Mon 11 Dec 2017
News - Directors' Day 2017 - Cyber security and the Board
Description
Directors' Day 2017 - Cyber security and the Board

“Managing cyber risk is not particularly different from the other risks that businesses face and deal with all the time. Your companies must take decisions that have weighed calculated risk.” This was the assessment of Pascal Steichen, CEO of securitymadein.lu, Luxembourg’s cyber-security umbrella organisation.

There are three main components of cyber risk: vulnerabilities, threats and impact. Each can feed from and amplify the others, and strategies need to be developed for all three. However, Mr Steichen said there is no way to eliminate risk, even if it can be reduced. Work is needed across the organisation, and risk reduction and mitigation is an on-going process rather than a state that can be achieved.

  • Your people need to have their awareness raised to help them resist attacks, and there must be the skills to put prevention tools in place and deal with attacks when they occur.
  • Technology, including anti virus software, firewalls, intruder prevention systems, are a must.
  • Organisational policies, procedures, and responsibilities need to be put in place and kept up-to-date.
  • Compliance with rules and procedures must be maintained regarding privacy (with reference to rules related to GDPR and AML), intellectual property, and notification to the authorities.

But these measures are not sufficient on their own. Each firm will need to have further policies in place to anticipate threats:

  • Risks will need to be managed, ideally with a chief information security officer able to probe vulnerabilities.
  • There needs to be a proactive approach to detection and reaction, with a computer emergency response team (CERT) in place to fight fires.
  • Preparations will be needed for a crisis. Internal capabilities should be developed to help quick reaction.
  • A business continuity plan and disaster recovery plan is required.
  • Firms should also consider cyber insurance.

Mr Steichen highlighted how securitymadeinlux.lu can help with all these challenges. It provides news, information, and tools about cyber security for specialists and non-specialists alike. It does this by being the contact point for the country’s cyber security platforms and resources, mainly the Computer Incident Response Center Luxembourg (circl), Cyberworld Awareness and Security Enhancement Services (cases), and the Cybersecurity Competence Center Luxembourg (c3).

The latter has only recently been established. It features numerous innovative tools to help businesses prepare, including a simulation game where non-technical managers are confronted in real time over two hours with a simulated attack. There are even light and sound effects to heighten stress levels, the better to help users prepare for the worst.

Some of the most effective recent techniques used by cyber criminals were also highlighted. There has been a spike in compromised email addresses being used. For example, criminals can pose as executives to request that payments be made, or clients could be contacted with bogus invoices that might even refer to an on-going project. Ransomware has also come to the fore, whereby a rogue program encrypts data that can only be unlocked with a password made available by the criminals after payment of a bitcoin ransom.

If you are attacked “don’t suffer in silence,” Mr Steichen advised. There would probably be more harm done to reputations if a cover-up is revealed rather than taking an open approach. Working with the wider community helps general response to the attack wave.