Cyber Security and Breach Remediation - Are You Prepared?

As we all think more carefully about our personal data and data security, how would you deal with a cyber data breach in your business? Hopefully most of us have not had to experience one, but it is surely a major concern for many people in business today.

Fruition IT's latest technology leadership webinar focused on cyber security and breach remediation. The session, led by Philip Clayson, drew on some fantastic real-world experience of the topic.

Phil started his career in software development. This included working on the UK's first digital platforms for Sky, being co-architect of the UK's Freeview network, digitising the Met Police with improved digital, data and cyber capabilities, and being part of some of the largest technology acquisitions of the early 2000s, including a £2.5bn acquisition of a major UK wireless business.

During his career Phil has held a range of technology, operational and consulting roles, working with major brands including Liberty Global, CNN and TalkTalk. He also led the technology acquisition of Blinkbox, from Tesco, into TalkTalk.

Most relevantly to this session, he was asked to help with TalkTalk's response in the immediate aftermath of its cyber breach in late 2015.

Educating the Business

Phil opened the session by stressing the need to educate every business, from exec level down, on cyber security: the need for a common organisational language and a consistent, comprehensive understanding of risk, not just cyber risk but wider business-interruption risk. Following the TalkTalk breach, this meant increasing the frequency, quality and depth of risk-based management conversations, widening company-wide education, and driving a habit of building security thinking into business processes, technology designs and operations from day one.

This deeper cohesion created a shared appreciation and greater empathy, and underpinned a new language around risk, something Phil called Trading Risk.

What’s Trading Risk?

Trading risk is broader than cyber risk alone: it is the combined set of factors that could impair, or even cripple, your business operation. It looks at risk through more than the IT lens and takes in non-technology trading interruptions as well, including overall systems availability, process reliability, an overlay of criticality (which systems really matter, for example billing), security (of course), fragility, and supportability (which includes analysing the financial stability of the suppliers a system depends on).

Creating a trading risk language brings everyone together around one consistent, simple vocabulary that can be applied across business operations. Without it, this complex, interwoven picture of a large, multi-region, multi-platform, IT-centric business is not easy for an exec board to comprehend.

Visualise the IT

Phil described a challenge common to many organisations: senior (non-technical) execs are not required to understand the day-to-day platforms that IT manages, in the same way that most CIOs and CTOs would not be expected to understand complex tax law or be engaged in detailed HR regulations. So how do you build a bridge to understanding that simplifies the technology estate in a way board members can grasp? Phil's answer was a visual tool: a diagram that showed not only the technology estate but also the business risk attached to each customer system or journey, covering data, cyber and digital platforms, critical and non-critical, in-house and third-party. In short, a business-readable map of the technology.

Once you have shared a professionally produced, human-readable visualisation of the technology estate, real-world engagement with the IT team increases noticeably. Non-IT people understand you better, care more, and feel part of a demystified IT. Teams across the business become willing, rather than reluctant, to ask questions, and collaboration increases as knowledge gaps shrink, siloed thinking erodes, and uncoordinated decision-making gives way to cross-team alignment.

Phil told us that the most important factor in any of these trading risk conversations is Criticality, and that Criticality has two dimensions: systems that are critical for running the business (keeping the lights on, business as usual), for example billing, and systems that are critical because they are attractive targets for cyber-attack, a dimension that is easy to underestimate when the threat landscape is misunderstood. Both are key, and both can be understood better through effective visualisation of the technology landscape.

Questions to ask yourself/your organisation around criticality

So, Criticality is the most important viewpoint to take, and Phil suggested asking the following types of question, both of your IT teams and of your business-facing commercial teams:

  • Which systems in your IT estate are a bigger target, and why? Phil's advice here is to have a clear understanding of what you have and where the sensitive data is secured; indeed, whether it is secured at all.
  • Are you an attractive target, and why? Knowing this, and knowing which types of threat actor would be most interested in you, is key.
  • Just how secure is your infrastructure against different types of attacker? Why would one type of actor be interested in you over another? Why, for instance, do some nation-state actors target hospitals and the providers of services to hospitals, organisations that exist only to perform life-saving and life-improving interventions?
  • Do you know how interesting you are as a data breach target? What data do you hold that makes you a target, how would criminals monetise it, and would they monetise it at all, or is it more about sport, embarrassment and reputational damage, even if there is no direct financial gain for the actor?
  • Would your business instead be more badly hurt by a large-scale business disruption, even if no data was stolen and no systems were hijacked, for example an extended denial of service?
  • Most critically, what is the cost of not having a plan of action in place if this occurred? Would it delay your response, your action and your remediation, hurting both revenue and reputation for far longer and causing longer-lasting damage?

What to do in the event of a breach

So, having established your own deep knowledge of your trading risks, developed a shared language internally (perhaps adopting a visualisation for the entire business), and agreed with your colleagues what your risk posture is, what if you still suffer a breach? What next?

Most people, and indeed many companies, have the very natural reaction: panic.

Phil suggested that if you are prepared you will have at least two valuable things in place: a runbook that everyone has been part of creating, and a third-party incident response company you can rely on for help (assuming you are not a major international company with a team of its own).

If you have either or both of these, you will quickly set in motion the processes agreed during your dry runs and war-rooming, initial panic will turn into rapid, functional action, and your handling of the incident will move forward.

