Boardroom oversight of Cyber is rapidly becoming a business imperative given the increasing pressure from Regulators and ongoing Cyber attacks. A report this year by the World Economic Forum highlights the ‘key role that business leadership must play’ to ‘build a more effective Cyber strategy and incorporate it into overall strategic thinking.’ However, it also noted that becoming Cyber resilient is gaining traction relatively slowly amongst many Board members. This is surprising given that Boards are increasingly being held to account for security breaches, with Cyber risk having the potential to be a ‘tail risk’ provoking irrecoverable damage to reputation and to the ability to operate as a successful business.
One of the key reasons for this may be the traditional misconception that Cyber Security is the remit of the IT function. However, whilst this is beginning to change, with organisations starting to cite Cyber Security as one of their top business risks, there is also acknowledgment that many Board members do not have sufficient knowledge or expertise to address this area and provide effective oversight.
Earlier this year the National Association of Corporate Directors (NACD) highlighted that ‘Directors don’t need to be technologists to play an effective role in cyber risk oversight – but every Board can take the opportunity to improve the effectiveness of their cyber oversight practices.’ Understanding risk and mitigation efforts is an ongoing process and the need for topical and continuous education and awareness amongst senior executives is therefore critical.
In addition, every organisation needs to identify C-level functional leaders who are tasked with managing the Cyber Security agenda. This will enable an effective, dynamic and adaptive response, both from the perspective of providing a competitive edge for the organisation and of helping to mitigate the risks. The nature of Cyber attacks is becoming ever more complex and versatile - from corporate cyber espionage, hacktivism and state-sponsored attacks to threats such as ransomware, phishing and distributed denial of service (DDoS) attacks - and these can leave an organisation instantaneously besieged and compromised.
Moreover, whether enacted maliciously or accidentally, everyone is a potential target in today’s digital age, and an organisation can only be as strong as its weakest link. Against this backdrop, building Cyber resilience capability within an organisation requires a systematic approach and needs to be seen through a number of different lenses, encompassing cross-functional departments and other stakeholders.
The following scenario combines a number of real-world incidents to demonstrate the ‘holistic’ nature of Cyber Security. This is done with the intention of demonstrating why, for a CEO, the Board member for HR plays just as important a role as the Board member for IT, Legal Counsel, or indeed the Senior Information Risk Owner (SIRO).
Energy & Accounting is a London-based international accounting and mobile energy generation firm that provides managed accounting services for SMEs to large organisations across 16 countries, as well as mobile generators to SMEs in remote geographical areas around the world. On the accounting side, services range from provision of accounting software to full accounting services and payroll. This also includes ensuring the correct amounts of tax are paid to the administrations where the clients of Energy & Accounting are geographically located.
Although profitable, the company Board is hungry for further efficiencies and has created a Transition Plan to bring together key elements of both businesses. In light of this, within the accounting business, a number of datacentres have been earmarked for consolidation over a six-month period. Some locally employed staff will inevitably be made redundant, and those affected have already been notified that their jobs are ‘at risk’.
It is the morning of 10th August, and the Financial Director of Energy & Accounting, Angus Dart, receives a call from his deputy Frank. Frank tells him that he has just had an email from the UK’s Revenue & Tax Department (RTD) asking why they have not received payment from the company for two of its clients for tax owed from the last financial quarter. Frank has confirmed that a payment of £500k was made and believes it is a mistake by the RTD. Angus thinks nothing more of it. However, three days later, the RTD calls Angus personally to advise that they definitely have not received the outstanding payment of £500k.
Angus is somewhat baffled by this turn of events and calls Frank and asks him to carefully re-check payments made. Frank calls back 15 minutes later. He confirms payment was made but not to RTD; the account numbers had been changed to private bank account numbers. Moreover, the transactions had occurred some six weeks earlier.
Recognising the severity of the breach and potential consequences, Angus then contacts Templar Executives immediately for specialist and trusted support. A team is deployed to work with Angus, who is the responsible Board member for the organisation’s exposure to Information Risk and Cyber Security (the Senior Information Risk Owner or SIRO). Templar Executives also works with the CEO, Tony Rose, and Board members responsible for Security, Marketing and Communications, HR and Legal Counsel to resolve the situation.
It came to light that one of the dispersed IT Datacentres earmarked for closure housed a locally sourced finance team that had all been given notice of pending redundancy. A number of supervisory employees had already left for other roles within the organisation, leaving the remaining employees with little or no oversight.
Moreover, a few weeks earlier local flooding had limited the operational effectiveness of the site, and local management had decided to allow staff to make use of a small number of computers so passwords were shared. However, these were never changed when normal operations resumed. These computers provided access to client financial data including the payroll details of many thousands of client employed personnel. With the use of a common password, individual attribution became very difficult.
A swift-moving investigation soon revealed that a Serious & Organised Crime gang had recruited an ‘Insider’ and that over £2 million had been earmarked to be paid into private accounts in different cities over the coming months. Moreover, it was unclear whether or not the organisation’s client databases had been compromised. If they had been, and the data were leaked, Energy & Accounting could be responsible for the breach of many thousands of personal datasets. Energy & Accounting and the Templar Executives team now had to manage the intense media interest that ensued, to limit damage to the organisation’s reputation and ultimately protect the share price.
Through working closely together, and taking the appropriate steps at the right time, Energy & Accounting and the Templar Executives team brought the incident to an end within 7 days. Minimal reputational damage occurred, and an individual was eventually arrested by the Police and evidence handed to the Crown Prosecution Service.
