An information security expert was in the Channel Islands this week to advise non-executive directors on the topic of cyber security.
Adam McElroy, Deloitte UK Lead for Identity & Access in Financial Services, spoke to NEDs as part of the Channel Islands NEDs Forum. His session introduced the audience to the cyber landscape, advised NEDs on some personal cyber security consequences and armed attendees with critical information to take into their boardrooms.
Adam highlighted eight risk themes that have affected organisations over the last 12 months, sharing a global overview, personal experiences and learnings. He underscored the fast-moving nature and impact that cyber issues can have on share price and long-term reputation – citing recent examples of what will happen when transparency and consent in the use of data go wrong.
Current cyber security themes now include catastrophic technology and data loss which sees cyber criminals and nation states aiming to destroy data, rather than simply steal it.
Responding to the increased threat, and reflecting on the criminal nature of these issues, additional assistance on cyber security matters is now coming from law enforcement and government agencies, such as the National Cyber Security Centre which has grown out of GCHQ, as well as additional support from specialists in the larger police forces.
‘These new agencies mean we have a range of guidance available, cyber hygiene principles, and in the case of the Information Commissioner's Office we have both a regulator and a constructive source of advice,’ said Mr McElroy.
He went on to talk about the ubiquity of smart devices and constantly connected enterprise, which makes us all more reliant on technology and arguably more vulnerable. ‘We use our phone to do everything from managing our bank balance and heating our home, to booking a flight ticket – this brings opportunities but also risk.’
Obfuscation and the use of technology for the avoidance of controls is another theme that has started to emerge. Recent examples include automotive manufacture and transportation services which are alleged to have evaded regulatory and legal scrutiny.
Mr McElroy warned the audience that the cyber threats they face do not always come from the outside. ‘There is an increasing trend for individuals to compromise the integrity of their organisations. This might be direct and deliberate actions by activists; however, often internal cyber issues come from errors made by staff who make a genuine mistake or need more support or training for their role.
‘80% of insider cyber threat is not malicious; continual investment in training and digital skills for staff should be highlighted at board-level,’ he said.
The ethical and legal ramifications of ransomware attacks, combined with the regulatory framework within which the business is operating in, are complex issues of which NEDs must be cognisant. ‘If you are an officer of a company or a NED you may need to debate the question of paying a ransom, but what about anti-terrorism or anti-money laundering regulations? How might you pay in cryptocurrency? Should you even consider paying a ransom and where can you get legal advice? These are questions that NEDs might need to answer and must to be equipped to consider, now and in the future.
‘Boards should expect a growing level of scrutiny from regulatory authorities and other stakeholder groups in how they deal with cyber risk,’ said Mr McElroy.
At an individual level, NEDs also need to consider their personal cyber security measures, where they go for advice and how they can stay up to date with the fast-paced cyber environment.
Mr McElroy concluded: ‘There are many resources available to NEDs and executives and, in summary, we believe the best form of defence is defence.’
Helen Gale, Partner at Deloitte, said: 'Information security is one of the most challenging topics that boards are currently facing. Today’s business environment is global and highly interconnected, increasing an organisation’s probability of cyber threats. Organisations must remain secure, vigilant and resilient to both minimise risk and optimise new opportunities.
‘If NEDs in the Channel Islands are to retain their quality and competitive edge, it is critical to keep abreast of topics like cyber risks and to hear Adam’s insights on this topic was both thought-provoking and enlightening.’