The world of cyber security for businesses is one fraught with risks. Not unlike the surfer who vowed never to surf again after enduring 31 hours adrift in cold Scottish waters. He knew the risks before he went out; he could have mitigated them, and he could have assessed the environment more fully prior to going out.
In much the same way, businesses that fell victim to the recent WannaCry attack need to be motivated by risk; nine out of 10 of those businesses affected were probably aware there were risks to their organisations, but did they react before the attack to reduce the risk? Unlike the surfer, though, businesses cannot just decide not to trade.
There are lessons for Guernsey businesses to learn and learn fast. Cybercrime pays and, as long as it does, businesses will continue to be at risk. Add in the growing sophistication of tools available to cyber criminals, not to mention the vast resources of nation states that dabble in cybercrime, and we should expect much worse in the future.
There is a heavy reliance on IT “experts” to tell businesses what to do rather than the business knowing what should be done or what needs protecting. Business leaders and boards of directors need to upskill quickly. They need to be able to understand what the experts are telling them and interpret those lessons effectively to ensure systems are more robust and are able to continually reduce risks of attack; they need to be actively involved in this process, and that requires skill sets that boards and business leaders, on the whole, do not yet possess. The role of their advisors may also be a factor. Advisors should be qualified (not something that always happens in Guernsey) and should be taking and passing industry-recognised exams at a high level and in specific areas around cyber security.
It could be argued that the lack of expertise at board level is the greatest risk to cyber security. People generally do not like to admit what they don’t know, but if they did they could seek those who will help them learn. Simply relying on the experts to fix the problem will not, on its own, future-proof the business or guard it against cyber-attack.
It is time to look at board makeup and competencies. In my view, there needs to be at least one non-executive who not only asks the right security questions but understands and interprets the responses, elaborates and interacts with those responsible for technology and security. Without these skills at this level we will continue to see boards making bad decisions based on ignorance.
Yes, good advisors are important, but boards need to understand what they’re being told. Understanding technology has long been missing on boards; we are at the stage where such deficits should be seen as bad corporate governance.
The internet is a dodgy neighbourhood. Businesses are connected to this neighbourhood and, unless protected, their valuables will be compromised.
The lessons not learnt from WannaCry
The latest attack, dubbed “NotPetya” by Kaspersky Lab, is taking advantage of known weaknesses similar to those used by the recent WannaCry attack; however, it is also looking for weaknesses in already patched system configurations, seeking areas where best practice has not been followed by the IT department and suppliers.
This is a double whammy: there are many IT departments that are proud that their estates are up to date, but scratch the surface and you often find that best practice has not been followed on all elements of the configuration.
This is a critical issue for boards. The fact that at the Russian nuclear site of Chernobyl, the radiation sensors are down and they are leaning out of windows to manually sample says it all. Complacency rules even in critical environments, so boards need to take the FCA-recommended approach and deal with cybersecurity proactively, intervening before an attack happens and before it is too late.
The event, Europe’s largest and most wide-ranging gambling conference, attended by over 25,000 people, showcased new developments across the gambling sector for both land-based and online casinos and offered a number of seminars on topics such as the latest legislative changes.
Marc Lainé, Managing Director of C5 Alliance Guernsey, who attended the event with client relationship manager Adrian Bott, said the event was an excellent opportunity for networking and it highlighted the need for Guernsey to refocus its efforts on attracting eGaming to the island.
“C5 Alliance was pleased to be able to support Team Alderney in raising awareness of the Bailiwick’s eGaming proposition. Once again there was a noticeable increase in participating jurisdictions this year with at least 60 different countries represented, including our Jersey neighbours. Government funding has played a key role in the growth of eGaming in jurisdictions such as the Isle of Man and Malta.”
“ICE is the premier event in Europe for eGaming; the industry continues to grow globally and it is increasingly apparent to me that Guernsey needs to remind the sector not only that it is open for business, but that as a jurisdiction it is an attractive place to do business. We have a world-class infrastructure and connectivity on the island, a fibre network and three major data centres to serve the market. With back-office support and short journey times to London we are excellently placed. We are outside the EU and the uncertainty about the Brexit effect on tax in this industry,” said Mr Lainé.
Competitor jurisdictions like the Isle of Man, Gibraltar and Malta have been making hay for some years and the eGaming sector is now a primary employer and provider of significant GDP for those jurisdictions. Mr Lainé believes that Guernsey needs to consider the contribution this industry once made to the island’s economy, estimated to have been in the region of £50 million a year, and develop a new strategy to reassert its place as a well-suited location for operators licensed by the AGCC (Alderney Gambling Control Commission).
I recently attended the FT Cyber Security Summit Europe in London; one of the speakers was Nausicaa Delfas, Director of Specialist Supervision from the Financial Conduct Authority (FCA), and from her address I learnt that the FCA’s attitude to cyber security and supervision is very proactive and prescriptive in terms of expectations.
The FCA is taking an interventionist approach; they have set their approach to cyber security and have clarified in detail their expectations of firms but at the same time acknowledge there is no one correct answer.
