Companies can't be complacent with cyber security, says expert


Company leaders – including chairmen and non-executive directors – must become better aware of cyber risks to ensure the progress of their businesses. Richard Holmes, head of Cyber Security Services for CGI UK, who has more than 30 years’ experience working with organisations at the sharp end of digital protection, says the risks are growing by the day and no-one who sits on a board can be complacent.

“If the boards of businesses do not do their job, the costs of a breach, as well as compromising company and customer data, will be significant and hugely damaging to the reputation. One of the most important developments over the past three years has been the movement to the cloud, be that with a major public provider or through a hybrid cloud. Executives need to keep asking how this impacts on their day-to-day business.”

“We’ve been talking about cloud for years, but the tipping point has been the UK coming out with its Cloud First policy, which has been actively encouraging companies and institutions to embrace the cloud,” he said.

He was speaking ahead of Cyber Scotland Week, a joint initiative between ScotlandIS and the Scottish Government, which will see a series of events take place from 22 to 28 April.

He spoke about companies which are part of the UK’s essential infrastructure, such as energy, logistics and infrastructure companies. Last May, the UK version of the Network and Information Systems Regulations 2018 came into force. It was part of the Government’s £1.9 billion National Cyber Security Strategy, requiring compliance not only from ‘essential’ transport, energy, water, health and digital services but also from the network and information systems critical for their provision over the cloud.

While Mr Holmes has been working in Edinburgh, with the City of Edinburgh Council, he points out that Aberdeen, with its oil and gas industry, remains vulnerable to hackers. Last December the industry was hit by a major cyber-attack targeting Italian oil services firm Saipem. The most common form of attack is phishing, with viruses, spyware and other malware, as well as ransomware attacks, also on the rise.

Cyber can be a real enabler for businesses. Mr Holmes said that companies which display strong cyber security processes and protocols can be viewed as much more secure when bidding for business as part of an advanced supply chain.

Despite the increasing diversity on company boards, with more women rising to the top, many are still dominated by older accountants and entrepreneurs with no real background in or understanding of the digital changes and the imperatives of cyber defence.

“Everything in most businesses is about data, connectivity and connections. These are the dimensions which drive the economy. The more connected we are, the more complicated it gets, and with more data there are more risks around cyber.”

“It makes it absolutely critical for boards to address cyber at the start and understand cyber, especially in the context of cloud and the agile development of new services,” he told Scottish Business Insider.

“Business leaders need to understand what data is most important and requires special levels of protection; they can then make the right value judgments as to what is best for securing that data. All of the security principles for companies managing their own networks still apply in the cloud. What is different is how you choose to implement that protection. There’s a lot of security that the cloud providers take care of, but still, as a company, you have responsibility as a user of cloud to play your part in the bargain.”

This includes knowing who has access to the company’s computer systems, even through wi-fi connectivity. While resilience is the responsibility of the cloud provider, controlling who has access remains the responsibility of the companies, organisations and consumers using the cloud.

“We developed a guide around cyber-security specifically targeted at board level, called The Thin Guide. We have explained cyber in jargon-free, plain English, talking about the various aspects, whether that be about leadership and governance and understanding the risks that affect a company.”

This includes the legal requirements, among them the consequences of GDPR, and the expectations of UK and European regulators.

“This is about understanding how it works with your partners and supply chain, and being on top of that, as well as having an incident response team. We’ve been looking at all the aspects, but doing it in a plain English way is really important.”

“Having people who understand quite a technical subject but are able to articulate risk in a general, more corporate way, so that board members and senior members understand the risks and can therefore make better judgments.”

This can be about what investments to make or what residual risks they are happy to accept.

It also requires the new breed of C-suite leaders, such as the Chief Information Officer (CIO) and the Chief Information Security Officer (CISO), to be able to speak plainly in the language of the business.

Mr Holmes says the other important issue is the skills gap and the desperate need to bring more people into the cyber security industry. CGI, founded in 1976 and with 400 people working in Scotland, recently partnered with Scottish Borders Council, Apple and XMA for a programme which will see £16 million invested in digital learning over a ten-year period.

“This will equip young people as well as teachers with the digital skills and knowledge necessary, while having a wider economic objective to attract new businesses and employment opportunities to the region,” he said.
