All businesses must take cyber-security seriously

The biggest problem seems to be that businesses are still not taking cybercrime seriously enough, says Ian Buchanan: ‘It’s evolving all the time. The bad guys are getting more sophisticated, the threats are getting more sophisticated. They’re now starting to use, allegedly, machine learning and artificial intelligence, which escalates the threat and that’s why people have to take it seriously at all levels.

‘This is not just an IT risk, this is a business risk and when it comes to governance in organisations this needs to be an agenda item at board level.’

Cyber attackers aren’t just part-time hackers in hoodies; they are now serious organised criminal gangs and even nation states. ‘It’s really important that organisations take it seriously because it’s just going to get worse and worse as we go into the future.’

So what’s Mr Buchanan’s best advice for businesses?

  • Make things difficult

‘Threat actors use rational economic business models themselves – they are there to make money. If you make it difficult for them to achieve their end, which is to steal money, then they’ll simply go somewhere else. So part of risk management thinking needs to be about how do I make it difficult for those guys to do something to me and try to catch me out. So risk management is really important.’

  • Don’t forget your staff

Staff can be the biggest risk in your company, but they can also be your first line of defence: ‘The majority of people, if they circumvent security, it is because the security is getting in their way. So security shouldn’t be a disabler, it should be an enabler. It should enable people to do their jobs effectively, it should just steer them to do it safely. Training, education and awareness are absolutely key – get them onside.’

  • Have a response plan

‘There are two sets of organisations in the world: those that have been hacked and broken into and there are those that just don’t know it yet. So organisations need to understand what their response is. How do they respond, how do they react, who do they call upon? It’s all to protect their business continuity. The business owners need to understand that if and when they get hit, that they can respond in such a way that keeps the business going. If the business doesn’t keep going, then that goes back to the fault of the chiefs who sit on that board having not done their job properly.’

  • Prepare for the worst

‘Those people at the top need to have media training. They need to be able to stand in front of the cameras and microphones and be able to explain why they’ve been breached and what they are doing about it in such a way that it retains confidence in the company.’

  • Where to get information

Ian says the best thing a business can do is to tie into the UK’s National Cyber Security Centre – the public-facing element of GCHQ: ‘It is doing a great job of bringing things to light and exposing the threats that are out there and they are aiming not just at large organisations, but also small organisations. They’ve recently released advice for charities and small businesses, their ten steps to cyber security. They are also going public on attribution. It used to be a problem with who was behind an attack – was it organised crime or state actors? They are now being open about state-sponsored attacks. That’s important for people to begin to understand the scale of what they are up against.’

For more information visit ncsc.gov.uk/guidance/10-steps-cyber-security.
