Jim Baines, the CEO of a major US packaging company, recently said: “Just a few months ago I made a stupid mistake. What looked like an unwitting error; the kind of thing we all do, all the time. I was careless and now my business is in danger. I was the first target… the CFO of my biggest customer was the second target. They used me to get to her. Now we’re in big trouble.”
Jim had been personally targeted from out of nowhere. But he should not have been surprised.
High-profile cyber attacks continue to focus our minds – particularly those in the boardroom – on hard-won reputations, customer trust and finances.
Many leading commentators report that the risk from, and the impact of, cyber attacks are among the foremost issues concerning directors. However, at Axelos, we believe there remains a large gap between awareness on the one hand and true insight and action on the other.
Conflicting research validates our concerns. A recent study carried out by Tripwire published in June 2015 found that 54 per cent of C-level executives at organisations within the FTSE 100 index believe their board is both cyber security literate and actively engaged in routine security.
Conversely, UK government research from early 2015 among CEOs, non-executive directors and chairs of audit committees of FTSE 350 organisations shows that over 70 per cent reported receiving “very little” or only “some” cyber risk management information, and 75 per cent believe they have only a limited understanding of how to prevent becoming the target of a cyber attack themselves. The challenge appears to be what “cyber literate” should actually mean for a board director.
All too often organisations react to a cyber crisis rather than build their organisational resilience against such attacks in advance. The reality is that no matter how much money, people, resources and technology you apply to the cyber threat, you will never be bullet-proof. You will be breached sooner or later. No organisation, whatever its size or sector, is safe.
Unless a company board has had to deal with the full consequences of a critical cyber crisis, it is very difficult for it to properly understand the full organisational pain such an incident can cause. It is therefore difficult for directors to contextualise the threat and how they would respond.
Cyber literacy comes with learning and experience, combined with effective collaboration and best practice. It starts with the board understanding and owning the particular cyber risks it faces to the critical information it needs to deliver its business strategy. It matures as the board develops the collaboration and common language required with peers and colleagues to design and manage what good organisational resilience looks like.
I believe that a board must take the lead in setting the right “tone from the top” for all staff, demonstrating that it has a real understanding of the key cyber risks and how these will affect the organisation’s strategic ambitions. Effective cyber resilience will look different in every organisation. What needs to be the same in every organisation is the board’s cyber literacy – knowing it will be breached, and understanding and guiding the programmes in place to detect, respond to and recover from cyber attacks effectively. Only then will the research start to indicate that the gap between awareness and real insight is truly closing.
Jim Baines is fictional – he is a character that Axelos developed in “Whaling for Beginners”, a narrative account of a cyber-security incident of the type that is becoming all too common. Jim isn’t real – but his words carry a lesson that many in the industry need to hear: “At the root of the problem is the fact that I didn’t challenge the people below me – in my own organisation – the people who were supposed to be able to tell me the truth; which is simple – my own human frailties are just as much a danger as theirs. We have to see through advice. Be honest about what we understand and what we don’t. And there’s a lot we don’t.”
Nick Wilding is head of cyber resilience at Axelos