Cybersecurity: key considerations for businesses - Guides - Gateley
Guide

Cybersecurity: key considerations for businesses

Gateley Legal

Article by

In this episode, Dennis Murphy, a cybersecurity expert here at Gateley outlines some of the key cyber threats which businesses face and the specific steps they can take to protect themselves.

In this episode:

  • An explanation to the surge in cyberattacks in response to the coronavirus pandemic.
  • A round-up of the main cyber threats businesses currently face.
  • Key considerations for businesses, as the UK moves forward into the later stages of lockdown.
  • An outline of steps businesses can take to mitigate cyber threats.
  • The potential consequences businesses, who do not consider cyber threat as a priority, face.

Subscribe to the podcast series

This episode is part of our straight talking business success podcast series. Learn more about the series and what we cover. This podcast is available on iTunes, Spotify and Soundcloud.

Read the transcript:

Host: Welcome to Straight talking business success, your guide to growing and developing your business.

Host: Hello. Today, I'm joined remotely by Dennis Murphy, a cybersecurity expert here at Gateley. We've seen a lot in the press recently about spikes in phishing attacks, mail spams and ransomware attacks. It seems attackers are using COVID-19 as an opportunity to take advantage and impersonate brands.

Today with Dennis's help, we're going to be looking in more detail at the threats faced by business and some of the specific steps that they can take to protect themselves.

So thank you for joining us, Dennis. To begin with, can you tell us a little bit more about yourself and give some background on what it is that you do?

Dennis Murphy: Sure. Good morning. Thank you very much for having me. As mentioned, my name is Dennis Murphy and I joined Gateley as a threat consultant in January of this year. By way of background, I spent 27 plus years within the Five Eyes intelligence community. I left the government at the end of 2019, retiring as a senior director.

Dennis Murphy: I guess if I had to kind of categorize my career within the intelligence services, it was mostly on the national security side., so having run a very large and complex national security related apparatus mostly around the counter terrorism, counter intelligence, counter-proliferation side, but coming from the crypto logic intelligence community, really the basis of everything that we did was cyber. All of our activities were cyber based, whether it was on the defensive or the offensive side.

Dennis Murphy: I come from the poacher side of the organisation versus the gamekeeper, so I spent many, many years trying to access information on behalf of Government of Canada or broader Five Eyes intelligence requirements. So, my experience comes more from the attacker side, which is helpful, but I've also worked very closely with the defensive side over the years as well.

So in the last several months I've been helping both Gateley and others with respect to better understanding the threats that are out there, but more importantly from a very strategic view, what organisations need to do to be able to mitigate these threats going forward.

Host: Excellent. Okay, Dennis, so could you give us a roundup of what the key cyber threat facing businesses at the moment?

Dennis Murphy: Sure. I think as you mentioned earlier was definitely on point. I think probably the lion's share of what is being seen internationally as it relates to cyber threats or cyberattacks are in and around COVID. You have very, very advanced and malicious actors who are taking full advantage of, more often than not, human frailty and fear.

Dennis Murphy: So COVID is the perfect example where we're starting to see these extremely well architected, multi-layered attacks, for instance, starting with disinformation. So more often than not now when you're doing your searches and what's appearing on your screen is inaccurate, so you're seeing a great deal of misinformation being spread about the virus, for instance, which just plays upon people's fears and sets them up perfectly for the attackers when, as you mentioned earlier, we're seeing incredibly socially engineered phishing campaigns happening, really, really well architected links that look very real, that aren't, and if they've already kind of predicated that with something of concern, more people than not are actually clicking on these links and that ultimately execute malicious payload.

Dennis Murphy: We're seeing different ways and means, i.e. this text messaging now is taking a great prevalence in terms of what they're trying to do. Obviously you're seeing bogus WHO-related advice and guidance as it relates to the virus. People see that, they want to know it, they click.

Dennis Murphy: So, I would say that the COVID stuff is probably the most expansive right now, but what people are probably not thinking of is, these threat actors are incredibly intelligent and very asymmetric in how they think. So, they also realize that most people are very focused on COVID, so now what they'll be doing is they'll almost be performing if you will, a flanking manoeuvre and they'll be coming in different ways.

Dennis Murphy: The supply chain risks that are happening, I mean, if I had to kind of define what I've seen is the greatest evolution, it would be this convergence of threats. So what we used to see is two very, very distinct practices, if you will, one would be for instance in the criminal space physical. So we would see physical crime where people would actually know rob a bank physically. Then on the other side of the coin, you would see cyberattacks. Well, now they're mutually enabling each other.

Dennis Murphy: Supply chain is a tremendous example where if somebody in the inside, so to speak, and help facilitate an access, then you know, a cyberattack will follow. The scope and scale is just increasing. I don't think anybody's in a position to really, to be able to articulate what is going on right now, but kind of going back to what you had said and what I kind of endorsed, is COVID I would say is the predominant cyberattacks that we're seeing.

Host: How seriously do you think businesses are taking it and how seriously should they be taking it?

