A Thinking Business publication
The cyber threat landscape is changing all the time and rarely a week goes by without a major corporation hitting the headlines as a result of hackers executing painful cyber attacks. This year has seen Marks & Spencer, Co-op and Jaguar Land Rover all fall victim to extremely costly and disruptive incidents, and the role of technology in escalating the threat level should not be underestimated.
Friend or foe: the role of tech
While geopolitical forces are inevitably playing a significant part in elevating cyber risks, the ability of technology to power bad actors is turbo-charging a fast-growing threat level. While new technologies like AI and generative AI can do much to support businesses as they look to more proactively identify and detect threats and build cyber resilience, there are several ways in which the tools are also raising risk.
For a start, AI tools allow hackers to automate some of their attacks and to scale them in both number and impact. For criminals motivated by financial reward, that automation and scale directly raise their chances of success.
At the same time, new technologies lower the barriers to entry for criminals, meaning even novices can create malware and ransomware with the support of AI tools. The National Cyber Security Centre has noted an increased pool of individuals who now have access to the ability to hack systems.
AI helps criminals make cyber attacks more sophisticated and therefore more effective. However much businesses train their people to look out for dodgy email addresses or other signs of phishing emails, when hackers can scrape the internet for video footage of a CEO and then have a deepfake of that individual show up in a Teams meeting, that becomes incredibly hard to spot.
Charlotte Clayson, Partner in the Dispute Resolution and Litigation team at Trowers & Hamlins, has extensive experience helping businesses both prevent and respond to cyber attacks. She says: “It is quite easy to receive a voicemail from your colleague in the finance team, or attend a video call with them, and believe them when they ask you to transfer money. That is the most tangible example of AI for bad.”
We know that the recent M&S cyber attack involved a sophisticated impersonation, where the attackers posed as legitimate employees and were able to trick IT help desk personnel into resetting passwords and essentially unlocking the systems for them.
That attack cost the retailer an estimated £300 million in lost revenue as it raced to recover its systems. Meanwhile, the estimated impact of the cyber attack on Jaguar Land Rover was £1.9 billion, making it the costliest cyber incident in UK history, disrupting the company’s manufacturing for weeks and affecting over 5,000 companies across its supply chain.
Clayson says: “Businesses have long been concerned about data leaks but we are increasingly seeing the operational impact of cyber attacks having the potential to create much more immediate and devastating financial impact. AI is a good thing for the good guys, but also a good thing for the bad guys.”
She adds: “As more and more businesses bring on board new technologies, there is a need for enhanced awareness of the vulnerabilities coming into systems.”
Recognising the risks
Data from the latest Cyber Security Breaches Survey, published by the UK government, highlights the fact that 72 percent of businesses consider cyber security a high priority for their senior management. However, only 27 percent have a board member with responsibility for cyber security, and that figure has declined from 38 percent in 2021.
Further, the survey reveals that only one in five organisations provide training to their staff on cyber resilience, despite training also being the most common preventative measure that businesses adopt following an attack. That just shows the importance of being proactive in addressing cyber risk.
But perhaps the most important thing that organisations can do to build resilience is set a tone from the top that elevates cyber safety and instils a culture of taking these threats seriously.
“Whenever I talk to businesses about cyber attacks and how to protect themselves, I always start with the importance of strong leadership,” says Clayson. “Technology is developing at such a rate that most businesses cannot realistically keep up with the threats that are out there, so they can’t remove all the risks. What they can do is actively engage with the issue and think strategically about how to manage it.”
It is easy for companies to think of cyber resilience as an issue for the IT team or for information security specialists, but siloing responsibility in that way leaves the business less well protected.
Strong leadership starts with building a tangible understanding of what the risks look like for the business in question, because every firm has different priorities and vulnerabilities. While Jaguar Land Rover exposed the threat of widespread disruption across a supply chain, the recent attack on nursery chain Kido International highlighted what can happen when hackers steal sensitive data – they took names, addresses and photos of approximately 8,000 children.
Once the board has fully grasped the financial, operational and reputational risks that cyber threats represent, the next step is mitigation and putting in place a response plan to deal with any attack that unfolds.
The UK government has published a Cyber Governance Code of Practice that sets out around 20 action points for boards to take in order to most effectively govern cyber risk. “That code covers questions boards should consider in relation to risk management, strategy, people, incident planning, response and recovery, and assurance and oversight,” says Clayson. “It is a really good place for people to start if they are trying to get on the path to cyber resilience.”
A cultural imperative
By prioritising leadership, businesses can ensure their people engage with cyber risk and the right attitudes and behaviours trickle down through the organisation. Staff need to be empowered to report things that they think are concerning and to make suggestions where they think processes and procedures might be strengthened.
“An open and transparent culture has to be led from the top,” says Clayson, “empowering everyone in the organisation to take small steps to really protect the business. Phishing attacks involve a huge human element – only when people know what to look out for and how to respond can you really make an impact.”
If a business does fall victim to a cyber attack, the first 24 hours are critical. And yet despite so many businesses having cyber risk at the top of their risk register, the Cyber Security Breaches Survey shows only 30 percent of businesses have a formal incident response plan in place.
“You need to have a response plan, know who the decision-makers are at every level, and then practise that in a simulation,” says Clayson. “You can work through a realistic attack scenario in an afternoon, including people from across the business – HR, finance, legal, regulatory, customer-facing and IT.”
She adds: “Bring those teams together because everyone will see things from different angles, and you can walk through all the decision points along the route and discuss competing priorities. That puts the whole business in a much better position.”
Best practice dictates that the incident response plan, once formulated and agreed, should exist in hard copy somewhere on the business premises – too often companies overlook the fact that it will otherwise be hard to access when systems are down.
There is no denying that cyber security can be technical, expensive and frightening. But instead of allowing that to result in a lack of engagement, senior leadership teams need to lean in and take a proactive approach to managing the risks.
“So much of being cyber resilient is about understanding the risk, engaging with it and making sure you have a plan and a culture to respond and recover as quickly as possible,” says Clayson.
Technology may be elevating the threat, but companies still have the power to respond.