UK boards to be better educated on cyber threats

While there is increased focus on cyber security education for young people in the UK, the latest government reports have prompted calls for better education at board level

The latest government cyber governance health check and a survey of the UK’s top 350 companies have revealed that more than two-thirds of boards have not received training to deal with a cyber incident, but this is no surprise, according to security commentators.

The reality that information security professionals are witnessing on a daily basis is that many organisations in the UK and worldwide are still unprepared for dealing with the impact of a cyber attack, despite increased awareness of the risk presented by cyber crime.

“I am constantly surprised by the lack of preparation we experience in the corporate world when it comes to cyber security,” said Mike Simmonds, managing director at Axial Security Systems.

“We see a relaxed attitude to securing hardware, data and communications almost every day in interactions with existing and new customers,” he said.

One of the most worrying aspects is the lack of understanding of the serious nature that ignorance brings, said Simmonds. This ignorance has led to a lack of basic cyber hygiene, with companies typically lacking basic security controls and processes, and failing to train employees at all levels from the board down on how to deal with cyber threats.

“This has been a consistent theme of Verizon’s annual Data breach investigations report over the past 10 years,” said Laurance Dine, managing principal of investigative response at Verizon.

“We’ve seen that the majority of data breaches could so easily have been prevented if basic measures and protocols had been in place. For example, we often see that around two-thirds of breaches are traced back to weak, stolen or lost passwords, which could easily be prevented using two-factor authentication.

“Ultimately, we’ll continue to experience the same problems until organisations start to take cyber security more seriously; treating it as a business-level concern, rather than an IT problem. The fact that less than a third of boards receive comprehensive cyber risk information clearly shows that this just isn’t the case today,” he said.

Staff awareness can prevent attacks

Although large-scale attacks are increasing in frequency, many are often preventable, according to Stuart Clarke, chief technology officer of cyber security at Nuix.

“In the case of attacks such as WannaCry and Petya, both attacks took advantage of the same vulnerabilities – a technical vulnerability that had already been patched and the human vulnerability, which is of critical importance,” he said.

If organisations had practiced good cyber hygiene and developed a cyber aware organisation, Clarke said both attacks could have easily been prevented.

“CEOs must understand that a rigorous employee awareness training programme for every employee helps reduce overall cyber security risk. It helps people understand when they are being asked to bend the rules – or when other users are compromising critical information – as well as how and to whom they should report this behaviour,” he said.

“It also helps protect the organisation’s information ‘crown jewels’ – including credit card information, personal details and intellectual property – and control the number of users who can access this important data,” he added.

Board and CEO must set ‘good example’, says expert

Board members with diverse job functions in an organisation have struggled in the past to understand how serious a cyber incident can be, according to Marco Cova, senior security researcher at Lastline.

“While large-scale incidents such as Not Petya may have gone some way towards remedying this, there is still something of a disconnect between the security team, the CISO, and the board,” he said.

“This is a problem which requires a top-down solution, with the board and the CEO engaging more with how to respond appropriately to cyber incidents to set a good example for all employees below them in the business.”

The government reports clearly show the lack of cyber security skills and even basic knowledge at a boardroom level, said Rob Norris, vice-president and head of enterprise and cyber security for Europe, Middle East, India and Africa (Emea) at Fujitsu.

“Despite global ransomware cyber attacks having plunged businesses all over the world into chaos, many organisations remain out of their depth when it comes to properly protecting themselves against these growing threats,” he said.

“Addressing the security skills gap through initiatives, such as the new T-Levels and apprenticeships, is vital, but it’s clear there is work to be done to educate the upper echelons of the business world to ensure our industries are at once competitive and secure.

“With cyber attacks increasing in severity, and with the GDPR [General Data Protection Regulation] carrying the potential to affect an organisation’s reputation and bottom line, cyber security is definitely a C-suite issue,” he said.

Norris said a study by Fujitsu shows that almost half of UK businesses believe they will not exist in their current form by 2021, and therefore the digital landscape will need a new brand of cyber security conscious leaders adequately equipped to navigate it.

Day-to-day security maintenance

While the findings of the government reports are not surprising, Jon Geater, CTO at Thales e-Security, said it is surprising that year-on-year rise in cyber attacks have not yet propmpted every board to recognise the dangers of hacking for companies’ bottom lines, reputation, customer retention and employee confidence.

“Awareness among executives is critical in today’s digital age,” he said. “Every business needs C-Level functional leaders to take responsibility for keeping the business running in these difficult circumstances.”

According to Geater, the stakes are simply too high for organisations to stand by and wait for an attack to happen to them before introducing a sophisticated data protection strategy.

“A concerted focus on robust encryption and key management strategies needs to exist from the top down in companies of all sizes and across all industries. For companies to prevent the sensitive data from falling into the hands of a malicious hacker, and becoming tomorrow’s headlines, boardrooms need to ensure that cyber and data security feature prominently on their day-to-day agendas.”

Back to basics

According to Piers Wilson, head of  product management at Huntsman Security, the failings highlighted by the report largely stem from the limited resources that many organisations have when it comes to dealing with cyber security, but it ultimately comes back to a poor understanding of cyber security and the need to get the basics right.

“Basic cyber security hygiene and increasing use of automation should form the basis of every company’s cyber security arsenal,” he said.

“This will mean the basic, low-level threats that take up the majority of the security teams’ time can be eliminated from the picture, leaving them free to concentrate on making security more of a strategic business priority.”

As a result, said Wilson, there will be less time spent on fire-fighting and more opportunity to build comprehensive security strategies or invest time in training others in the business on how to deal with cyber security threats.

Brian Lord, former deputy director GCHQ for cyber and intelligence, now managing director of risk management company Protection Group International, said boards tend to shy away from cyber security.

“Many individuals perceive it as a subject where their lack of knowledge will be exposed, and perhaps challenging to their individual status on a 21st century board. Or they perceive it as being a deeply technical subject, and so not really a topic for boards to consider or an amalgam of both. Neither is accurate, but it is the cause for the continued statistics shown today,” said Lord.

“My experience shows that education, awareness and training in this area, when presented in a particular way, and is neither technical nor incomprehensible, plays into the strengths of nearly all existing board members and quickly can increase the maturity and efficacy of organisational 21st century risk management

“Rather unfortunately, many boards have been put off the subject by poor awareness, education and training that plays into, rather than counters, their intuitive fears. The fear and nervousness often leads to board level decision-making paralysis,” he said.

Read more about cyber security

Read more on Data breach incident management and recovery