An introduction to cyber security for board members
Helping to make the UK the safest place to live and work online
The NCSC:
• Understands cyber security and distils this knowledge into practical guidance that we make available to all.
• Responds to cyber security incidents to reduce the harm they cause to organisations and the wider UK.
• Uses industry and academic expertise to nurture the UK's cyber security capability.
• Reduces risks to the UK by securing public and private sector networks.
What is cyber security?
Cyber security: a definition
“Cyber security is how individuals and organisations reduce the risk of cyber attack. Cyber security's core function is to protect the devices we all use (smartphones, laptops, tablets and computers) and the services we access - both online and at work - from theft or damage. It's also about preventing unauthorised access to the vast amounts of personal information we store on these devices, and online.”
Cyber security: myths and reality
1. Cyber security is too complex for me to understand.
2. Cyber attacks are sophisticated. We can’t stop them.
3. Cyber attacks are highly targeted. Our organisation is unlikely to be interesting and/or valuable enough to attackers.
TalkTalk breach: evaluating the cost
101,000: Subscribers left
£60 million: Total loss that quarter
£15 million: Trading impact
£40 - £45 million: ‘Exceptional’ costs
£400,000: Fine from ICO (at that time the largest of its kind)
“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
- Elizabeth Denham, Information Commissioner
Cyber security as a board level responsibility
1. Nearly all organisations depend on digital technology to function.
2. The potential cost of remedying a cyber incident can be significant.
3. The risk of reputational damage.
Cyber security is therefore essential and needs to be understood as an enabler.
What priority do organisations attach to cyber security?
Department of Digital, Culture, Media and Sport’s (DCMS) 2020 Cyber Breaches Survey https://www.gov.uk/government/publications/cyber-security-breaches-survey-2020/cyber-security-breaches-survey-2020
What type of breach or incident was identified?
Department of Digital, Culture, Media and Sport’s (DCMS) 2020 Cyber Breaches Survey https://www.gov.uk/government/publications/cyber-security-breaches-survey-2020/cyber-security-breaches-survey-2020
Do boards have members with a cyber security brief?
Department of Digital, Culture, Media and Sport’s (DCMS) 2020 Cyber Breaches Survey https://www.gov.uk/government/publications/cyber-security-breaches-survey-2020/cyber-security-breaches-survey-2020
Next steps:
The Cyber Security Toolkit for Boards: Helping board members get to grips with cyber security.
Board-toolkit-Introduction-to-cyber-security-for-board-members-briefing-pack.pptx

Editor's Notes

  1. (Note for presenters: text in bold throughout the presentation indicates where the text relates to a specific line on the slide and/or an animation). --- This presentation gives a brief introduction to cyber security for board members who don’t have much background in the topic or who perhaps aren’t sure how much they do know. We’ll explain what cyber security is and dispel some common myths. There’s a brief case study of a well-known cyber incident to help bring the information to life. We also look at some headline figures about how cyber security is being tackled across a range of organisations.
  2. To set the scene, it’s helpful to understand what the National Cyber Security Centre is and what we do. The NCSC was set up in October 2016 bringing together various parts of government. We’re not a regulator but the UK’s technical experts in cyber security. As you’ll see from our logo at the top of the slide, we’re a part of GCHQ. NCSC’s strapline is ‘helping to make the UK the safest place to live and work online’ and this defines everything we do. Our website at www.ncsc.gov.uk is full of information and guidance aimed at audiences from the general public to cyber security professionals.
  3. We recognise that some board members may not feel confident about their knowledge of cyber security. Indeed, the very term 'cyber security' isn't always well understood. So for starters, here are some of the many words associated with the topic.
  4. There are different definitions of cyber security but let’s look at the one from NCSC’s website: (see https://www.ncsc.gov.uk/section/about-ncsc/what-is-cyber-security ) “Cyber security is how individuals and organisations reduce the risk of cyber attack. Cyber security's core function is to protect the devices we all use and the services we access - both online and at work - from theft or damage. It's also about preventing unauthorised access to the vast amounts of personal information we store on these devices, and online”.
