Data breaches have become an unfortunate fact of life. From British Airways to Facebook, rarely does a week go by without a headline announcing that a company has been hacked and their customers’ personal information has been compromised. To understand more about the real issues behind these breaches, Kekst CNC spoke to Tim Rawlins, a senior adviser at the leading global cyber assurance company, NCC Group. Top on his list of priorities: preparation, getting the fundamentals right, and always having a communications adviser on hand during a crisis.
Kekst CNC: Can you tell us about how companies can prepare for a cyber security breach?
Tim Rawlins: Properly preparing companies and their senior management for a cyber threat is an intricate process. You really need to explain the threat in a language that makes sense to them. There is no point in talking in highly technical terms. It’s simply not productive. So, we explain cyber security to executive committees, boards and senior management, but we frame the issue in a way that they understand - as one of the most serious business risks facing their organisation.
Once we have helped them to understand the threats and benchmarked their current cyber security capabilities, we can run a full spectrum of simulation attacks that help us demonstrate where the company’s vulnerabilities still lie. To cover every possible weakness, we deploy different teams. Our Black Team leads the physical infiltration, getting on-site and seeing how easy it is to gain physical access to their systems. Our Red Team oversees cyber intrusion, either on-site or via the internet, while our Purple Team helps the client’s own team defend themselves against the attack. We also have a Gold Team, which works with the most senior-level leaders who set the strategy for an organisation. By putting them under real pressure in a simulation environment, we can find out if their crisis management procedures and plans are going to work when the real thing happens.
I take all the insights we gain from these exercises and help businesses understand what must improve and how we and they can work together more effectively to manage their business risks.
Kekst CNC: GDPR has made data breaches very public. Can you tell us what this has meant for the way companies view cyber security?
Tim Rawlins: The introduction of GDPR has brought cyber security to the attention of company boards across Europe and increased the concern around cyber breaches. Companies now realise that a data breach can have a very significant impact in business, financial and reputational terms, and so the security of the data they hold across the organisation is everyone’s responsibility.
Having to report a breach within 72 hours means that there is a lot of pressure on how a company communicates with their customers and regulators. The Information Commissioner’s Office (ICO) can fine a company up to 4% of their global annual revenue or €20 million, whichever is larger. Not only do organisations have to report the breach in a short window of time, they will also be judged on whether they had done everything they could to avoid it.
The positive aspect of GDPR is that it ensures that cyber security is not just siloed into IT and forgotten but is a board level responsibility.
Kekst CNC: What role should communications specialists play during a cyber breach?
Tim Rawlins: Communications advisers are absolutely essential in a cyber crisis. It is so easy to lose your reputation by saying the wrong thing, even if you are doing everything right in the background. The wrong word, or the wrong off-the-cuff comment can be disastrous. How the spokesperson is presented visually, what language they use and how they are prepared for questions from the media is crucial to successfully navigating a crisis situation, and there are plenty of examples where people set themselves up for a fall because they weren’t properly engaging with a specialist. This is even more true now that GDPR has set a time limit on communicating with internal and external stakeholders.
So, I absolutely wouldn’t run one of my Gold Team exercises without a specialist communications adviser to advise the board. Someone who has the experience of handling the pressure of a major incident and the knowledge of how to navigate the very sensitive issues you are facing. If you find yourself managing a crisis you should absolutely engage a specialist who will help you draft the right words and ensure that your internal and external messages are clear, consistent and deliver the right message to the right audience.
Kekst CNC: What are the key mistakes that companies are making when it comes to their cyber security?
Tim Rawlins: Many now see it as a question of when, rather than if, a company will become a victim of a cyber breach. Despite raised awareness around cyber security, we are still seeing organisations failing to get the fundamentals of cyber security right. While the sophistication of attacks launched by nation states and organised crime has increased, in many cases the simple attacks still work.
The ideas set out in the NCSC’s ‘Cyber Essentials’ scheme are a great place to start. These cover: using a firewall on your internet connection; setting up your systems and devices securely, with good passwords that are not re-used; protecting yourself from viruses and malware; limiting the higher level of access to systems to those that really need it. And possibly the most fundamental of all: always update, or patch, your software so that it has the latest cyber security features. Some people call them “hygiene factors”, as they should be as fundamental to your business as washing your hands is to your health.
We say that you can help your staff maintain good security by following a simple mantra: “Make it easy to do the right thing”. Take phishing attacks as an example. Phishing emails try to trick you into clicking a link or downloading a document. No matter how hard you train your staff, if enough phishing emails are sent to your company, someone will click on the link. You need to take some of the burden away from your staff. You need to stop them from even seeing phishing emails in the first place. Your systems should filter them out straight away, and if they do get through, make it easy for staff to report them to your security team.