Last Friday, IIBN chose a thematic approach to their latest virtual event, namely cybersecurity. Like everybody in business, I’ve seen issues over the years where staff clicked on things they shouldn’t, had to ramp up security after discovering somebody had scribbled over our site, and had to boil down the ocean of information about GDPR to identify what we really needed to do to protect our clients’ data. While sales or people or operations might be top of our business agenda, if something happens regarding our cyber security, then that topic jumps right up to the top of the agenda in blinking red lights.
Enda Brady, Sky News Reporter, chaired the session with:
- Danny McCoy, CEO of IBEC
- Jacky Fox, MD of Accenture Ireland and Vice Chair Cyber Ireland
- Andrew Fitzmaurice, CEO of Templar Executives EMEA
- Des Ryan, Director of Solutions and Cyber Security at Microsoft
Here were my key takeaways from the session:
- SME Cybersecurity Health
Ireland has some fantastic tech companies with the talent, knowledge, and budget to handle cyber security risks. For example, Microsoft invests over €2 billion in cyber security and scans 450 billion emails for malware monthly. However, Irish SMEs may not have a proportionate amount of resources to take care of what they need. Covid-19 has brought out a lot of threats. There is an element in society that capitalises on the fear that people have around the virus, e.g. people putting “quack cures” on the internet. Also, there is a dramatic increase in activity by “script kiddies” (i.e. people who use existing computer scripts or code to hack into computers, lacking the expertise to write their own) who are extremely tech literate, lack a moral compass and have excess time.
- The national conversation is a global one
When the panel were asked about Irish cyber security and resilience, each of them reiterated what the others had said, which is that cybersecurity is a worldwide concern. The world is flat and therefore, the Irish situation is highly influenced by other parts of the world. The median age of the global population is 30.9 years and today’s young people are very tech savvy. They have high standards for their digital safety.
- What gets measured gets done… and then analysed
When trying to determine the maturity or resilience of a country or an organisation, one considers how the subject identifies the risks and understands their nature, its action plan for dealing with eventualities and its responsiveness. The National Cyber Security Strategy was launched last December with key targets so that the country’s infrastructure and companies can be held accountable. After this, the strategy will be interrogated to ask what has been achieved and what new tangibles and intangibles need to be in focus. While the speakers acknowledged that cybersecurity is hardly coming up all that often when politicians are knocking at one’s door in the lead-up to elections, it’s an issue that matters hugely when it goes wrong. They would love to see the strategy get implemented more quickly and attract more funding into the sector.
- Change has happened much faster than expected and it needs support
Two years of technological change has happened in two months – working from home, a massive scale-up of videoconferencing, new business models, etc. While our focus has been on making this happen quickly, we also need to consider if the cyber security measures in place are sufficient to protect those changes and the underpinning network. Now is a good time to revisit that.
- There is a shortage of 1 million cyber security specialists
As many people have been furloughed or laid off around the world, people may reconsider their career prospects. There is a severe shortage of people with the competence, knowledge, and know-how in this ever-growing industry. 50% of cyber security events aren’t being investigated because of this. Further, 10–12% of people in the industry are female and this represents an even more acute deficit. There is a plethora of STEM-wide engagements and company-specific outreach activities to help solve this problem. (I interviewed Jacky Fox back in 2016 on this very subject at #PWNSTEM with 1000 secondary school girls in the audience.)
- Simple actions can prevent complicated situations
There are lots of simple cybersecurity things that every business should do. During induction, give clear direction on how to maintain high cyber security. Staff need to be aware of the efficient transfer of information, the risks associated with actions (e.g. with Microsoft Outlook) and how to do things right. If you’re working from home, ensure that you have:
- appropriate antivirus software working on your computer
- an operating system that is up to date
- a VPN (Virtual Private Network)
- a reminder to change your password regularly
Personally, I remember being on a course of this nature about a decade ago and the trainer pointed out how much pain could be avoided if you simply lock your computer screen every time you leave your laptop.
- The future of the world of work depends on cybersecurity
As the panel reflected on our new normal and the future of the world of work, they pointed out how much of it is predicated on the presence of good cybersecurity. For example, if people are going to continue working from home, they need to ensure the transmission of data is safe. If people are going to work in progressively more remote teams, they need to protect their intangible assets from the threats of unsecured networks. If eCommerce is going to be a greater part of retail, consumers need the comfort of a “trusted trader”. If somebody is working for a company, they can’t be forwarding work e-mails to their personal Gmail for ease of access.
- 30% of all the data in the EU is held in Ireland and we need to take care of it.
The aforementioned strategy document states that “Ireland is home, according to some estimates, to over 30% of all EU data”. As of Q4 2019, Ireland had €997 billion of foreign direct investment stock. Our corporate balance sheet dwarfs other countries. We can have all the fantastic talent, tax incentives and strategic location that we like, but if companies don’t feel they can continue to operate properly and safely within the infrastructure that we have here, we’re compromising our opportunities.
- GDPR acted as a boon for cybersecurity
GDPR forced companies to look at how they’re handling data, conducting relationships with third party organisations and analysing the risk of data leakage. These considerations are very much in tandem with good cybersecurity practices and hence GDPR has been welcomed by the industry.
- Insurance companies are pushing responsibility back to the companies they’re insuring
Some businesses pay for bespoke insurance against cyberattacks. If they can’t control certain things, they’re transferring the risk of them to the insurer. The knock-on effect of this is higher premiums (for everybody) but also, insurers are setting the bar higher and higher for insureds to take certain preventative action. In fact, they’re sending highly trained personnel out to companies to assess their capabilities in this area. Companies need to be as proactive as possible and not rely on insurance payouts as there are non-monetary (e.g. reputational) consequences also.
- Healthy cybersecurity habits need to be incorporated into the culture of a company
The panel didn’t agree on how long cyber security training sticks and suggested that it can last from six weeks to three months. However, there was clear agreement that there needs to be constant reinforcement of the message so that it moves into the subconscious of the organisation. They also fervently put forward that both message and actions need to come right from the top. Cybersecurity is a board level leadership issue. It’s not just a job for IT to take care of because if something happens, it affects an entire business – finance, operations, people, everything. A person or team needs to take critical responsibility and there needs to be a clear internal communications strategy also. Enforcement of rules, consequences for lack of discipline and accountability for actions are advisable.
- Cybersecurity and digital activity move in lockstep
If a company is very active digitally, they’re likely to be using a lot of data and observing analytics. While there are so many rich insights that can come from that, the last thing that companies may want is a breach and hence, they must manage that risk accordingly.
- Technology is always changing, and cybersecurity is every bit as dynamic
We need to have constant vigilance. Digital activity is constantly changing – from moving data to the cloud to the explosion of social media to this global remote working experience, we can see technology changes happening apace (accelerated by the Covid-19 restrictions), so we have to maintain our focus on keeping ourselves up to date.
- Put a plan in place to deal with ransomware in advance of it happening
The panellists sagely responded to this issue with a similar tone of “we’ve had to deal with this far too often”. The main message was not to pay the ransom in most cases, unless the consequences are people dying (i.e. if a hospital can’t get access to data) or similar. They also highlighted that even if you pay, it doesn’t mean the problem will go away. Put together an action plan before it happens as you can think differently in the heat of the moment. Have somebody on speed dial to help you through the situation. If you wouldn’t pay a ransom for physical assets in the real world, then don’t do so in an intangible world. Call it out and be part of a global movement to stop this form of online bullying.