  5. There are some common myths about cyber security that we’d like to dispel because these can really hold people back from engaging with the topic. 1. Cyber security is too complex for most people to understand. The reality is that you don't need to be a technical expert to make informed cyber security decisions. After all, we make general security decisions every day without understanding all the details. In our home life, for example, we don’t need to know how a house alarm works to decide whether to put it on when we go out. And boards regularly make financial decisions without needing to know the details of every account or invoice. This principle extends to cyber security: the board should rely on its technical experts to provide the insight it needs to then make informed decisions about managing cyber risk. 2. Cyber attacks are sophisticated: there’s little anyone can do to stop them. In fact, the majority of attacks are still based upon well-known techniques such as phishing emails, many of which can be defended against, so taking a methodical approach to cyber security and enacting relatively small changes can greatly reduce an organisation’s risk. That said, some threats can be very sophisticated, perhaps using advanced methods to break into extremely well defended networks, but we normally only see this level of expertise and tenacity in attacks by nation states. 3. Cyber attacks are highly targeted and people assume that their organisation is unlikely to be of interest to attackers. Actually, the majority of cyber attacks are opportunistic and untargeted, with the perpetrator seeking to take advantage of a vulnerability in a system without being particularly interested in whose system it is. The WannaCry ransomware attacks in May 2017 are a good example of this. They had a huge impact on organisations across the globe, including on parts of the NHS. The attack worked by exploiting a weakness in Microsoft operating systems that needed patching, but not all users had done so, some because they were using systems that were too old. This shows that untargeted attacks can be just as damaging as targeted ones. And it’s worth noting that untargeted attacks are unlikely to stop any time soon because every organisation has some value to an attacker, even if that is simply the money it might pay if faced with a ransomware demand. (Note: There is also this brief video on WannaCry that might help: https://youtu.be/uahiEldI7YA)
  6. That’s some of the background to cyber security. Let’s now look at an example of a real cyber incident and its impact. In October 2015, the TalkTalk data breach hit the headlines across the UK. Attackers exploited a vulnerability in the company’s website that enabled them to access the underlying database. The database held customers’ personal information including names and addresses, emails, dates of birth and phone numbers. Nearly 160,000 customers’ records were accessed in some form and most significantly, about 16,000 customers’ bank account details were stolen. What was the impact of this on TalkTalk: their bottom line and their reputation? It was reported that they lost just over 100,000 subscribers in the quarter after the hack. They also incurred considerable costs in remedying and recovering from the attack – perhaps £60 million. And when the Information Commissioner’s Office later looked into the breach, they levied a record-breaking £400,000 fine. In their official report into the matter, the ICO said "TalkTalk's failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk's systems with ease… Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations”. (see https://www.bbc.co.uk/news/business-37565367)
  7. What is the implication of this for board members? On this matter, the ICO was extremely clear. Announcing the fine, Information Commissioner Elizabeth Denham said: “Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers”.
  8. The TalkTalk example helps illustrate why cyber security is a board-level responsibility. To put it plainly, if your organisation is connected to the internet then it is exposed to cyber risk. And regulations such as GDPR make it clear that cyber security is not the responsibility of an individual but of the whole organisation. This means that the board of directors, as the effective governing body of a company, has collective responsibility for cyber security. Beyond that, there are three inter-related reasons that board members need to take cyber security seriously. 1. Nearly all organisations depend on digital technology to function. It’s worth considering how well your organisation could operate if, for example, it lost access to all the data that's held electronically, or if computers and other networked devices simply couldn't connect to the internet. 2. The potential cost of remedying a cyber incident. There are different facets to this. There is often a cost in terms of lost business but there’s also the financial impact of having to repair and clean up after a cyber incident. This cost varies significantly but in general, the larger the organisation, the larger the bill. And as we’ve seen in the case of TalkTalk, if there has been a data breach then there’s also the risk of a significant fine from the ICO. 3. The risk of reputational damage. It’s worth asking a few questions here such as: Would customers still use you if your services had been offline for a significant period of time? Would they continue to choose you over your competitors if you had had a well-publicised data breach? Would a major incident affect relationships with those in your supply chain? Taken together it’s clear that cyber security is essential and needs to be understood as an enabler, as it enables organisations to function.
In other words, cyber security:
• isn’t something that can be considered ‘just an IT issue’;
• isn’t a ‘nice-to-have’, something that can be indefinitely parked;
• isn’t something that any one board member can assume is being looked at by someone else.
  9. So how are boards across the UK addressing these challenges? Every year the Department of Digital, Culture, Media and Sport (DCMS) runs a detailed survey of organisations’ approaches to cyber security and their experience of cyber incidents. This table from the 2020 report shows the extent to which cyber security is seen as a priority for directors, trustees and other senior managers. Overall, 40% of businesses classed cyber security as a very high priority. As you might expect, there are variations according to the size of business and the sector they are in. Broadly speaking, larger organisations attach more importance to cyber security than smaller ones, and the sectors that attach most importance to it include finance and insurance, and information and communications.
  10. The survey also looked at data breaches. Almost half of businesses (46%) reported a cyber security breach or attack in the last 12 months. (see figure 5.1) It’s also interesting to look at the type of incident reported. This chart shows that by far the most frequent types were fraudulent emails or being directed to fraudulent websites: in other words, phishing attacks. (see figure 5.2) Impersonation of others by email or online is also an issue, particularly for charities.
  11. And what about the board’s role? Overall, nearly 4 in 10 (37%) of companies have board members with a specific cyber security brief, and as many as 70% in finance and insurance. In other words, plenty of boards are already aware of their responsibilities for cyber security. Many already have a coherent strategy in place, with board members clear about how the topic is addressed corporately as well as what their personal role is. But cyber security isn’t being looked at so thoroughly in every organisation. That’s not to say those boards or individual board members are ignoring the issue: it’s more likely that it’s something they simply haven’t prioritised yet, perhaps because they don’t realise how important it is, or perhaps because they aren’t sure quite where to start.
  12. Wherever your organisation is on its cyber security journey, the NCSC’s Cyber Security Toolkit for Boards can help board members get to grips with the topic. It’s available online: just search for ‘NCSC Board Toolkit’. We’ve also got another presentation that introduces the toolkit and how it can be used. The toolkit aims to help board members understand the crucial role of cyber security within their particular organisation and how they can help drive this forward.