If you are one of these companies, one that has already taken cyber-attacks seriously and prepared in advance, the chances are you have also invested in useful cyber security tooling, so you will already have been alerted to the attack and may even have moved to contain it. If you have all of the above in place, especially if you are early in your company's life cycle, then you are more mature than most.

Phil believes that CIOs and CISOs should be asking the following questions well before a security breach happens:

  • Who would you turn to for help? Do you have strong relationships with suppliers who are close enough to your business to help you? Are there service agreements that allow them to start immediately? Has the runbook been tested for these interactions with them as well?
  • Have you set aside funds or insurance for this? It is always wise to have some funds ready to get you started, because you will incur fees for even basic items long before the big services invoices arrive. Do you have the structures for senior team leads to incur expenditure, outside of an otherwise (perhaps) slower sign-off process, so they can get started where they need to?
  • Would your exec team be able to lead effectively? This one is critical. Has the exec team been led through a professional incident response exercise, one that is robust and, at least for a time, rapidly changing and relentless? It is not a one-off two-hour meeting on a Friday afternoon; it should be a scenario set up by professionals to stress-test even the most cohesive and mature exec teams.
  • Does your PR team have the knowledge and capability to handle this? Your PR team's reaction to the event could make the difference between a short, painful moment and months, or years, of sustained share price reduction and long-lasting media coverage. Does your PR team have the skills (or access to external skills) to handle national and possibly international media, TV, and high volumes of social media? Do they have a plan B, just in case?

In summary

Being prepared is not easy: it is expensive and requires deep levels of honesty, realism and pragmatism. But compared with not being prepared at all, when there is an enormous amount to do, much of it time-critical and very sensitive, and, for many companies, likely to hurt them reputationally and commercially, being prepared is a must.

Who does what, and when, needs to be decided before an incident. Whether it is business owners, shareholders, the Board or non-execs, deciding who gets involved in this planning is critical.

Does the Board stay well clear of the tactical resolution plan and let the leadership team deal with it, or does everyone play a specific role? And do they all know where they are playing, and how to play in position?

If you have not prepared for this, there is a long list of things to do, with hundreds of small decisions all to be made rapidly, before you even start on the biggest issue of dealing with the actual breach remediation.

Closing thoughts

Phil concluded the session by talking about accountability, and how having key people who are accountable in the event of a breach is ultimately essential. Phil felt that the acid test for everyone in a company, from the board down to the most recent early-career hire, is "Would you resign if it happened on your watch?" If not, why not? And if yes, again, why?

If you can confidently answer that question, it will take you a long way towards understanding, and perhaps explaining, where you sit in the chain of accountability for cyber-related breaches in your business. Every single member of staff, whether in technology, the business, or a support function, has a role to play.

That does not mean the question applies more the more senior you are: a software engineer who does nothing to understand how to design and implement software securely is just as disengaged from security as a board that will not invest in it.

Bio

Philip has delivered some of the UK's biggest turnaround events, leading transformative work with private equity firms and FTSE companies that are acquiring, scaling, transforming, or divesting large parts of their business. He has worked with businesses through investment planning and early-stage funding, M&A, product and service launch, growth acceleration, and scaling to worldwide 24x7 operations. Philip has operated across large private and public organisations, in the UK and internationally, and across sectors including Retail, Telco, Energy, Utilities, Broadcast and Media, in both B2C and B2B.

Recent outcomes include engaging quickly to create and deliver effective customer-centric transformation in business-critical FTSE turnarounds, delivering a complex digital transformation, leading a post-cyber-attack recovery, and accelerating a major M&A event.

Philip is also recognised for delivering value from IT portfolio modernisation: reducing operating costs from £80m to £40m inside 12 months for a FTSE 30 company; delivering a legacy IT removal programme that retired 400 of 600 IT systems, saving tens of millions of pounds a year; introducing agile development that shrank delivery cycles from 12 weeks to 2; and migrating multiple legacy on-prem platforms to Cloud/SaaS (including ERP, HCM and CRM).

Get involved in future events

Fruition IT's technology leadership events aim to bring together technology leaders from across the UK to discuss topics that are highly relevant to modern IT leadership. If you would be interested in attending or chairing a future technology leadership discussion, please get in touch: kevin.harper@fruitionit.co.uk

About Fruition IT

Fruition IT is an independent, service-driven IT recruitment agency that sources high-quality, talented individuals. Based in Leeds but serving the whole of the UK and Germany, they specialise in recruiting business change and IT professionals at all levels, contract to permanent. For more information, visit their website www.fruitionit.co.uk or e-mail hello@fruitionit.co.uk

Sarah Pawson

CEO & Founder - Delivering innovative people and tech focused solutions.

4 years ago

Great write-up, Kev, sounds like a really interesting session. Is this on our YouTube channel yet?

Martin Jones

Director at Enablis and Fruition | Providing tech delivery, consultancy and talent solutions | 07966 039827

4 years ago

Great write-up, thanks Kevin Harper and Philip Clayson!

Molly Clifford

Working with talented professionals in the Digital Marketing space

4 years ago

Really good webinar a couple of weeks ago, and a great blog to go with it.

Matthew Wood

Tech Recruitment Expert | Founder of The JVM Thing | Advising Top Tech Businesses on Talent Acquisition | 07929516089 | matt.wood@fruitiongroup.com

4 years ago

Great discussion delivered by Philip, with lots of key take-aways to consider.
