Adam McElroy, Deloitte UK Lead for Identity & Access in Financial Services, spoke to NEDs at the recent Channel Islands NEDs Forum. His session introduced the audience to the cyber landscape, advised NEDs on personal cyber security consequences and armed attendees with critical information to take into their boardrooms.
He highlighted eight risk themes that have affected organisations over the past 12 months, sharing a global overview, personal experiences and learnings.
He underscored the fast-moving nature and impact that cyber issues can have on share price and long-term reputation – citing recent examples of what will happen when transparency and consent in the use of data go wrong.
Increasing threat
Current cyber security themes include catastrophic technology and data loss, which sees cyber criminals and nation states aiming to destroy data rather than simply steal it.
Responding to the increased threat, and reflecting on the criminal nature of these issues, additional assistance on cyber security matters is now coming from law enforcement and government agencies. These include the National Cyber Security Centre, which has grown out of GCHQ, as well as additional support from specialists in the larger police forces.
"These new agencies mean we have a range of guidance available, cyber hygiene principles, and, in the case of the Information Commissioner's Office, we have both a regulator and a constructive source of advice," said McElroy.
Added vulnerability
He went on to talk about the ubiquity of smart devices and constantly connected enterprise, which makes us all more reliant on technology and arguably more vulnerable.
"We use our phone to do everything from managing our bank balance and heating our home, to booking a flight ticket – this brings opportunities but also risk," he said.
Obfuscation and the use of technology for the avoidance of controls is another theme that has started to emerge. Recent examples include automotive manufacture and transportation services which are alleged to have evaded regulatory and legal scrutiny.
Inside job
McElroy warned the audience that the cyber threats they face do not always come from the outside. "There is an increasing trend for individuals to compromise the integrity of their organisations. This might be direct and deliberate actions by activists. However, often internal cyber issues come from errors made by staff who make a genuine mistake or need more support or training for their role.
"Eighty per cent of insider cyber threat is not malicious; continual investment in training and digital skills for staff should be highlighted at board level," he said.
Legal framework
The ethical and legal ramifications of ransomware attacks, combined with the regulatory framework within which the business is operating, are complex issues of which NEDs must be cognisant.
"If you are an officer of a company or a NED, you may need to debate the question of paying a ransom. But what about anti-terrorism or anti-money laundering regulations? How might you pay in cryptocurrency? Should you even consider paying a ransom and where can you get legal advice? These are questions that NEDs might need to answer and must to be equipped to consider, now and in the future.
"Boards should expect a growing level of scrutiny from regulatory authorities and other stakeholder groups in how they deal with cyber risk," said McElroy.
Individual action
At an individual level, NEDs also need to consider their personal cyber security measures, where they go for advice and how they can stay up to date with the fast-paced cyber environment.
McElroy concluded: "There are many resources available to NEDs and executives and, in summary, we believe the best form of defence is defence."
• An executive briefing on these and other current cyber risks can be downloaded here