General Counsel & Senior In-House Lawyers Roundtable: Cyber security – best practice in the real world
Following our cyber security roundtable discussion in February, here, we look at the key themes that emerged from a very insightful conversation
Date: 28 February 2019
Location: Duck & Waffle, London
- Charles Antelme – Managing Partner, Skarbek Associates
- Jano Bermudes – Director, Global Legal Technology Solutions, Ankura Consulting Group
- Simon Colvin – Partner, Weightmans
- Chris Crowther – Chief Information Officer, KCS Group Europe
- Edward Lewis – Partner, Weightmans
As well as delegates from Lawyers in Local Government, London Borough of Hackney, Metropolitan Police, NEC Group and the Royal Borough of Kingston Upon Thames.
- Cyber attacks have grown in sophistication and become more targeted in the past five years
- Organised crime syndicates see cyber attacks as a key revenue generator
- Simple security measures like good password discipline and multi-factor authentication can make a big difference
- Fostering a culture of awareness right across organisations is key
- Senior executives must lead by example and put robust governance in place
- Technology is a transformative enabler, but organisations must manage the associated threats
Cyber security breaches have become an everyday event. Week in, week out the media publishes stories of organisations being disrupted or held to ransom by hackers and of sensitive customer data being leaked.
For organisations of all sizes today, it is a question of not if but when they will suffer a significant data breach.
The consequences of such breaches vary widely, from a minor inconvenience to serious financial or reputational damage that can jeopardise the viability of a business.
As part of a series of General Counsel and Senior In-House Lawyer events, we held a roundtable, under Chatham House rules, to discuss the threats and best practice for mitigating them which brought together our CyXcel* experts including forensic analysts, legal experts, law enforcement and senior cyber security experts.
The aim was to look at cybercrime through the lens of business owners and financial stakeholders and to ask how the threat can be managed.
Here we will relay the key themes that emerged from what was a very insightful discussion.
An increasingly sophisticated threat
The level of professionalism and technological sophistication of hackers has developed rapidly in recent years.
Only five years ago, cyber attacks tended to belong to two broad categories – high-end, often state-backed operations and unsophisticated attacks by low-level scammers or brazen bedroom hackers.
Today, however, cyber crime is used to generate funds by organised criminal syndicates. This has seen a move away from the data breaches for their own sake, towards direct attempts to monetise the activity through highly targeted and efficient breaches.
These intruders carry out reconnaissance to extract the most value and they have developed advanced malware that can spread rapidly and silently throughout an organisation.
So what can organisations do to become more resilient against this increasing threat?
Processes and culture
A large proportion of attacks could be prevented simply by making it harder for intruders to gain access to user accounts.
Most cyber attacks are carried out through email servers or platforms such as Microsoft 365, so multi-factor login authentication – where users need not only a password but also a secondary verification method – can have a big impact.
Fostering awareness of the threat and training individuals on best practice is also key. Just as with health and safety compliance, basic cyber security and the requirements of the General Data Protection Regulation (GDPR) mean every individual in the business should be trained and familiar with the basic operating procedures.
This awareness will bring practical benefits too, as users will be more understanding of enhanced security measures.
Of course, implementing this culture throughout a business requires leadership and this must be driven by its most senior people, with the right governance structures in place to implement it all levels.
It is also at this senior level where there is the need for organisations not just to be aware of threats, but also to contextualise their threat intelligence – i.e. what do threats actually mean for them. It is too easy to drive yourself mad with paranoia and a feeling of helplessness. Contextualisation brings clearer perspectives on the risk for coming to harm and thus in turn the measures that can be taken to move out of harm’s way.
Harnessing the benefits of cyber
Digital technology is a vital enabler in a vast array of different ways, opening new markets and delivering another level of efficiency and collaboration.
However, in order to harness these benefits, it’s vital for organisations to be aware of and to manage the new risks that reliance on digital systems has created.
We would like to take this opportunity to thank all of those who attended the event for their invaluable contributions. For further information regarding the programme of events for our General Counsel and Senior In-House Lawyers, please contact Simon Colvin.
*CyXcel is a 360-degree approach to information security, data protection and privacy, with an emphasis on cyber resilience, incident planning and response.