Cyber security "starts with the board"

By Matthew Drage, director of external engagement, Huntswood and Stephen Head, senior partner, cyber security practice, Gadhia Consultants

7 February 2020

Just as we rang in the 2020s, foreign exchange company Travelex found itself battling a well-coordinated and meticulously planned ransomware cyber-attack.

This attack came as a timely reminder that, as financial firms extend their offering and reliance on all things digital, we can only expect the risk of cyber incidents to increase.

No business wants to find itself in a position where they risk having their systems hijacked or their customers’ personal details stolen, but the hard truth is that cyber-attacks can hit and incapacitate even the most well-defended firm.

The question now then is ‘how can you ensure your firm isn’t next to make the news?’

Now is a great time to re-evaluate your cyber security processes and policies to prepare for the decade ahead. But where is the most effective place to start?

Start at the top.

Co-ordinated protection

Appointing a board-level representative to take ownership of cyber security should be a top priority for any business – no matter its size. This person will be specifically accountable for the ongoing management and monitoring of cyber security. Their first task should be undertaking a thorough review of the business’ preparedness, paying close attention to the policies and processes that are in place in the event of an attack. This audit will quickly make apparent which areas require bolstering or need further attention.

Board members must set the tone for the business, but a company is best protected only when every level of the organisation is equipped with the most appropriate and comprehensive knowledge. Hackers will target any weakness in a firm, meaning there can’t be any weak links. All staff must be on the same page, with clear roles and responsibilities assigned. These should be continually tested and updated based on the changing threat landscape.

As the nature of threats evolves, constant evaluation and understanding of cyber trends is advised. You, of course, want to know what is in store – forewarned is forearmed.

For example, phishing attacks are evolving, with criminals moving beyond emails as a way of targeting consumers. They can now be carried out via browser pop-ups, ads, malicious search results and malicious apps. Secure gateways, extensive employee training and a real culture shift will be needed to bolster your firm’s security in the face of this threat.

Prepare for the inevitable

Unfortunately, no matter how well prepared a firm is, we now operate in an environment of ‘when’ rather than ‘if’.

Your firm needs to prioritise which systems or applications are critical to the running of the business, and then draw out parallel contingencies that could be activated if they were breached.

For example, consider whether, and how quickly, teams can remove or change access permissions, and what the process for doing this would be. Partnering with third-party providers will give you access to specialist technical help with the complexities of a cyber breach. Such a move will also help you free up resources internally and provide you with guidance around how to communicate the breach externally.

Mitigating reputational damage

Knowing how and when to communicate a cyber security breach to the market, regulators, customers, media and staff is a must. GDPR requires firms to report any breach of personal data to the Information Commissioner’s Office (ICO) within 72 hours. As part of this notification, an assessment of the extent and severity of the breach needs to be included. Would your firm be able to meet this requirement within the set time frame? Failure to do so is costly – £20m or four percent of annual turnover – whichever is greater.

Reputational damage is often a secondary concern when an attack occurs, but it’s important to remember that poor communication can cause significant harm to a business in the long term. A clear strategy should be mapped out which can be adjusted to individual circumstances. This will go a long way to ensuring that, in the moment of crisis, all communications are timely and accurate, retaining customer, stakeholder and regulator confidence in your organisation.

The good news is that strategic, cyber-savvy board members are on the increase. By consistently sharing knowledge and experience, financial services firms will be better prepared and able to adapt more easily to the evolving threat landscape. Cyber security is an issue that every business knows they must take control of – the risks of regulatory fines, reputational damage and material losses are simply too great to ignore – but it’s an ongoing challenge with no room for complacency.
