Cyber resilience is everybody’s business (even Billy Idol!)

03 November 2020
  • A follow on from our Cyber Resilience webinar in September. 

    Even Billy Idol was talking about cyber back in ’93 (see his ‘Cyberpunk’ album). I’m not a fan by the way, but facts like these are only a quick Google search away.

    According to Wikipedia, the album was a critical and financial failure. And strangely, these are the exact kinds of failures that can result from weak organisational cyber resilience.

    Cyber resilience is really important. That is one of the key messages that came out of our webinar on cyber resilience at the end of September. And we will reinforce that message when we publish our national report on cyber resilience (focusing on Board level oversight of cyber), which we hope will be out in December or January.

    I was happy to play a small role as part of the webinar panel, which also included colleagues from Audit Wales, alongside experts in their field from Welsh Government, the National Cyber Security Centre (NCSC), the NHS and other smaller Welsh public sector organisations. 

    The panel considered the emerging findings from our survey of Board members and Heads of ITs (or equivalent) at around 70 bodies. The session seemed to go well, and I hope that those that attended felt the same. 

    The panel were insightful and helped to add useful context to some of the stats and feedback we collected, saying things which others can take away and put to good use in their own organisations. Nuggets included:

    • Create a culture where users feel they can report anything suspicious. Accept that all organisations are vulnerable, no matter how much money is invested in cyber defences.
    • If in doubt, report issues to the NCSC.
    • Try ‘Red Teaming’ [opens in new window] your cyber resilience. It’s the kind of thing that makes the Board sit up and take notice. 
    • Board members don’t need to be technical experts.
    • Cyber is a corporate risk, treat it as such, alongside all the other risks which Boards and Audit Committees review. It should also be a standing item on Board agendas.
    • Basic cyber hygiene will go a long way to beating most cyber-attacks. Get the basic things covered well and you will make it very difficult for most of the bad people out there.
    • It’s not just about splashing cash on a bit of kit to manage cyber risks. In fact, having a big budget can lull you into a false sense of security. Other things like appropriate people, culture and governance need to go alongside it. Getting cyber security done well is never about some magic defensive protection.
    • What should Boards do as a starter? Cyber can be a confusing world where it’s difficult to find consistent reliable guidance. Start with the NCSC’s toolkit for Boards [opens in new window]

    We also touched upon the theme of COVID-19, and the associated cyber risks. The kind of people who attack systems are well aware that COVID-19 has put most organisations under extraordinary pressure, so they will use stealth and try and break into systems using COVID-19 as a distraction. 60% of respondents to our survey have changed their approach to cyber resilience because of the pandemic, and we’ve been given around 30 examples of what they’ve done. These include refreshing policies, increasing communications with staff, increasing training and awareness, investing in a security incident event management system, and implementing secure ways of working for remote staff.

    Normally these blogs wrap up by referring back to what was said in the first couple of paragraphs alongside another cheesy joke, but I’ll try not to do that. Plus, I can’t think of any linkages to white weddings or wanting more, more, more.

    Keep an eye out for our report!