Dennis Murphy: Well, I think businesses have to take it incredibly seriously. I think it's interesting historically, I mean, if you're looking at the board level cyber presents itself as a very strange threat. I mean, boards understand that it's something that is important and that it's a direct concern and threat to the organisation, but they don't really understand how it needs to be handled.

Dennis Murphy: At the end of the day cyber permeates the totality of an organisation. I mean, technology is something now which in my mind is both really a blessing and a curse. It massively enables business. I mean, the speed and pace at which business can be done, our capacity to communicate, our ability to kind of develop new products and services is unbelievable. Unfortunately that creates a vulnerability and there are many, many individuals and organisations out there who want to exploit that.

Dennis Murphy: So I think a business has to really view cyber as something that just weaves its way throughout the organisation and that they have to have a component part to it, at least a cyber thought around all of these things. It's not simply a technical thing, as I said earlier, I mean, it really starts with that board level understanding of what the threat is, and what I've observed through dealing with C-suite level individuals and others is there's a bit of a disconnect between for instance, the technical leadership within an organisation really being able to explain that to the board.
 

Dennis Murphy: So if CISO can walk into a boardroom and normally default to technology type speak, and that doesn't resonate. They need to understand if... The CEOs want to know what's the business impact to my organisation in terms of what cyber presents itself as a threat? How much is this going to cost me? What are we going to do to fix the problem? And what are the ultimate benefits?

Dennis Murphy: If you start there, then the conversation gets easier and allows you to start formulating your plan. And then below that you start working into everything else which is required and I've mentioned earlier, technology is important, but if you haven't created that behavioural structure, the appropriate policies, governance, comms, everything that you need and then you augment that with the appropriate technology. That will significantly enable you to protect yourself as an organisation.

Dennis Murphy: And the other thing that I think boards need to understand is this is enduring. This isn't something where you throw your money at the problem. You invest in the technology and you're safe. That is not the case. It has to be fixed into your business planning throughout the lifetime of your organisation.

Host: That makes sense. That's some useful tips and techniques there, Dennis, on how it can go about getting our board level stakeholders bought into investing and improving security within the business. So specifically what steps can organisations take today to mitigate the risks of these cyber threats?

Dennis Murphy: Right. Well, I think, so one thing, an interesting starting point we're at right now in terms of our new reality is I think this extended enterprise model that we're all living, which we're doing right now, is going to be predominantly the way that businesses operate going forward.

Dennis Murphy: So by all means, you're still going to have to have your headquarters, so to speak, and the ability to have people congregate, but this is a tremendous example. And Gateley is a very, very good example as well of an organisation who migrated roughly 1,000 people to homeworking and did a very good job. But going forward in terms of what will Gateley or any other business needs to do, they're going to need to understand from a technological perspective, okay, what is this going to encompass? Because they've started it and it's operating, but they're going to have to augment that now with increased security regimes, things like two-factor authentication, making sure that people are operating... I mean, shadow IT will be a big concern. People using their own personal devices.

Dennis Murphy: So they're going to have to be working through a lot of these things and the IT departments will be working very hard. And on top of that, you're going to have to start building all the appropriate policies to make sure people are adhering to them. Communications are critically important. Again, I'm impressed with Gateley, whereas I've seen, your IT people or new information security folks communicating on a very regular basis with your employee base at home in terms of the things that they need to be aware of. COVID being a great example from a malicious cyber perspective.

Dennis Murphy: So comms are critically important. The governance piece is going to be critically important as well, going forward to make sure that data is being appropriately protected, whether or not it's like data that's housed within the organisation itself or data that can be accessed or stored by employees.

Dennis Murphy: I think it will be critically important to make sure that organisations enhance or build, unfortunately, some really don't have them in place, but your emergency response planning, your business continuity planning, making sure that these things are robust in place, they're regularly, regularly actioned, so you get that corporate muscle memory. So as in when the next cyber event happens, whether that's in the global nature or directly with the organisation itself, the companies can respond. So that's going to require potentially new talent, definitely new ways and means of thinking. The board's going to have to be involved. I think it's going to have to require a far more empowering mentality within an organisation.

Dennis Murphy: Traditionally, in my opinion, and what I've observed in the private sector over the last several months, it's very hierarchical. It's very top down. You're going to have to start thinking in different ways for organisations to become far more agile to be able to respond to these threats. And that will require new constructs. Building new teams that have very specific authorities, decision making trees that they are allowed to execute, because time is not a factor. Time is not something that is available in an event where a cyberattack occurs. You have to be able to respond very, very quickly.

Dennis Murphy: So it's going to take time. And I think the other really important thing is cyber is very much a team sport and it's going to require a more collective defence type approach and that, in the private sector perspective, is not normally the current mentality. Normally sectorally you compete with others, you don't collaborate. Well as it relates to cyber, we're going to have to.

Dennis Murphy: Having run some kind of HMG related workshops several months ago, we actually got the chairman and the NED of some very large UK organisations to get into that head space where, as far as cyber goes, we collaborate and we compete on everything else. Individual organisations may be able to significantly increase the capacity to protect themselves but if there's a broader, collaborative construct out there, I think it's going to make it significantly better for all of us.

