THE NEXT FIVE - EPISODE 5
Securing Our Cyber Future
From hotels to hospitals, cybercrime is on the rise. Here’s how to stay ahead of the curve and protect your business

The Next Five is the FT’s partner-supported podcast, exploring the future of industries through expert insights and thought-provoking discussions with host Tom Parker. Each episode brings together leading voices to analyse the trends, innovations, challenges and opportunities shaping the next five years in business, geopolitics, technology, health and lifestyle.

Featured in this episode:
Tom Parker
Executive Producer & Presenter
Mitch Scherr
CEO of Assured Cyber Protection
Brian Holliday
MD of Siemens Digital Industries UK & Ireland
Warren Buffett famously heralded cybercrime as a bigger threat to humanity than nuclear weapons.
Whether you agree or not, cybercrime is becoming the number one concern for companies worldwide. In a time of rapid digitalisation, spurred on by the global pandemic, we discuss how vulnerable organisations are to cyber attacks and how they can shore up their defences in the face of sluggish government legislation and ever-advancing cyber adversaries. Mitch Scherr, CEO of Assured Cyber Protection, shares his industry-insider perspective on the most common threats and impacts faced by business at large and gives context to what the next five years in a cyber future looks like. Alongside Mitch, Brian Holliday, MD of Siemens Digital Industries UK & Ireland, shines light on the potential competitive advantage to be had in the cyber security environment, and Stephen Phipson, CEO of Make UK, gives a call to arms for awareness amongst the manufacturing sector as both technology and human factors play their part amid rapid digitalisation.
Our sources for the show: Statista, Forbes, UK Government, IBM, Accenture, The Guardian, WEF
This content is paid for by Assured Cyber Protection and is produced in partnership with the Financial Times' Commercial Department.
Transcript
Securing Our Cyber Future
Soundbite
Mitch Scherr 00:03
There are only two kinds of companies in the world. Those that have been hacked. And then those that have been hacked that don't realise it.
Tom Parker 00:11
Cyber attacks were up in 2021, proving that even a global pandemic can't stop criminals online. Even after the pandemic, it's cybersecurity that is concerning companies the most ahead of both natural disasters and supply chain disruption. After all, cybercrime has the capacity to cripple a multinational in minutes.
00:35
Some breaking news in the last hour: one of the UK's biggest phone networks says it received a demand for money after a significant and sustained cyber attack.
00:44
Account information, credit card information, banking details that could be at risk.
Tom Parker 00:52
I’m Tom Parker, and welcome to The Next Five podcast brought to you by the FT partners studio. In this series, we ask industry experts about how their world will change over the next five years, and the impact it will have on our day to day. In this episode, we're talking about cybersecurity and resilience, essentially, how corporations can better protect themselves during a time of rapid digitalization. Where so much of our daily lives is now connected to the internet, the safety of information, infrastructure, people and data within and outside of an organisation is critical. We'll also look at the need for better cyber protection for all, how countries build legislation and policy, and, of course, what the next five years in a cyber future will look like.
JIM SOUNDBITE 01:48
It was the 27th of June when I woke up at four o'clock in the morning. A call came from the office that we had suffered a cyber attack.
Tom Parker 01:58
Jim Hagemann Snabe is the chairman of Siemens and former chairman of A.P. Moller-Maersk, the latter of which suffered one of the biggest cyber attacks in history.
JIM SOUNDBITE 02:09
Imagine a company where a ship with 10 to 20,000 containers enters a report every 15 minutes. And for 10 days you have no one. It's almost impossible to even imagine.
Tom Parker 02:23
Maersk is a shipping company responsible for 20% of world trade and controls 76 ports globally. If you're listening to this at home, look at your fruit bowl: one in three of those bananas was shipped by Maersk. So when a multinational company that is so tightly woven into the fabric of world trade is downed in just seven minutes by state-sponsored cyber criminals, we should all take note.
JIM SOUNDBITE 02:50
This was a very significant wake up call for an organisation like A.P. Moller-Maersk. We could say a very expensive one, it costs us one and $50 to $300 million.
Tom Parker 03:01
And they're not the only ones. In the last decade cyber attacks have hit the likes of Yahoo, FedEx, and Facebook, as well as hospitals and airports around the globe, and thousands of SMEs. The cost of cybercrime in 2020 reached a staggering $1 trillion. And by 2025, that figure is set to increase tenfold, making the industry more profitable than the global trade of all major illegal drugs combined.
Tom Parker 04:24
And it's the companies that pay for poor cybersecurity measures in more ways than one. The average cost of a data breach is $4.2 million. Organizations are forced to pay 4% of global turnover in fines alone, should they be in breach of data laws. Then there's the fall in share price, down an average of 15% in the three years after a breach. Then add to the bill all the work to rectify the chaos caused by a cyber attack, and altogether it's getting pretty pricey. But of course, the cost of a data breach goes well beyond the financials.
