defence & cyber security roundtable 31
improve the basic resilience of all business and industry.”
Murray queried if it was possible to have one set of security standards for all sectors.
Eryl Smith suggested a layered approach could be devised. “Roll forward four years, and I can see many government public sector contracts where a standard or accreditation process, similar to ISO 27001, will be mandatory for certain forms of government procurement.”
Roy pointed out accreditation was one way of “getting a minimum level of security compliance in place without necessarily scaring people.” It was increasingly common for sector contracts to require the Payment Card Industry Data Security Standard (PCI DSS), and this could be extended to other sectors or certain products or services, he suggested.
Pudwell agreed that PCI DSS and ISO 27001 were already accepted, not too difficult to comply with, and at least proved an acknowledgement of the risk involved.
Hello, Mr Director. You may be personally liable.
Pitmans' Peddie highlighted the legal perspective. “Companies need to make their executive board members aware that they may be personally exposed if they don’t get a grip on increasingly identifiable risks. The corporate world needs to move pretty rapidly towards a proper understanding of the significance of this area, otherwise board members could be in the firing line.”
Insurance broker Piper agreed that directors failing in their fiduciary responsibility to look after a company’s assets could themselves be at risk. “We need to get down to the nitty-gritty, help them to understand what the cyber risk is, how it might impact the achievement of corporate objectives, how they can plan a solution to overcome it.”
Insurance might be part of that solution, he admitted, but although “there has been an uptick in interest, it is an emerging market and not everyone is offering cyber policies. I am sure many directors think they are already covered (by D&O insurance) but if there is no physical damage or bodily injury, there is no trigger, no coverage, and importantly no cover for defending a law suit from a third party.”
“I actually think that fear can be a good thing.” D&O liability insurance began to be taken seriously when examples appeared of directors getting hit by lawsuits, explained Piper.
Eryl Smith agreed: “Most people think it won’t happen to them, but the moment the light goes on . . . then, there is an uptake.”
James mentioned moves in the US to insist on improved corporate governance disclosure of a company’s cyber security resilience. This had followed a cyber incident disclosure by Betfair, several months after it had floated. Only a small paragraph in Betfair’s 150-odd page prospectus had alluded to the incident. “There is an increasing onus on businesses to make disclosures and be transparent.” Similarly, in Japan, demonstrating resilience is proven to enable a company to secure more favourable banking products.
Pudwell said his company often advised mid-sized companies to at least do something now. “If you end up in court as a company director having not even taken the easily understood and inexpensive minimum steps that are available, you are in big trouble. Not least, your insurance may be invalid, but it’s equivalent to leaving your doors open at home.”
He said companies should take three immediate security steps:
• Get your current security externally tested.
• Put additional basic security practices in place.
• Start recording what goes on in your IT infrastructure. It’s like CCTV in the High Street. If you do need evidence, at least you’ll have it.
“There is technology available to protect you against cyber risks.”
Williams: “The ability to go back and determine exactly what was happening and what someone was doing, is clearly very valuable. The ability to implement security policies and also measures that will help users in their day-to-day jobs adhere to those policies is even more valuable.”
Philip James Hope: “Organisations must identify the value of business they wish to undertake and the risks associated with that business, before deciding on justified outlay to sufficiently mitigate those risks. Four questions that should drive a security review:
“What is the threat assessment under which the business operates; what is the organisation’s risk appetite; how can risks be mitigated to an acceptable level; and what level of protection do current controls provide and what is the delta?”
THE BUSINESS MAGAZINE – THAMES VALLEY – APRIL 2012
What regulatory risks does the future hold?
James pinpointed proposed changes on the regulatory horizon, which could hit business balance sheets. Draft changes by the European Commission to the European Data Protection Framework could mean company fines for serious data breaches may increase from up to £500,000 to 2% of global turnover. “Although there has been criticism of fines as an effective sanction, in terms of getting attention focused on security, this can be a significant, albeit crude, incentive.”
Another proposed legislative shift is provisions for reporting requirements, not only to regulators but customers as well. “What’s going to hurt organisations most is not necessarily the fines, but having to tell their customers they have had a breach.”
Andrew Peddie
The Roundtable felt the inclusion of more security policy detailing was likely in annual reports and business prospectus documents, in order to counter data breach class-action law suits.
James also highlighted new
that along with the company’s data controller, anyone processing data on behalf of the company may now be liable for prosecution for breaches. This is a paradigm shift in regulatory onus and is likely to have a knock-on effect upon cloud and related data processing supplier business models.
The new regulation is directly applicable, unlike the current 1995 EU Directive, and the ICO’s response to the draft regulation has recommended that it be in force sooner than the conventional two year lead-in, following publication in the official journal, James added.
Pudwell: “I don’t think regulation is going to have as much effect as people think. The only people who get hit by the PCI standard for instance are the mid-sized companies. They don’t stop trading with massive customers over their corporate PCI issues.”
Make sure you don’t buy a Trojan Horse . . .
Steve Smith
Who the cyber attackers are should not actually be the focus for businesses, suggested Eryl Smith. “Where are a company’s vulnerabilities? That’s what matters. Companies will often put a lot of time and resources into protecting themselves and lose sight of what is just the other side of the boundary.”
He flagged up the risks of M&A, for example. “The acquisition can be the back-door vulnerability. Have you put in the due diligence to understand their security capability?”
Peddie: “In other words you may be acquiring a Trojan Horse.”
Eryl Smith: “Once you have got your own house in order, don’t stop there.”
Murray mentioned the irony of tensions being created by companies aiming to be more open and transparent, while being faced with more and more cyber threats.
McKenzie: “It is not just about separate OEMs and SMEs. Supply chains inevitably interconnect everyone, so it is the responsibility of everyone in the chain to make sure that due diligence is being done.”
www.businessmag.co.uk