On Tuesday 7th May, Claire Davidson, Partner at DRD Partnership, spoke on the panel of a Cyber security event hosted by Pinsent Masons LLP. It was the first in a series of cyber security events organised by the British Swiss Chamber of Commerce (BSCC) and was sponsored by Cyber Capital HQ (CCHQ) and IBM.
It is estimated that cyber-crime will cost $8 trillion to businesses over the next five years but by having a prepared response and recovery plan in place, businesses can ensure a level of resilience is built in. The way in which a business responds to a cyber attack is vitally important for its reputation so preparedness is key.
Guest speakers included Jean Lehmann, CEO, CCHQ, Jim Alvilhiera, Cybersecurity Workforce Development, IBM and Seaton Gordon, Senior Associate, Pinsent Masons LLP. The speakers touched on various cyber challenges facing businesses including the role of people and technology, insurance, preparedness and actions to take following an attack.
The discussion was opened with a statistic on the level of cyber attacks in 2018. He said that whilst 32% of companies had identified a cyber attack, insurers Hiscox estimate that the number of businesses which fell victim to a cyber attack in 2018 was closer to 50%.
One of the sponsors focused on the role of people in business and explained that employees are the weakest, most vulnerable asset with 91% of cyber attacks starting with emails. He went on to say that on average, it takes a company over 200 days to identify that a breach has taken place whereas a sophisticated hacker can begin using breached data within just 90 minutes to 2 hours.
Claire Davidson highlighted the need for businesses to be prepared for a cyber attack with a clear and practiced initial response plan. She told the delegates that whilst steps can and should be taken to lessen the likelihood of an attack in the first instance, when it does happen, the way in which a company handles a breach is absolutely key for its reputation. She highlighted the need for transparency, speed and tone in both external and internal messaging. As part of the plan, Claire said that a business should designate several people to lead at different stages of the initial process to ensure clear and consistent messaging.
The panel pointed out that whilst organisations may have water-tight security in place in their offices, weaknesses often occur when staff work from home, or use computers while travelling. Some of the worst breaches, for example, can take place at weekends or outside regular office hours.
The group discussed the legal requirements on companies if they suspect they have been targeted in a cyber attack. For example, a company must inform the Information Commissioners Office (ICO), the independent regulator, of a serious breach within 72 hours.
Claire reminded the audience that a company only has 72 hours to determine if an attack is serious and should be reported and, in that time, a decision also needs to be taken about when employees, clients or customers should be informed. Within this short timescale, while getting to the bottom of the breach and working with insurers, the company will also undoubtedly need to be in deep conversation with its lawyers, PR firm, HR and forensic IT specialist – hence the need to have a thorough pre-rehearsed plan in place. Claire also said that she would like to see more Non-Executive Directors (NEDs) taking a greater role in driving home the need for preparedness, prevention and planning at Board level – addressing the situation as it arises in ‘real-time’ is high risk and costly in term of resource, reputation and share price. It is particularly important today as NEDs frequently influence planning and strategy as appointees to audit and risk committees.
In response to a question about prevention, one of the panellists said that it was impossible to get ahead of hackers, because it would always be a game of catch up but he highlighted the importance of investment, in both people and technology. As well as having the right cyber protections in place, and the right people employed, he stressed the importance of having the right protocols and plans in place for when they fail. He told the audience that ongoing investment and preparation in people and technology were vitally important in ensuring that businesses have a level of resilience built in. The panel agreed that the most important step businesses can take is to have a clear and practiced plan which allows them to respond in a in a fast, positive and transparent manner.