Mitch Scherr 05:00
Not just monetary, that's the key. It's reputation.
Tom Parker 03:31
Mitch Scherr is the CEO of Assured Cyber Protection and has more than 28 years' experience in the IT industry, helping governments and companies become cyber resilient.
It's brand. It's the impact on morale within the organisation. There are other impacts that are like a MasterCard commercial, they're priceless. The average cost is 4.2 million, but the cost of your reputation, your company, the brand, your employees, priceless.
Mitch Scherr 03:42
Right now, the most common is ransomware. By far, it's impacted the insurance industry. It's impacted enterprises, it's impacted governments. And it's a way for them to as the name states, they charge a ransom so they get money. And I'll give a great example here. You had groups, cyber criminals, cyber adversaries that were hacking into the insurance companies, understanding who had policies that covered them for ransomware and then hacking those companies and then knowing that you would get paid for the ransomware. So ransomware is top but there are other forms of which a cyber adversary will look at.
JIM SOUNDBITE 05:25
We were basically average when it comes to cybersecurity, like many companies, and this was a wake up call to become not just good, we actually have a plan to become calm in a situation where our ability to manage cyber security becomes a competitive advantage.
Brian Holliday 07:10
Think of Jim's point about cyber as a competitive advantage.
Tom Parker 05:50
This is Brian Holliday, Managing Director of Siemens Digital Industries, and a member of Siemens' senior executive board.
Companies that build trust will ultimately succeed, it's going to become an increasing business factor. You know, these are companies that build the right culture, they have the right processes, they have products and services that have cyber built in, you know, companies that provide clear guidance and advice or updates to software and are responsive are going to very clearly print the appearance of robustness and resilience that you've got cyber at the heart of your strategy, too. So I think companies that shine through with that capability will ultimately create competitive advantage over those that don't.
Tom Parker 06:47
The Maersk attack was nearly half a decade ago. We've digitalized even further since then. According to McKinsey, the pandemic accelerated the digital transition by seven years. The 50% week on week rise in cyber attacks witnessed in 2021 alone suggests that cyber criminals have welcomed the move and taken advantage of the new gaps in security.
Brian Holliday 05:41
Jim talks about this being an inflection point or post pandemic inflection point really where we are dramatically accelerating digital capabilities.
He talks about the fact that IoT, the connectedness of devices, is growing. We found that we used digital technology in an accelerated fashion whilst working remotely. And so, you know, cyber concepts need to be defended in depth, they need to think about different threat vectors. It is a challenge, of course, because of the number of IoT devices that we now see in circulation and growing, we estimate that to be in excess of 50 billion by 2025. I mean, it means that we do need to have broad awareness of the security risks associated with working with devices in the cloud. We need to build security concepts for companies and governments in particular, but, you know, consumers need to be aware, certainly, and we need to make sure we're keeping up to date. So that doesn't just mean keeping software versions up to date on our devices at home. But certainly for companies that's a real risk.
Tom Parker 07:49
In 2018, it was the hotel chain Marriott who famously took four years to realise they had been the victims of a cyber attack that compromised 339 million guest records. This isn't a complete anomaly. Research shows that it takes organisations an average of 191 days to identify data breaches. But why?
Mitch Scherr 08:11
First of all, it gets back to a very interesting dynamic with Marriott, for example. The reason that Marriott was impacted was that Marriott, in a sense, acquired the hack. When Marriott went to acquire Starwood, Starwood had already been hacked. So in a sense, they acquired the breach. Why, as you said, the average cyber adversary is in organisations six months before you even know about it. They go through laterally. And sometimes they don't want you to know that they're in there. So they don't create disruption. And they're in there sometimes because of either a lack of Digital Stewardship by the enterprise, or the government for that fact. They're in there because of a lack of good cyber posture and hygiene. And it can be simple things. It's not that servers or devices are patched and up to date. So there's what they call a MITRE ATT&CK framework, of which the cyber adversary will get in, laterally move across to want to get access to the crown jewels. But a lot of times cyber adversaries don't want you to know that they're in the system. Why? They want to exfiltrate as much data as possible without you knowing it. So the longer they're in there, the better off they are. On the enterprise side, it's unfortunate, but sometimes I lack good cyber hygiene and posture.
Tom Parker 09:45
Are there any industries particularly vulnerable to cyber attacks?