- ‘a security culture’, driven from the top down – from the Board, to senior management, down to every employee;
- good governance around cyber security in their firms – senior management engagement, responsibility – and effective challenge at the Board;
- firms have identified their key assets and that the protections around them are appropriate;
- firms need to have adequate detection capabilities;
- firms should have systems and controls to ensure they can carry on in the event of an unforeseen interruption, and to be able to recover from interruptions, preserving essential data.
The FCA highlighted three emerging risk areas at the Security Summit: an increase in ransomware attacks; the outsourcing of data storage to cloud services, which means businesses are sometimes unknowingly adopting the governance of their cloud provider; and an ever-increasing skills gap in the industry.
Security measures for any business shouldn’t be just a ‘tick-box exercise’. While recovery and response after an attack are important, if an organisation has got to that stage arguably it is too late. Key assets need to be protected appropriately and confidence in personnel should not be over-estimated.
Raising and understanding standards around cyber security is vital. Boards and senior management teams in Guernsey, with vague guidance, are struggling to understand the level of competence, preparedness and compliance needed.
Our regulator cannot be expected to produce its own detailed independent advice and some would rightly argue it’s not its job to tell businesses how to protect themselves – beyond that, organisations must be able to demonstrate that they have applied high standards in the event of a breach.
The regulator in Guernsey clearly has a far smaller jurisdiction and therefore a smaller mandate than the FCA, who have given high priority to ensuring licensees meet minimum clear standards; whilst local financial services businesses do not need to comply with the FCA cyber security guidance, they should embrace this helpful advice and test themselves against it.
It was refreshing to hear how robustly the FCA are dealing with the clear and persisting threat to regulated businesses. Cyber-crime pays, and for as long as it offers a lucrative opportunity it will continue to grow, attracting more participants and greater levels of sophistication.
This is a sad day for Europe and it does seem in part that the referendum was largely about immigration. It appears there was a divide in the voting demographic which has never been seen before – with the older generation in favour of the leave vote and the younger generation, those who will inherit the many consequences of this significant decision, in favour of remain.
There are many aspects to consider in the wake of the decision to leave and even if Britain is better off out of Europe, the advantages may be short lived if this decision is now the catalyst for the collapse of the EU. We may eventually be worse off as a result of economic disruption and chaos and it may now cause a domino effect; Europe may seek to make an example out of the UK – worryingly Guernsey could become a bargaining tool in the difficult negotiation period that will now follow.
Guernsey’s politicians and external relations team, who have in my opinion been doing a commendable job to get our voice heard on the global stage, now play an even more significant role in getting us the best deal possible. From today the clock has started ticking to get that deal.
The diversification of our economy is brought more sharply into focus as a result of this decision; no one in the technology industry has a crystal ball to indicate which services will be most impacted, but what I do know is the greater the diversification in Guernsey the better the chances for growth and continued prosperity. Is the States of Guernsey prepared to lead by example and really invest in diversification in the run-up to the exit in two years’ time?
Today our world became a little bit more uncertain and in this time of uncertainty we need to consider what makes us vulnerable – our deficit. I throw down the gauntlet to the States of Guernsey to return the deficit to zero by the time of the exit to ensure we are as resilient as possible for what may lie ahead.
Adversity is undoubtedly the mother of invention; so if Guernsey wants to nurture innovation and invention – is this possible in an island where adversity is not the norm?
A senior partner working in professional services described to me his predicament – he has exciting digital business ideas he is keen to pursue, but he is currently employed in a well-paid position which gives him a secure future. In the current climate there is little incentive for the best talent to create a digital or Fintech start-up, it feels too risky compared with just doing ‘the day job’.
I have met half a dozen local start-ups that have the potential to bring tens of millions in new tax revenue to the island. You won’t find them sat dreaming at the Digital Greenhouse, but struggling to hold down a demanding full-time job while trying, in what little time they have left, to move their company or project forward. For these entrepreneurs there is no red carpet treatment, government endorsements, facilitation or door opening and introductions. They offer the most promise, but are not nurtured at the pre-investment stage.
I strongly believe the way to accelerate these new ventures and provide the best chance of success is via a government grant. I tested this theory and spoke with 30 or so key Fintech and digital businesses in London at Finovate, which showcases the cutting-edge innovation in banking and financial technology.
Every single venture started with grant or match funding in some form. Indeed, a Guernsey digital entrepreneur recently started his new business in London with a £40,000 UK grant and tax breaks for investors. This is an opportunity lost for Guernsey and demonstrates that we have not got it right – yet.
Great work has been and is being done in this area and we have been promised that much more is in the pipeline – but we need to highlight this matter to our new States of Guernsey Deputies now in the hope of getting a grant scheme in place. I have discussed this with government and have enjoyed a good response from officers as they wait for the newly elected Deputies to take their places. Credit must be paid to these officers, with many now preparing grant scheme options for their new Board to consider.
Grant funding must not be confused with investment – either private or government. Investment at first or second stage is the natural result of a successful grant-funded phase of development – one does not replace the other and they are both essential. Of course a funding scheme will be even more controversial if the recipient fails. I don’t believe that there would be more than a handful of worthy projects each year, and we must be realistic: some of them will not succeed. But without a government funding scheme in place we have a beautiful jigsaw puzzle with the piece in the middle missing.