The Business Magazine and Complete IT hosted this roundtable discussion at the Royal Berkshire Conference Centre at Reading’s Madejski Stadium.
Journalist Tim Wickham reports the highlights.
Colin Blumenthal began by outlining the main topics for the wide-ranging discussion on security, prevention, recovery, approaches to cloud services and, inevitably, GDPR.
What pro-active measures do you take to minimise the risk of a cyber attack?
Clearswift’s services focus on email and web security, as well as data loss prevention. Dr Guy Bunker, senior vice president products and marketing, said: “The first thing to remember is that it’s not just about technology, it’s also about people and process. Technology should be seen as the enforcement of process, the back-up for keeping people and data safe – and that includes your staff and customers. You can throw money at IT, but unless you understand what you are trying to protect then there won’t be any upside to your risk measures.”
Amanda Melton, a partner at solicitors IBB, agreed that cyber security has to be considered a people issue. “It’s about training your staff and making sure your managers know about cyber security. You have to spread the message and make sure everyone in the business understands their personal responsibilities for protecting data.”
The people dimension includes a focus on awareness and company culture, thought Will Richmond-Coggan, partner at Pitmans Law. “If you have a cyber attack you don’t want employees clicking on a suspect link or downloading something nasty. And you don’t want them keeping quiet if they do for fear of being disciplined. There is usually a critical moment in a cyber attack when things can be pulled back, but only if the right people further up the chain are told quickly enough so they can take action.”
You always need to be prepared for the worst, advised Gavin Davis, director at accountants BDO, who heads up its IT consultancy and offers advice and guidance to mid-market organisations. “On a daily basis, companies don’t think they are going to be the target of a malware attack or a data breach. If you are unprepared, when it hits, it hits bad. Organisations should always be aware that it could happen to them.”
Orion goes one step further by accepting that an attack is going to happen. Sales and operations director Paul Ridley, who oversees his company’s GDPR compliance, commented: “We are wary of every email that comes in. You have to get smart, for example, with fake emails that appear to have been sent from someone else in the business.”
Matt Riley commented that there are two types of companies, those that have been hacked and those that are going to be.
Chris Tate is business development director at Datto, which provides SMEs with business continuity, back-up and networking solutions. He said: “User training and education is a key point. There is a host of companies offering training on cyber attacks, phishing and fake email attacks. Until users are better aware the problem isn’t going away.”
Bunker noted: “The majority of incidents are due to mistakes by people, not outside attacks. For example, sending data to the wrong person in your organisation, or malicious action by a disgruntled employee.”
Tate added: “Auto-filling emails and ‘reply to all’ can be a problem. It’s an ongoing battle between usability and security.”
Blumenthal summed up the panel’s thoughts by saying there was no silver bullet to solve the threat. “Every business should have best-of-breed products for anti-virus, anti-malware, firewall and patch management – on all devices, not just servers. Humans are often the weakest link, so training is important.”
Data security wasn’t an issue a few years ago. Is there recognition that today it’s a board-level concern that affects the bottom line?
Companies need to recognise that data is a business asset, said Richmond-Coggan. “There has been a generational and technological shift in how we exploit data. There is a growing understanding that it is a core asset that needs to be protected.”
Davis: “GDPR is raising awareness of company data and helping boards to focus on security. The ones taking it seriously aren’t just pushing the issue on to their IT department.”
Riley, general manager at Complete IT, noted: “Stricter laws, with criminal liability at board level will help.”
Bunker pointed to action being taken in other countries: “The US, Japan and Australia already have similar types of legislation to protect citizens and business customers.”
SMEs shouldn’t bury their heads in the sand, observed Blumenthal. “The Government’s Cyber Essentials accreditation scheme was launched in 2014 to help SMEs protect against online threats. It’s a straightforward way to self-certify at a basic level.”
Riley: “If you put the right steps in place, then even if there is a breach, the Government is more likely to issue a fine that is proportionate based on the actions you took to prevent it.”
Richmond-Coggan: “When breaches do happen, if companies can show they realised something was wrong, have fixed the problem, and can show how they will be better in future they will probably be fined less. The big, high-profile fines will probably be where mistakes haven’t been fixed.”
Bunker: “I think we are likely to see a number of test cases to establish the basis for fines.”
What measures should businesses take if data is lost through a security breach?
The general view was: don’t make assumptions that your data will be safe – and don’t pay ransoms.
Davis: “Never pay a ransom – how do you know you’ll get your data back? Make sure you do back-ups, preferably to a shared drive. Test your back-ups regularly, so you know you can restore all your data.”
Businesses need to consider the speed and time it will take to recover backed-up data, said Blumenthal: “I think the majority of SMEs haven’t thought about it – or tested their responses. It could take days – or weeks – to get it back.”
Bunker: “Businesses might have thought about disaster recovery and business continuity, but they need a plan that will work. A plan doesn’t need to be massive but it should be tested regularly.”
Cyber risk insurance is another aspect to consider, added Richmond-Coggan: “Does your disaster recovery plan adhere to what your insurer expects of you?”
Ridley: “Testing your back-up should be a real, live test. Turn off the server and see what happens. Can you carry on running your business?”
Richmond-Coggan agreed: “That will help flush out problems, for example, are all the essential contacts and phone numbers you need to run your recovery plan only kept on your computers, or do you have hard copies?”
Tate: “A challenge for SMEs is educating rather than scaremongering. You have to convince companies that they need plans and policies in place, even if they don’t think they do.”
Blumenthal: “Companies are beginning to realise they need to make the investment to protect their data.”
One approach is getting businesses to understand that not every process is a number one priority in terms of business continuity, said Bunker: “If it took several days for HR to sort out paying salaries that might not be a huge problem. But not being able to access customer orders could be far more serious. Business-critical data should be available on an instant recovery basis, while lower priority data could be backed up on tape, which is a relatively cheaper option, but takes longer to access.”
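The advice above (test your back-ups for real, and know which data must come back first) can be turned into a repeatable check. The script below is an added illustration, not code from the roundtable or from any panellist’s company: it records a SHA-256 manifest of a file tree at backup time, then verifies a restored copy against it and reports which recovery tier is worst affected. The tier names and the sample files are constructed for the demo.

```python
"""Restore-test harness: proves a backup can actually be restored.

Added illustration for the "test your back-ups" advice; not code from the
roundtable or any panellist's company. It assumes a simple file-tree backup
with a SHA-256 manifest captured at backup time. All sample data is constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Hypothetical recovery tiers, following the "instant recovery vs. tape" point:
# a restore failure in tier 1 (customer orders) is business-stopping.
TIERS = {"orders": 1, "finance": 2, "hr": 3}


def sha256_of(path: Path) -> str:
    """Digest a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record relative path -> digest for every file under root (taken at backup time)."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest.

    Returns missing / corrupted / ok lists plus the most critical tier touched
    by a failure, so the outcome can be judged against recovery priorities.
    """
    result = {"missing": [], "corrupted": [], "ok": [], "worst_tier": None}
    for rel, expected in manifest.items():
        target = restored / rel
        if not target.is_file():
            result["missing"].append(rel)          # never came back from backup
        elif sha256_of(target) != expected:
            result["corrupted"].append(rel)        # restored, but not byte-for-byte
        else:
            result["ok"].append(rel)
    failed = result["missing"] + result["corrupted"]
    tiers = [TIERS.get(rel.split("/", 1)[0], 99) for rel in failed]
    result["worst_tier"] = min(tiers) if tiers else None
    return result


def run_demo() -> dict:
    """Constructed scenario: back up a tree, damage the restored copy, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        files = {  # constructed sample data
            "orders/2024-q1.csv": b"order_id,customer,total\n1001,ACME,250.00\n",
            "finance/ledger.csv": b"date,account,amount\n2024-01-05,sales,250.00\n",
            "hr/payroll.csv": b"employee,net_pay\nE1,2100.00\n",
        }
        for rel, data in files.items():
            p = live / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        manifest = build_manifest(live)

        restored = Path(tmp) / "restored"
        shutil.copytree(live, restored)
        # Simulate the failures a live restore test is meant to flush out.
        (restored / "orders/2024-q1.csv").unlink()           # file never restored
        (restored / "finance/ledger.csv").write_bytes(b"")    # truncated on restore
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    r = run_demo()
    print(f"ok={len(r['ok'])} missing={r['missing']} "
          f"corrupted={r['corrupted']} worst_tier={r['worst_tier']}")
```

In practice the manifest would be written alongside the backup and the verification run against a restore onto separate hardware, as Ridley describes; a non-empty missing or corrupted list in tier 1 is the result a tabletop exercise would never surface.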
Does migration to cloud and cloud services change your views on what you need to do to protect and recover data?
Panelists agreed that not all cloud services provide adequate security and back-up. And businesses should be concerned if they are unclear what data ends up in the cloud, especially if it contains customer information.
Riley: “Don’t assume if it’s in the cloud it is being backed up – that’s not necessarily so. The definition of a cloud service is difficult to pin down. It could be someone with a server in a shed in their back garden. The definition needs to be better defined so companies know what they are buying.”
Bunker: “You can have ‘shadow’ IT running in the cloud that your IT department doesn’t know about, for example, sharing information via services like Dropbox. The challenge for companies is knowing where their data is, otherwise they can’t protect it. The IT department needs to be able to certify and audit cloud services to ensure they provide the same, or better, security as their in-house data storage.”
“It’s also about understanding control and the geographic location of the cloud host,” added Richmond-Coggan. “Different countries have different regulatory regimes, so global businesses should be wary about putting data with cloud providers where security is less strong.”
Tate: “The popular entry-level cloud services make it very clear in their terms and conditions that they are not responsible for backing up your data. You should always keep a copy of your data ‘off cloud’. I don’t think that is fully understood, especially by smaller businesses.”
The cost of cloud can put companies off, but it shouldn’t, said Bunker. “Reading the small print can scare people, particularly the potential cost of cloud services. Going to the cloud with high security and high availability that is as good as what you have in-house isn’t necessarily going to be cheaper, but could be the better option. The cloud is a bit of a bandwagon that companies are jumping on, and you should ask questions about the provider before making a choice.”
Improving understanding of the cloud is the way forward, noted Melton: “That brings us back round to training. In the past, we always relied on our IT team to do the right thing. Things have changed dramatically, with everyone using technology. So we all need to understand the terminology.”
Avoiding getting too technical is important, added Bunker: “Trying to explain the cloud to some executives can be a hiding to nothing. It’s better to talk to businesses about risk and consequences – the practical impacts – and avoid technical terms.”
The discussion on the benefits of the cloud also covered control and how long you store data. Blumenthal said: “Businesses need to understand that if they move to a cloud they could lose control of their services. If you run your email, you know how to sort it. But if it is in the cloud and it goes down, you won’t necessarily know why, or when it will be back up.”
Davis: “Bear in mind that some concerns about cloud are coming from internal IT people who might be more concerned about their jobs. It’s natural that there could be some resistance to the cloud.”
Bunker: “When you no longer need the data, for example, after a marketing campaign has finished, you need to know what happens to the data and how you can retrieve and/or delete it from the cloud. There’s confusion around cloud security – it’s a grey area for businesses.”
If you breach GDPR rules, what should you do?
The issue will be critically important after GDPR comes into force on May 25. “It will be mandatory to give breach notification within 72 hours,” said Richmond-Coggan. “You have to do this even if the breach is unlikely to harm data subjects. You don’t want to still be developing your strategy when a breach occurs – you need to have a tried and tested response plan, so you can show to the Information Commissioner’s Office (ICO) what effect the breach had, and demonstrate that staff have been adequately trained.”
More breaches are likely to be highlighted as companies become more switched on to the GDPR definition of a notifiable breach. “We could see the ICO becoming concerned if they don’t receive notifications from companies as that might imply they aren’t monitoring and reporting properly. Businesses should set up an internal system to triage breaches – work out how serious it is, and what you need to do,” added Richmond-Coggan.
Bunker: “A breach is one side of GDPR – you can also be fined for non-compliance. Focusing only on an attack and data loss could be a false economy; you also have to think about other things that might affect you, for example a customer’s ‘right to be forgotten’, which could be a costly process to complete. There’s a risk of the ‘weaponisation’ of GDPR with multiple ‘right to be forgotten’ requests being made maliciously that could force an organisation to grind to a halt. It’s something the ICO needs to consider.”
What are the essential items in a GDPR plan?
Bunker: “Have a team in place to deal with breaches, with a clear set of rules to follow, and know how far up the organisation you escalate the action. If a breach affects millions of customers then you’re talking CEO level involvement. Using e-forensics is helpful, especially if ransomware goes into hibernation on your systems, which makes it harder to detect and deal with.”
Riley: “Seeing what has happened in a data breach isn’t easy without an e-forensic tool. You might have to contact a wider audience than has been affected, which could attract negative attention, so you have to know how to deal with the situation.”
Richmond-Coggan: “If you have cyber risk insurance you will probably have to be able to provide a costed solution showing what action you will take to make things right. It’s not necessarily all negative – being GDPR compliant can have business benefits as it shows you have processes in place to protect data and that could be a competitive advantage.”
Bunker: “You need to think what data is contained in printed reports. You need to be able to track these as well. GDPR makes you think about what information sits in your business, for example, is it with suppliers and can customers access it if they ask to? We are seeing clients using e-forensics even though no incident has occurred, rather than waiting, so they can act immediately if an incident happens.”
Melton: “You need to look at your business culture and change attitudes, so data protection is a priority.”
Davis: “A plan needs to be achievable. It’s easy to put together a document that meets GDPR requirements, but can you deliver on it? Will key people be available and contactable? Have you tested the breach process?”
How far do you think the businesses you interact with are on the road to GDPR awareness and compliance?
Bunker said most weren’t near being compliant. Riley and Melton thought partial progress had been made with some, but not all. Richmond-Coggan said some clients were ahead of the curve, but awareness with SMEs was still very low. He was worried that uncertainty had become an excuse to do nothing about it.
A final observation was that some companies are comparing GDPR with the year 2000 millennium bug, except that this time there are real consequences that have so far been under-estimated. Richmond-Coggan closed the roundtable with the observation: “Everyone had heard of the millennium bug, took it too seriously, and not much happened. With GDPR, not enough businesses have heard of it, and those that have aren’t doing enough about it when they could face fines and a loss of customer trust.”
Will Richmond-Coggan: Partner, Pitmans Law
Dr Guy Bunker: SVP products and marketing, Clearswift
Gavin Davis: Director, BDO
Amanda Melton: Partner, IBB Solicitors
Chris Tate: Business development director, Datto
Paul Ridley: Sales and operations director, Orion Electrotech
Matt Riley: General manager, Complete IT
Peter Laurie: Head of client relations, The Business Magazine
Colin Blumenthal: Managing director, Complete IT, chaired the discussion