With the increased risk of cyber-attacks, James Tickell, Partner at Campbell Tickell, details the importance of governance and being prepared.
For many boards and executives, cyber security is a matter for the IT crowd. It’s mildly interesting, and we read with mixed horror and fascination about ransom attacks on large companies in the news. It’s probably there somewhere on the risk map, and gets occasional attention from the risk and audit committee. But recent events have surely pushed cyber security right up the governance agenda. Housing associations, charities and local government have all been hit by ransom attacks. Others have experienced serious data breaches, sometimes without any malign external agency – unforced errors, as it were.
As it turns out, the first ransom attack was as far back as 1989, using floppy disks. The risk has risen ever since, and sky-rocketed in the last decade, not least because of various authoritarian states which sponsor, or at least tolerate cyber-crime. A few months back, the entire health system in the Republic of Ireland was affected by an attack. For some companies, cybercrime has proved an existential risk, with insolvency the eventual consequence.
On the international stage, cyber-attacks have effectively become a weapon of war –remember the Israeli sabotage of the Iranian nuclear programme. It is conceivable that an attack could bring down a major financial institution, or in an extreme case, the entire financial system. Or the power network for a country, an oil pipeline, pretty much any major infrastructure enterprise. To make it more personal, how much would you pay to be released from imprisonment in your smart car or even home?
The consequences of an attack can therefore be serious. Lives could be lost. Paying the ransom might turn out to be the lesser of various evils, and some UK and other firms have already paid vast sums in Bitcoin ransoms. Personal data can be lost, or abused, with business processes disrupted for weeks, or even months. Litigation can often follow. The costs and disruption can be huge. And the risk is not just to organisations, but to tenants and service users as well.
Here be monsters…
Cybercrime has become a global dark industry, alongside illegal drugs, people smuggling, and extortion. It is a monster – parasitical, remorseless, and powerful. Annual turnover may be as much as $20 billion, although that is hard to quantify for obvious reasons. As with any other industry, there is assiduous attention to branding – we have all now heard of ‘SolarWinds’, ‘NotPetya’ ‘SoBig’, ‘WannaCry’ and many more besides. The COVID-19 pandemic, with so much remote working, has opened up new vulnerabilities, which have been eagerly exploited.
The key point here is that there can be no fully effective protection from attack. Precautions are important of course. But there are many points of vulnerability, some of them inherent in the software systems we use. Human error and corner cutting add to the risk, and can never be eliminated completely. So it is necessary to assume that every organisation may at some stage in the future be affected, and perhaps held to ransom for its data. Several of CT’s clients, in housing and other sectors, have already been affected in various ways.
What then is to be done? First of all, every board, and the relevant committees, need to give this their full priority attention. To do this, they will need access to deep expertise. Indeed it is becoming highly desirable, if not essential, to have such skills represented among the non-executives. Leadership level skills are also important – more and more organisations are creating executive level posts for the Chief Information Officer. Relentless curiosity, scrutiny and questioning need to become the order of the day.
Plan for the worst
We must assume then that it will happen to us one day. So part of the agenda is about preparing for such an unfortunate event. For a start, once the enemy has already breached the outer walls – don’t use email to communicate about it – the enemy can read them!
Strong defences should help, but the hackers are smart and well resourced. As the saying goes, it’s more fun to be a pirate than a coastguard. So now is the time to start thinking about backups, and contingency plans. It would be a good idea to wargame some scenarios at governance and operational levels. So for instance, if all of your data were held to ransom, and you had to start again from a backup that was (say ) two months old, how would you set about achieving that? It’s not easy going back now to the Jurassic era of index cards. Ideally, if your data were held to ransom, you would be able to resist the extortionate Bitcoin demand, and get back in business relatively quickly, with expenditure and disruption contained at reasonable levels.
It’s all about governance
For boards and risk committees, there are some important questions to consider. The obvious one – are your cyber-defences as good as they can be? It may be worth getting some external agency to test them, trying to simulate a hacker attack. A strong and compliant organisational culture is another important line of defence. However, it goes beyond your own defences, and you also need to consider those of your suppliers and third parties, for instance your maintenance contractors with access to some of your systems. Third party software systems can also be a problem, such as those used for mass mailing.
Another area for attention is that of insurance. After a ransom attack, dealings with insurance companies often becomes contentious, as they inevitably look for reasons not to make good the losses. It is well worth looking at the detail of the relevant policies, and also at the track record of your provider in dealing with other clients. As an aside, a recent high-profile victim of a successful ransom attack was in fact a major insurers covering cyber risk. And they had to pay up!
The overriding message here is that this important subject now deserves serious governance bandwidth, based on the necessary expertise and advice, so that scrutiny and challenge can be for real. The enemy is powerful, well-resourced and busy scanning advanced economies for easy targets. They are the hungry monsters, and we are the prey. Housing associations have not yet been the main focus, but could easily become so. Now is the time to prepare, test and scrutinise. Yes, it may just never happen, but if and when it does, you must be as ready as you can. The danger is clear and present.
A previous version of this article was first published in Housing Technology’s – September 2021 magazine. Click here to read.
To discuss further, please contact James Tickell on: james.tickell@campbelltickell.com
Campbell Tickell is running a cyber security and good governance online masterclass on the 26th January 2022. Find out more.
| Campbell Tickell is an established multi-disciplinary management and recruitment consultancy, operating across the UK and Ireland, focusing on the housing, social care, local government, sport, leisure, charity and voluntary sectors.
We are a values-based business and firmly place the positioning of our support and challenge on helping organisations to attain change that is well thought through, planned and sustainable. At CT, we want to help organisations create the landscape within which we ourselves would like to exist: fair, inclusive, diverse, engaged and transparent. We build from our values in how we approach all our work as a practice. Find out more about CT’s Services. |