Lessons to Learn
The CEO Tony Rose, along with Angus Dart, called an extraordinary meeting of the full Board to review the Cyber Security incident in detail. The main aim was to find out how things had gone so wrong so quickly, and to ensure that this did not happen again. The theme that emerged with distinct clarity was that the Cyber Security agenda was a horizontal, cross-cutting agenda. It was clear that, in order to be effective, the Board SIRO must be able to exercise Governance around the Cyber Security agenda across and down all the business verticals, and the Board members responsible for each of the verticals had to consider their own business plans through a Cyber Security lens. The following points were the views of some of the key Board members after the CEO’s meeting:
Board Member for HR
Alice Wallace realised that she had allowed the organisation’s drive for financial efficiency to stifle her calls for a complementary ‘People Strategy’. It was clear that a failure of local management oversight had contributed to the incident. These failings included a lack of adherence to procedures, to appropriate changes in staff ‘Terms and Conditions’ and to basic good people management practices. It was evident that the risks of bad management practices challenged the ability to maintain effective Cyber Security in the operational environment. More frequent and regular awareness training was clearly essential. From now on, Alice would be taking a more proactive role in ensuring the ‘people-risk’ dynamic of all initiatives was fairly and properly considered.
Board Member for IT
Mike Biff had been driving the agenda for architectural changes to meet Tony Rose’s requirements for significant savings in IT. Biff had been appalled at how easily the ‘Cyber crime’ had been carried out through what was a simple systems breach. He felt that he was not to blame for HR agreeing to the posting of key staff whilst the IT Datacentre was on run-down. However, he did feel energised to influence the Board for an increase in his spend so he could purchase an internal monitoring capability. In hindsight, this may, arguably, have spotted the initial attack before it became an issue.
Board Member for Security
Cameron Wild felt a little uncomfortable. He had been with Energy & Accounting for 25 years, but most of that was in the mobile generator business. He realised a significant security event had just occurred, but he had felt ill-prepared to deal with it. As a former policeman with an engineering degree he knew about fraud and physical security, but some of the subtleties and capabilities around the Cyber Security agenda seemed more like ‘James Bond’ than normal policing. He knew he had to work more closely with fellow Board members, so decided to seek funding to create a deputy role of Chief Information Security Officer (CISO): a key role to advise on all holistic aspects of securing information: people, physical and Cyber Security.
Legal Counsel
Gill Duke was new to Energy & Accounting. Gill was a corporate lawyer by training, with a background in construction. This new role was quite a different challenge. Gill realised that there were areas that she had been expected to handle in which she just did not have significant experience. Gill realised that in terms of Data Protection she had been on the back foot, especially around who was really responsible for what when it came to outsourced processing of personal data.
Moreover, her role had necessitated interaction with the UK’s Information Commissioner, and she was not sure that she would have been as effective as she would have wished without the guidance of Templar Executives. Gill realised that she needed to widen her legal advice beyond purely the financial aspects and cover off Cyber risks to ensure she made a meaningful contribution at Board level.
Board Member for Marketing and Communications
David White had a small Marketing and Communications team. Recently he had been concentrating on a growth strategy and the shareholder communications strategy. He had found little or no understanding of Cyber Security within the wider Board. Although experienced in internal communications, he had not been included at all in the creation of the Transition Plan for the business, nor had he had much dealing with external stakeholders, such as the media.
When the story of the breach broke, David discovered the Press was very hungry for news. Whilst Energy & Accounting was on social media, due to the nature of its business its profile was low. However, the media interest was so intense that David quickly felt that he had lost control of the agenda, and he did not have enough experienced resources in his team to support him. He quickly learnt to watch all media feeds and develop ‘lines-to-take’. When it came to a request for an interview with a Board member, none had any recent media training. This lack of training, and the fact that the Board had not done any Crisis Management exercises for at least 18 months, meant that David would be raising this at Board level for action.
Finance Director & SIRO
Angus Dart was relieved things had ended so well. He had been unsighted on some of the HR and IT plans to deliver the Transition Plan, despite the fact that, as SIRO, he was now responsible for dealing with the outcome of the Cyber attack and data breach. Angus understood that going forward he must have an input to ensure the right amount of risk was being taken from a Board-level perspective. Angus had now undergone specialist training provided by Templar Executives and knew when and how to ask for expert assistance.
He had obviously had a hand in developing the Transition Plan that had almost caused a disaster, but that had been before his training. He knew he must have inputs from others into any future planning. He realised that he was holding the Cyber risk agenda on behalf of the Board, so needed to ensure he contributed to and influenced the plans of all the directorates in this area. He had already decided to increase the Security and IT budgets in the next year to a level commensurate with the business risks identified by Energy & Accounting.
CEO
Tony Rose had been very pleased at how his team had worked with Templar Executives to resolve the incident swiftly with minimum financial impact. However, he was less pleased with the lack of understanding of Cyber Security amongst his Board, including himself. It was clear that the increased Cyber risk that transition projects inevitably produce had not been taken into account. Tony decided to introduce KPIs around the Cyber Security agenda for every Board meeting and to ensure that his Board received training so they all had a common understanding. He also recognised that when the Cyber Security agenda goes wrong it can be very detrimental to the success of any organisation’s business. However, get it right, and it becomes an effective business enabler.
Organisational leadership, expertise and decision-making around the Cyber Security agenda can avert disaster and enable businesses to operate safely and successfully in the digital age. The Board must understand, own and define the governance and risk management criteria, and the key role of Board Directors, to ensure proper oversight of Cyber risks for their organisation. The above scenario is based upon Templar Executives’ real-life experiences dealing with Boards and organisations that are seeking to address and proactively embrace the Cyber Security agenda.