Views and opinions expressed are those of the author and may not represent IT Governance.
The secret to avoiding danger is not to rely on lists of things experts tell you to do, but to get into the habit of knowing what to ask to avoid trouble. There are two questions that the C-suite and customers should ask to minimise their risk of exposure to cyber crime but these are not being asked. Why is that?
Competence vs checklist
I was a policeman for over 30 years and – like all those who went through police college – I developed an obsession with proudly reciting little sections of the law. I would compile endless lists, acronyms and mnemonics like some colourful, quasi-legally qualified parrot. DG CHAMPS was a favourite cue to remember all the animals listed in the Road Traffic Act that you are required to report to the police following a collision. Sorry Felix, ‘C’ is for cattle not cat, which is not in the list.
In policing, learning by rote and having long lists – such as the points to prove for theft – means you can recall facts and won’t miss an issue that will make you look like a bungling Keystone Cop. It also gives an officer confidence, an air of authority and – most of all – structure. Issuing the caution to a violent burglar you are trying to restrain on the ground without recourse to a laminated note in your pocket, or knowing when to deploy the explosive question that demolishes a suspect’s defence, shows you’re in charge of the situation.
Three decades on, I can’t resist looking at a list published online by a respectable colleague, like the one on cyber security and the duty of care by Ed Bets. His top 10 checklist for what board members need to consider is a clear and easy read.
There’s only one problem with such aide-memoires. You have to know the subject inside-out to write them; you should understand the subject to use them; and you have to remember where they are on the odd occasion you need them. The diligent police detective knows their powers of arrest and restraint before they start grappling around on the floor with a villain. They know and remember this because there is a strong likelihood they will face this danger and they must do the right thing when it happens. Once ingrained in the thin blue mind, the cue card can be written.
Dirty rotten crooks
We may not think of cyber and economic crime as being anything like as dangerous as, say, sharing the last train home with a knife wielding maniac, but the truth is that cyber criminals have the potential to wreak havoc on the lives of every citizen and seriously harm businesses in the United Kingdom.
Talking at a conference hosted by IT Governance to explain how the UK Government’s new Cyber Essentials scheme can protect large and small businesses, I provided a picture of the true nature of this hidden crime that costs the UK over £21bn each year. I also sought to dispel any romantic notions that these criminals are some kind of lovable rogues. These villains are callous and deal in a filthy crime that illegally transports human beings and preys on the vulnerable and gullible.
They are cyber wolves hungry for unsuspecting pigs that live in straw houses, and companies that are vulnerable to attack are high on their list.
The scandals sweeping the financial services sector remind us that managing operational risk has to be a way of life for every serious professional, from the entrepreneur to the FTSE100 CEO. I find it alarming, then, to hear from the government that many large companies in the UK – even household names that hold customers’ personal data – have not put in place the basic security measures set out in the Cyber Essentials scheme. This means they don’t have the right controls in place to prevent the theft of information such as customer data.
Courage to question
How can this be so when the board knows its duty of care and must have seen guidance such as that top ten checklist for cyber security? I don’t believe it is ignorance on the part of the board. My suspicion is that those who have a duty to protect the company are trapped in a cyber-trance – hypnotised by the sheer volume of information about invisible threats and immeasurable risks.
Like many vulnerable consumers, they are paralysed and unsure what to do to address the threat. Then there is the cost of putting measures in place to protect the business from the invisible attacker, and the risk of looking foolish for asking.
This cyber-inertia spell can be broken by asking two simple questions. Firstly, “Does the company have certification under ISO27001 or the Cyber Essentials scheme?” Secondly, “If not, why not?” These are the standards that give you independent assurance that an organisation is serious about keeping confidential data secure: certification shows that a defined set of controls is in place and has been assessed by someone outside the company, which is far more than a verbal reassurance that “we take security seriously”. It is not a guarantee against every attack, but an organisation that cannot answer the first question has no evidence to offer at all.
You don’t have to be an expert to ask these questions, but you need expertise to achieve them. I am not a cyber security specialist, but over the past year I have been working with Today Translations, a pioneer in the translation industry, to help them provide their clients with additional assurance in this data-rich sector. They elected to adopt ISO27001, which is no simple undertaking for a firm with operations that span the globe. Rather than acting alone, they took advantage of the unique services offered by IT Governance who held the company’s hand throughout the process. In June 2014 the company became the first in their sector to achieve ISO27001 certification, and even picked up a commendation from the assessors. You can learn how this had a positive impact on their business in this case study.
I’m not asking everyone to enrol as a special constable to fight the organised crime menace. My plea to business leaders is to make sure their information doesn’t end up with criminals, and asking two simple questions is a start.