Host: Brilliant. Okay. Dennis, thank you. So Dennis, what do you see as the consequences for those businesses who fail to embrace that agility and collaborative spirit that you've just touched upon?

Dennis Murphy: Sure. I think there is no shortage of examples, both very recent or even more historically in terms of organisations who have suffered cyber breaches and kind of what the resulting effects were. I think ultimately from the more catastrophic end of things, it ranges from complete and utter business interruption. We've seen many, many examples of organisations, whether it's been through some very, very serious cyberattacks from a more physical standpoint when they've actually destroyed infrastructure, whereby a company just simply is not in a position to manufacture for instance, the widgets that it makes.

Dennis Murphy: The possibility does exist that a very advanced cyberattack could completely shut an organisation down. I think on the lesser worrisome ends of things, just general business interruption, whether it's ransomware or other forms of attacks, it takes time for the organisation to remediate that. Now whether that's unfortunately sometimes having to completely burn their infrastructure to the ground and rebuild it, or just taking the time to bring in professional experts to kind of get the IT back up and running and all the other corresponding functions that are required.

Dennis Murphy: The other thing that is critically important that organisations need to be aware of is the litigation risks that exist. Now that we're in this GDPR space and other governance and regulatory models, organisations have to be incredibly conscious of the data that they hold and the ramifications if that data is obtained by others.

Dennis Murphy: Again, we see many organisations, whether it's the Panama Papers, for example, if you want to move closer to say Gateley as an example, as a law firm, and the sensitive, sensitive, proprietary data that they hold. If that's accessed, and that's released into the wild, well that just sets things up for some pretty unfortunate lawsuits and otherwise.

Dennis Murphy: And I think the other thing that could be potentially crippling is just the reputational risk which exists. So again, organisations who have been compromised, the ones who succeed and the ones who do well getting out of it, are the ones who have a very fulsome communications and response plan and they let it be known, right. They let their investors, more broadly they let people know that they've been compromised. And right after that, here's the following plan that we're going to do to kind of recuperate and recover and hopefully prevent it from happening again. Too many organisations are compromised and for many reasons, reputational is a starting point, they don't tell people and by the time that they've attempted to recover, it's too late and you know, that just dramatically affects.

Host: So COMS is key in both prevention and following an attack. Right, thank you, Dennis. If there were five key takeaways that you could give our listeners today that they could action in the short term, what would they be?

Dennis Murphy: Sure. Number one, I think it's the communication piece, which we've talked about earlier and that... Definitely starting within the organisation. So making sure that from the top down, cyber threats are understood in terms of how employees and leadership can respond and react to them and what needs to be done.

Dennis Murphy: I think it's critically important that organisations have very, very robust business continuity and response plans in place. And more importantly than that, rather than letting them gather virtual dust, they need to actually action them on a regular basis and that will seriously increase their capacity to protect themselves.

Dennis Murphy: I think it's incredibly important for organisations to make sure now in this new reality of homeworking, that they are applying the appropriate levels of infrastructure, the newest technologies, the ones that are the most protective, and again, accompanying that there has to be guidelines and employees need to seriously be following.

Dennis Murphy: I think as mentioned earlier, I think we have to be in a far more collaborative space. We can't simply be operating independently. I think that we have to be sharing those experiences in terms of cyber threats or breaches that will help enable and others protect themselves. I think the collective defence piece is absolutely critical and it will take a time before mentally we get there in the private sector.

Dennis Murphy: And the other thing I think is just pause, take a breath, for instance, before you click... And this, again, this starts at the top. So if, as an organisation, your breached, if you're a senior leader or senior leadership team, take a breath, then react. And you know, that kind of goes right down the chain to, we're respectively sending it home right now and we're quite unbalanced as it relates to COVID and what that means to us and what is going to happen, and then we get some information appearing in our email that may give us some of the information that we've been seeking for. Think before you click on it. Right?

Dennis Murphy: And again, that needs to be accompanied by solid communication from your company. These are the kinds of things you need to look for when you get emails, and the threat will be dramatically reduced again, if you've educated your workforce, provided in what they need, communicate to them on a very regular basis in terms of the evolution of the threats and what we're seeing and what they need to be looking out for. And I think that will position all of us in a much greater way in terms of kind of be able to decrease these threats.

Dennis Murphy: The final point that I would make is what I said earlier, this is not going away. This is our new normal, if you will, from a cyber threat perspective. I think cyber threats represent the single, greatest concern for businesses and it needs to be the number one.

Host: Thank you very much, Dennis. So, I'll be providing Dennis' contact details and information along with this podcast, but if you have any questions for him, relating to this podcast, or anything else, please do pick up directly. Thank you very much.

Dennis Murphy: Thank you very much for having me.

Host: Thank you for listening to Straight talking business success. To find out more about the series, please visit gateleyplc.com/business success. From here, you can subscribe for updates, meet our speakers and get more information on all of the topics that we've covered.

SubscribeHide

Forward thinking insight

Direct to your email inbox

Subscribe now