Mitch Scherr 09:49
Number one, every year, finance, right? It's where everybody has the most to gain, and finance can also include insurance and the related activities. So finance has always been number one. And I think it's been number one for at least seven years. Number two used to be healthcare. But last year, it became manufacturing. COVID, other areas that extended the perimeter, created a scenario where an adversary said there's a weakness in the supply chain. We can have an impact if we can hack into the supply chain. Why? Because it comprises small and mid-sized businesses that don't have access to the protections that are necessary in these cases, which I think is a very important part. Because when we think of this world are you see the cyber environment, everybody focuses in and thinking of the big companies, but the ones that we should be focused in on to assist, to aid, to protect are the small and the mid-sized businesses.
Tom Parker 10:54
Stephen Phipson is CEO of Make UK, an organisation that represents the manufacturing industry in Britain.
Stephen Phipson 11:01
The challenge of manufacturing is that we are automating the production process. And while you're doing that, you are inserting lots of internet connected devices into your production process. And they have access to manufacturing data, processed data, all the secrets of your company, as a manufacturer, are actually not in the front end, where your payroll and finance and bank accounts are. But it's in the backend where all that process technology is. And many companies are not protecting them because they don't understand that the risk is there. And so that's where people are coming in. And taking intellectual property of one form or another be that machine set up by data, process technology in terms of what you're doing to assemble those products. And that's why it's open, because there's not many people with that sort of comprehensive cyber approach. That's, that's the subject of the attack. And that's where we're seeing more and more of it in manufacturing, the message we need to get out there. It's not just about protecting those front end systems, we have to have a comprehensive approach to cybersecurity in the manufacturing processes themselves. And that's why at the moment, we're pretty exposed. We've got brilliantly good innovative manufacturers in the country, who have lost significant parts of their business, because overseas actors, whether they're state actors or whatever, have come in and taken their process technology out of the manufacturing side and then set up a competitive manufacturing business. I mean, that's a tangible and real example of the risk of not covering the entire operation when you're a manufacturer. And that's why there's so many reports saying that the manufacturing sector is one of the most highly targeted, we need to make sure that we build that cyber resilience into those factories.
Tom Parker 12:38
The IBM Security X-Force report, released in February 2022, highlighted that manufacturing was the number one ransomware attack sector worldwide, falling victim to 23% of all attacks, attacks that were aimed at sabotaging the backbone of global supply chains.
Stephen Phipson 12:58
95% of manufacturers in this country are SMEs. So the larger companies have got a very important role to play to help educate and support those SMEs along the cyber resilience journey. And it's very pleasing to see that we do have some very good examples of world-leading approaches to the supply chain, where companies are, first of all, understanding their supply chain properly, which is always a challenge if you're in a large complex organisation, but then rolling out schemes to help them along the journey. And I think that's why we need to see a lot of these companies try to help their smaller suppliers to build cyber resilience, which is absolutely vital.
13:36
Some breaking news in the last hour: one of the UK's biggest phone networks says it received a demand for money.
Tom Parker 13:42
In 2015 telecoms company suffered a cyber attack that put at risk the private data of their 4 million customers and were criticised at the time for poor handling of the attack,
13:54
Account information, credit card information, banking details that could be at risk.
Tom Parker 14:00
Many boards were left scratching their heads to discover that there was no dedicated chief information security officer. At the time of the breach, no one at C-level was accountable specifically for security, leaving then MD Dido Harding to face the music. So where or with whom does the responsibility lie for a company's cybersecurity?
Brian Holliday 14:27
It ultimately has to be with the board. The board needs to create a culture in which cyber risks are understood and policies and processes are therefore followed. And it's very much about culture, but then the controls that follow. Leadership is needed. Expertise is needed to help guide the board, and networks are needed because no company can do this in isolation. So I think this really is an ecosystem issue. Those experts need to benefit from training that comes about through, for example, becoming chartered information security managers, and those programmes help the experts in companies build business impact models and think about critical vulnerabilities and therefore the response mechanisms that companies need to put in place. So the board needs to sponsor that, it needs to invest in that, it needs to support its experts. And then it needs to work with agencies that can help make sure they're not acting in isolation.
Mitch Scherr 15:20
Cyber is not a technology issue. It's a business issue. It's Digital Stewardship. It's the transformation of cyber being viewed at a business level, and the impact to the business in all kinds of different areas, from the CFO's perspective, from HR's perspective, and it has to also run right up to the board and it has to be adopted at the C-suite issue. You cannot use ignorance as a defence. You cannot blame it on the CTO or the CIO any longer. What you have to do is take responsibility as the CEO of the risk that is impacted by your business by not having good cyber hygiene.
Tom Parker 16:00
In October 2021, the US held a forum with 30 countries to form a global counter ransomware initiative. The online meeting, hosted by the White House National Security Council, is the first significant step towards forging a unified defensive front and law enforcement collaboration on major cybersecurity issues. But are governments keeping pace with legislation and policy?
