KPMG is reporting that cyber security is now firmly on the agenda in boardrooms. Unfortunately management are skimping on training in how to deal with cyber incidents. The details come from a KPMG survey carried out as part of the UK Government’s Cyber Security Health Check. The details of the KPMG survey were not made available to us to see how they relate to the UK Government report.
Paul Taylor, UK head of Cyber Security at KPMG, said: “Cyber-attacks continue to pose a growing threat to business. While cyber security has cemented itself onto the board’s agenda, they often lack the training to deal with incidents. This is hugely important as knowing how to deal confidently with an incident in the heat of the moment can save time and money. The aftermath of a cyber-attack, without the appropriate training in managing the issue, can result in reputational damage, litigation and blunt competitive edge.”
Incident response a critical part of cyber defence
Dealing with a cyber attack is far more complex than just throwing money at support teams to fix the problem. There are complex legal issues to be dealt with. Those are set to get even more complicated as we head towards the implementation of GDPR next year. One area that will have a significant impact on companies is breach notification. The UK Information Commissioner’s Office (ICO) has published a useful guide to breach notification and GDPR.
Beyond legal issues there are other things that the board has to deal with. A key one is reputation management. Any breach is likely to bring the press to an organisation's door. They will want to know the details, who is affected, what you are going to do, and they will speculate on the damage. Failure to engage or communicate effectively can create a disaster. This is a lesson Target, TalkTalk, AOL and several other high-profile companies have failed to grasp.
Many boards believe that this is a role for their corporate communication teams. It is not. When there is a major issue the press and customers expect board members to speak out.
Listed companies also have other issues to deal with. A breach will hit their stock price. That brings shareholders and potential investors into play. GDPR carries the risk of large fines. Investors will want reassurance that the board is on top of the issue and that the impact on the business will be minimal. A poor incident response will cause them to move their investment elsewhere.
A case for incident response training
Over the past two years, companies that provide cyber security training have been expanding their offerings. They now provide incident response training for management and senior executives. This takes the form of a combined exercise where the board is involved in a cyber attack. While the technical team deal with the attack itself, the board, in parallel, are exposed to the issues that they must deal with.
Running both parts of the exercise in parallel allows the board to understand how complex a cyber attack is. It also enables them to fine-tune their response to an attack. This is particularly important when it comes to getting up-to-date information from the IT security team. It allows the board to know exactly what is happening so that, unlike TalkTalk, they don't keep changing their story. The constantly changing story on how many customers were affected, what was stolen and what customers should do dragged the attack out. It is also believed that this is behind the change of CEO earlier this year.
The lack of training for boards is not just about incident response. Among other results from its survey, KPMG is saying:
- 31% of boards receive comprehensive and informative management information on cyber risk. (Increase of 10% from 2016 Health Check).
- 53% of boards receive only some information on cyber risk. (Decrease of 4% from 2016 Health Check).
“Board members need to take collective responsibility for cyber security and consider it in every aspect of the business. If they can do that, then perhaps cyber security will become mainstream and a vital component of doing business in our digital world,” concluded Taylor.
What does this mean?
In short it means that boards are still disconnected from the reality of what a cyber attack means. It is not just cyber attacks that require incident response training. Disaster recovery plans have always had elements of who to inform and how to deal with the press. Cyber attacks are effectively just another disaster.
The problem is that few companies ever updated, reviewed or even practiced their disaster recovery plans. This is despite the disastrous responses from banks such as NatWest (RBS), Barclays and others when their systems have failed. A more recent example of a failure to deal with a disaster response was British Airways.
There are a couple of issues here that need to be addressed. That boards need more training is the obvious one. Auditors also need to ask more questions and provide more information on corporate readiness to deal with a cyber incident. This is also something that non-executive directors should be pressing as part of their role in governance checks and balances. Finally, shareholder groups should be asking for details at AGMs before they approve directors' salaries.
Boards may argue that they do not have the time for more training, especially in an area as complex as cyber incident response. However, without training they are leaving themselves and the business in a position that could lead to the loss of the company.
Things are improving at the board level when it comes to cyber security. However, unless fundamentals such as incident response are dealt with properly, everything else is just papering over the cracks.