17 Jun ‘26

Cyber Has to Be Recognised at Board Level as a Key Business Risk

If anyone was in any doubt about the risk that cyber attacks pose to a business, the recent incidents involving Marks & Spencer and Jaguar Land Rover – the latter of which saw the company close down its manufacturing plants for five weeks and cost the economy an estimated £1.9bn – have surely dispelled any notion that this is not something to worry about.
Gavin Dodd
Cyber Security and Information Governance

With organisations at risk of an attack, Clarity head of information security Gavin Dodd says it is vital not just that businesses have the appropriate mitigation and reporting measures in place but that cyber attacks are recognised, at Board level, as a “principal business risk”.

“They can have operational, financial and reputational consequences,” he explained, “which is why the forthcoming Jersey Cyber Security Law should not just be regarded as a piece of legislation with which businesses have to comply.”

With all businesses holding a range of data which needs to be protected, Gavin adds that the “greatest cyber issue” facing many firms is a “failure to understand the risk”.

“If you don’t properly understand the information assets a business holds and the cyber-security risk created, then you may be in a poor position to implement the appropriate controls,” he pointed out. 

“That is why I always say that knowing where information assets are, the sensitivity of data they hold and understanding linked cyber risks are the keystone to effective information security. From a solid base of knowledge on those points, not only can you work out which controls you need but you can also apply them cost-effectively.”


And that understanding, he says, is not the sole responsibility of the IT department.

“It is a Board’s responsibility to show that they have considered the risk and implemented right-size measures, which both meet the relevant regulatory requirements and enable the business to continue operating in the event of an incident.”

This, he adds, is particularly important as cyber attacks are constantly evolving, supported by the “power of AI”.

“AI is at the top of everyone’s agenda,” Gavin said. “Its power and the quality of its answers are getting stronger week by week, which gives attackers increased opportunities to improve and automate some of their activities. Because of this, ransomware and phishing attacks remain dominant, with the main worry being that attackers will gain access, usually through abuse of identity and/or authentication, to your data. Effective campaigns run using AI-powered Teams calls and deep fakes have been reported.

“Alongside that, we see issues with invoice fraud, often stemming from the email account of a trusted but compromised contact.”

This, adds Gavin, links with one of the core risks facing businesses – that of the supply chain.  

“Supply-chain risk is very difficult to counter and has to start by businesses understanding who their main suppliers are, including their technology suppliers, and which ones are critical,” he explained. “They then need to look at the information exchanged within the supply chain and the accreditation of the suppliers.

“At a deeper, more technical level, working out if compromised third-party packages are included in software can be a highly complex task.”

Against such a complex landscape, many businesses may be unsure about how much they should be spending on cyber resilience. This, says Gavin, comes back to understanding the level of risk.

“This is actually a straightforward equation,” he said. “What’s the risk? What’s the cost of fixing the risk? Does that cost outweigh the benefit of your investment in cyber resilience?”

Within this, he adds, is the question of whether a business would be able to continue operating if its systems were compromised.

Last year’s cyber attack on Jaguar Land Rover saw the company close down its manufacturing plants for five weeks and cost the economy an estimated £1.9bn. Picture: PA Media

“If you don’t have tested and immutable back-ups and your systems are subject to a ransomware attack, you will not be able to continue delivering critical services and your chances of recovery are low. This is where businesses risk falling into insolvency,” he said. “This can be fairly easily countered by having active and immutable back-ups, which you need to test regularly.”


While some businesses may choose to align themselves with a recognised standard, such as Cyber Essentials or ISO27001, Gavin says the starting point is always assessing the risk and then looking at the balance between detection, prevention and response.

“It is all about prioritising measurable outcomes,” he added. “How are you measuring your cyber security and can you demonstrate continuous improvement through reduced risk exposure or better incident response?”

And while regulation may be placing increasing scrutiny on cyber security, Gavin stresses that companies should not just adopt a compliance-led approach.

“I would urge businesses to move from compliance-led thinking to resilience-led thinking,” he said. “Of course, you have to comply with the regulations – and in the case of businesses which form part of multijurisdictional companies there could be several regulatory frameworks to consider – but I would encourage business leaders to think firstly about whether the organisation would be able to recover from an incident.”

One new regulation which will be relevant to local businesses is the Cyber Security (Jersey) Law, which is expected to come into force this year.

“This is targeted particularly at ‘Operators of Essential Services’,” explained Gavin, “so the first thing businesses need to do is establish whether they fall into that category. This law is intended to drive governance, resilience planning and co-ordination with the Jersey Cyber Security Centre, and while it is designed primarily to improve cyber security, it also contains enforcement provisions, so organisations within scope should treat compliance seriously.”

Another piece of legislation which is relevant to many local businesses is the Digital Operational Resilience Act, a regulation introduced by the European Union with the aim of strengthening the digital resilience of financial entities.

“This is another example of a regulatory framework which also looks at the ability of parent companies and suppliers to recover from disruption,” he said. “While DORA may not apply directly to Jersey businesses, if you have links with an EU-based company, your risk management frameworks, governance, incident reporting and risk oversight and control will all come into the spotlight. And it is worth mentioning that DORA states that Boards are explicitly accountable for ICT risk management / digital operational resilience.”

Of course, while there are many cyber risks, some of which are driven by AI, this technology also has the potential to support business innovation.

Gavin Dodd, Head of Information Security at Clarity


“AI creates both threats and opportunities,” said Gavin. “It must be treated as an enabler of innovation, and innovation is clearly important, but security measures have to be applied. Secure by design is an over-used phrase but it is relevant and if you enable security and governance at the beginning, you are in a much better position to innovate and adopt technology. 

“Microsoft, for example, has an area of its website dedicated to everything you should do before implementing AI within a company. And, again, it all comes back to understanding. If you understand data governance, restrictions and controls, and have the right document and record management systems in place, you will be much better placed to take advantage of AI-based technology. But you should remember AI is good at finding a way around problems, so without the right permissions, security measures and policies, you increase your vulnerability.”

While this might sound daunting, third-party suppliers and technology partners can play a critical role in supporting this process although again, as Gavin stresses, this can bring its own set of risks.

“Having a small number of suppliers, and understanding their criticality to your business, helps to identify and cut down risk,” he said. “Continuous monitoring is also a real issue. Is your threat intelligence up to date? And do you know what would happen to your data or the service your supplier offers if they suffered a cyber incident? What would happen if your supplier became insolvent? And what are your own obligations should one of your suppliers experience an attack? It is worth remembering that, at Board level, you remain accountable for failures within your supply chain.”

With this bringing the issue of cyber resilience even more firmly into the spotlight, Gavin says that key features for businesses to consider include managing identity, access and ensuring patching and vulnerability remediation is effective.

“I would also urge businesses to make sure that they have a defined, and tested, incident response capability,” he said. “With many ransomware attacks happening overnight, what is the alerting process in the event of an attack and how is it escalated? Are the people on the call list available to answer the phone at 2am?”


Critically, says Gavin, this is not something that people can afford to spend too much time thinking about before taking action.

“There are several short-term cyber challenges facing firms,” he said. “The industrialisation of cyber crime remains a significant challenge. It is widely predicted the rate of bug development will exceed the capacity of companies to remediate reported issues, as AI and automation capabilities increase. There may also be regulatory requirements coming into effect, for which businesses should be preparing.

“Therefore, my overall message is that just talking about cyber isn’t good enough. The only businesses that will succeed in the event of a cyber attack are the ones that invest in, and implement, test and review their security measures to strengthen their operational resilience.”
