During the second episode of Going Global, a webinar series brought to you by moneycorp bank, we had the pleasure of talking to our esteemed guest, former Director General of the Foreign and Commonwealth Office, Martin Clements. Martin spoke candidly with moneycorp’s Andrew Harrison, Head of Group Risk and Compliance, diving into the world of cyber risks: past, present and future.
The true threat to ordinary businesses
The sheer volume of information and opinion available on cyber risk can be a hindrance in itself. It’s confusing, overwhelming and often misleading. So what is the actual threat to ordinary businesses once you cut through the noise? And how is that threat likely to evolve?
‘There’s always something to be terrified of,’ says Clements, ‘and in a certain sense, you should be.’ The infamous SolarWinds cyber assault of last year, which saw malicious code injected into a software update that was then installed on about 18,000 customers’ systems, was the work of a nation-state adversary. The full extent is still unknown, but the breach exemplified how cyber attacks can devastate both commercial and governmental organisations. ‘It’s a really shocking story…but [it’s] a little bit misleading,’ advises Clements. ‘Nation states do matter, but I don’t think they’re [a] major threat to businesses…at least not directly,’ unless, he clarifies, a business is ‘involved in some sort of high-end negotiation with an unscrupulous and highly competent nation state when it comes to offensive cyber operations. And frankly, that’s pretty rare.’
So while nation-state hackers may make headlines that leave a wake of paranoia, they’re not the true threat to ordinary businesses. That is not because the threat isn’t there, but because there is so little an ordinary business can do about it. ‘You have to pay attention to it and think about how to mitigate those risks,’ but the truth, he explains, is that the main concern for businesses is the volume and variety of techniques that cyber criminals are using, rather than any one thing in particular. For now, he identifies ransomware (‘it encrypts your hard disk drives, making your data unavailable to you’) and CEO fraud (‘the clever confluence of cyber techniques and traditional fraud’), the latter of which, he says, ‘actually causes the greatest losses.’
Responding to cyber threats
It’s one thing to know to expect a cyber threat to your business, but quite another to know how to respond. What should be front and centre of leaders’ minds in the current landscape, in terms of how to handle a threat?
‘If I was going to have one…message,’ Clements says, ‘it’s this: get the basics right. Teach staff not to click on the wrong link, have the right basic technical security in place, and patch your software in a timely manner. This deals with a lot of the problem.’ As it transpires, however, Clements has much more than one tip for leaders and CEOs on responding to cyber threats, which he ties up neatly into a series of questions to be posed as a sort of preparatory checklist: Do you understand the threat? Do you have the right team in place to manage it? Have you hired new roles such as Chief of Information or a Security Officer? Have you got sensible defences in place? These defences, he specifies, must crucially cover ‘people, process and technology. It’s never, never, never just about technology.’ Do you check those defences? Do you probe, do you stand outside your organisation? Do you pay somebody to do that? ‘You will have got something wrong. Find it before the bad actors do.’ Then onto culture – Have you set the right culture, one in which people care about information security, about cyber risk, about not having the business disrupted by something avoidable? Clements has an idea, he reveals. ‘[Y]ou have two chances with cyber…[T]he first one is not to get hit in the first place, but the second chance, if you do get hit, is then to manage it in such a way that people say, “well, my goodness, that could have been us…[T]hey handled that well; they must be a professional organisation!”…I think everyone deserves a second chance.’
As with most things in business, it all boils down to leadership. When leaders set a good example, which in this context might mean looking after their phone and email properly, or keeping continuously up to date with online training, it has a trickle-down effect that could make or break the business in the face of a serious cyber incident. ‘[A] rounded leader in 2020/2021 is going to be someone who personally cares about technology and how it works,’ decides Clements. ‘Go and learn something...learn coding…go and do something yourself...[A]nyone I know who has ever done that has found it hugely beneficial, and of course, then they’ll talk about it and others will get the message, too.’
What lies ahead
Clements’ rationalisation of the present threats that ordinary businesses face is a welcome voice of reason amidst the panic, but what changes can we prepare for going forward? What are the predictions for cyber security in 2021? How can we keep cyber risk under control? ‘I think businesses are going to respond with a lot more outsourcing of technology and the complexity of defending it,’ predicts Clements. ‘At the moment, that will be into public cloud offerings, and I’m sure that’s the right thing to do. We’ll almost certainly find ourselves accepting more and more that there’s no perfect defence, and that will see cyber security as something of a tax on digitisation, from which, of course, we get so much more advantage than we ever have to spend on our defences.’ He also anticipates that over time we’ll become more proactive, and that cyber attacks themselves will become something to be expected, and therefore prepared for, allowing us also to get better on a collective level at ‘defend[ing] the common interest.’
The last year has seen unprecedented challenges for organisations across the board on a global scale, and one of the necessary responses has been the unified shift to remote work, on which Clements offers some forecasts: ‘I think we'll see some evolution in criminal techniques to attack people when they're working from home…There's a lot of talk about it, and existing techniques have been used, but I suspect we'll see some new techniques, along with things like infiltrations of remote meetings, webinars, like this one.’ On that note, he returns to the topic of ransomware, predicting a ‘big clash over the payment of ransoms.’ He explains that ransomware saw a sevenfold increase in activity between 2019 and 2020 because ‘clearly someone is paying [them].’ On another note, Clements speculates that ‘there’s going to be a bit of a machine learning war between the criminals who use machine learning to develop, from their perspective, better cyber tools, and cyber security organisations that will use machine learning to come up with better defences.’
It’s been a long time since we’ve had a large-scale, global cyber attack of the Petya or WannaCry ilk, which could mean the next one is impending. Clements draws a shrewd comparison between this and the Covid-19 pandemic, which, he posits, we knew was coming yet handled poorly. ‘It’s been on the UK National Risk Register for years,’ he says, but we still weren’t prepared. Much like a pandemic, a global cyber security breach will split organisations into two camps: those who had been getting the basic defences right, and those who hadn’t. ‘What [the last large-scale, global cyber attack] turned into was what you might call a stain test of business cyber defence,’ deduces Clements. ‘If this happens again, I predict it probably will be something escaping from government circles…So look, everybody, if you remember one thing, keep up that patching, because you don't want to get caught up by Martin Clements’ 2021 prediction turning out to be true.’