Successful cyber-attacks continue to make headlines. Three different perspectives on recent events combine to shine a spotlight on one key area for focus and action: the role of the Executive and Non-Executive Board members and their advisors. In this article, we review each perspective in turn and highlight the different ways in which Board-level involvement makes a difference to cyber security.
The British Library Cyber-Attack
The British Library (the Library) is the National Library of the UK. It has several purposes, including “building, curating and preserving the UK’s national collection of published, written and digital content” and “supporting and stimulating research of all kinds”.
Much of its collection was created digitally (‘digital-born’), whilst the digitisation of printed material is an ongoing process. A significant part of the research purpose is delivered through online access to ‘e-resources’.
In late October 2023, the Library was the victim of a cyber-attack that exfiltrated large amounts of data, encrypted or destroyed much of their server estate and locked users out of their systems. The attack was accompanied by a threat to publish or sell the stolen information unless a ransom was paid.
As might be expected, the Board commissioned a full investigation into the cyber-attack. In a more unusual move, the Board approved the publication, in March 2024, of an 18-page report (“Learning Lessons from the Cyber-Attack”, on the Library website).
Amongst the 16 ‘lessons learned’, the Board focused on its own shortcomings: a lack of awareness of cyber risk, especially when considering strategic investment choices, which led to the down-playing of cumulative risks. The lesson was:
- Lesson 11: Ensure cyber-risk awareness and expertise at senior level (recruitment of a Board member or Board-level advisor with cyber expertise is strongly recommended).
They observed that: “The threat of cyber-attack continues to grow but there is a large volume of advice available to support all aspects of defence, response and recovery. Membership of general and sector-specific cyber information-exchange forums may have helped the Library to be better prepared.” This has stimulated the publication of the Library’s report.
Or, as they succinctly put it:
- Lesson 15: Collaborate with sector peers.
Synnovis
Synnovis is a pathology partnership between Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, and SYNLAB, Europe’s largest provider of medical testing and diagnostics. On Monday 3rd June, Synnovis was the victim of a ransomware cyber-attack. The following day, the CEO, Mark Dollar, issued a statement admitting that the attack had taken place and stating that an investigation was underway. This statement was quickly followed by similar statements, including apologies, from the Chief Executives of both of the NHS Foundation Trusts involved.
In his statement, Mark Dollar said: “We take cybersecurity very seriously at Synnovis and have invested heavily in ensuring our security arrangements are as safe as they possibly can be. This is a harsh reminder that this sort of attack (ransomware) can happen to anyone at any time”.
These three Chief Executives now have almost a full-time role in managing the impacts of the cyber-attack. The key lesson is:
- Preparation for Crisis Response, including rehearsal of the management and communications aspects, must be at the forefront of the Board’s planning.
Business Continuity Institute (BCI)
The BCI is a leading member-led institute with a strong track record in developing ‘good practice’ and offering training, education and qualifications related to Business Continuity and Resilience. Amongst its publications is its ‘Annual Cyber Report’, with the 2024 version published on the 12th June. Amongst the findings are:
- There is a continuing requirement to educate Boards in the language and complexity of the ‘cyber’ world.
- Executive leadership is not just important for gaining the investment needed to counter cyber-crime but is crucial in fostering collaborative working practices.
- Sophisticated, targeted social engineering attacks on senior executives are increasing. Deepfakes are increasingly being used to emulate personalities (such as CEOs) and can have disastrous reputational consequences.
Summary
With Boards responsible for setting the strategy, defining the resource envelope and managing the wider implications of a cyber-attack, it is incumbent on them to understand the threats and risks to which their organisations are exposed. Help is available: the NCSC offers a Board Toolkit that can help Boards better understand the environment and its associated risks.
As these three sources confirm, Boards play the most vital role in cyber security; put simply, Board Members must:
- Learn about cyber risk (including their own role as a risk vector);
- Train in cyber response; and
- Collaborate with sector peers.
In today’s rapidly evolving digital landscape, with cyber threats becoming increasingly sophisticated and relentless, businesses must work to stay one step ahead to ensure that they are protecting their business and its critical assets.
At Redcentric, we understand that effective cyber security isn’t only about deploying the latest technologies; it’s about seamlessly integrating them with your business processes. Redcentric offers a full suite of cyber-security services that address these vital elements.
Our consultants have experience in delivering Board-level cyber training and exercising and in facilitating knowledge exchange between peer organisations. If you’d like to arrange an initial consultation, please reach out to your Account Manager or the wider team on sayhello@redcentricplc.com so we can help you in identifying the next steps of your cyber security evolution.