Mitch Scherr 16:28
I can refer to something that has already happened. In 1990 1992, corporate abuse was running amok. And it all culminated with Enron, in the United States, that compelled congressmen and senators Sarbanes and Oxley to actually pass legislation that put the burden of, let's say, responsibility on the C-suite. Because until then, everybody was doing whatever they wanted to do. All of a sudden, when that legislation came through, ignorance was no longer a defence, and the C-suite was responsible and could go to jail. Everybody got religion, real quickly. Now, unfortunately, from a legislative perspective, it takes an act of God to have a government try to pass legislation for a multitude of reasons. I believe that the impact can come from public private partnerships and with enterprises, because a large, let's say, entity or, let's say, a blue chip company that has a supply chain that is comprised of small and mid-sized businesses, they can change their policies fairly quickly, to address the cyber resilience areas, and the, let's say, impact of requiring the levels of hygiene. Now that can happen faster, and I think can have a greater impact as the governments are trying to figure out what they're trying to do.
Brian Holliday 18:00
Governments are almost certainly always going to lag in legislation, what's happening in the tech space, and cyber threats grow as we grow our use of technology. So that I don't think in itself is a surprise. So I think we've got to look increasingly to those security agencies that are there to be experts and who aid us as consumers and companies. In this case, for example, National Cyber Security Centre being a front end for GCHQ here, set up with this purpose. But it strikes me that even from off my holiday I read recently Nicole Perlroth's book, This Is How They Tell Me the World Ends, and the Business Book of the Year for 2021. But that illustrated to me just how governments have always lagged in legislative terms, the threat that's been there, really since the birth of connected computers and the internet. So I see that this is probably not going to change. This isn't all on the government, but they do have the power to convene. And sometimes I think they undervalue this in terms of bringing together the agencies with companies and actually the skills bodies that are necessary as part response to this. So yes, we need the agencies, we need them to be well funded, we need awareness, and you know, government strategies and white papers help. But convening around what we need to do to help keep our companies and consumers safe is incredibly important.
Tom Parker 19:21
What needs to happen in cybersecurity in the next five years, what do countries and companies need to do to maintain a safe cyberspace?
Brian Holliday 19:31
First of all, I think there is no silver bullet for cyber. It depends on factors associated with the technology types, you're using your business field, the level of threat and building appropriate response. But actually, secondly, I think manufacturing in particular, or companies needed to build awareness. It's very clear you cannot expect to operate systems in the future without knowledge of the threat vectors that are likely increasingly to impact you. Thirdly, I would say it is important that you build skills inside the organisation and connections out so that you have the built in ability to respond. You build processes that mean that your response is something that you can keep up to date as threat vectors change. And then finally, I think, why not think about turning cyber into an increasing competitive advantage. That sense that actually you're building trust in what you do for your customers to recognise that you are robust, resilient, and knowledgeable on cyber, you know, what you're doing, and your processes reflect the fact that you are able to respond as threats to change and develop. And I think I would just add that something incredibly important for the future is building even more capacity into the UK skills base for cyber. There should be a dose of cyber with everything that we do. So if you imagine in apprenticeships and degree apprenticeships and undergraduate programmes, we've got to think about exploiting the power of data more. And rather than having perhaps single discipline degree types in engineering, you know, we can have mechanical and electrical and software engineering degrees, but let's make sure cyber sits with that. And actually, we raise the general level of skill base that we've got in the UK as well as building a growing number of specialists that we know were to need, if indeed, cyber is increasingly being used as an offensive tool against UK interests. 
So next five years, there is going to be growing awareness of the cyber threat. I think we will see growing adoption of cyber technology.
Stephen Phipson 21:33
I think it's about awareness over the next five years. And I think what we'll find is much greater awareness. If you look at most of the cyber breaches that happen in organisations, the most of them are due to human factors, they're not due to technology, they're something like 70 plus percent are due to the way people are operating their business, the way people are managing their day to day activities are allowing people in so I think what we'll see, over the next five years, particularly as we see more and more of this complex geopolitical situation, is a much greater awareness, and a much greater hunger for people to live under to understand how they operate in a cyber safe environment, that's going to be critical. So we're gonna see that awareness increasing. I think the future for me is around, first of all, getting as many manufacturers in the UK on that digital journey. So we need to digitise a lot more than we are. At the moment, the fourth industrial revolution, we're right in the middle of it. Now, we have most of our large companies actually working very hard on the transformation. We need to see that whole supply chain, the 95% of the SMEs in the country, getting onto that journey, and that will happen, I think exponentially over the next five years. As that happens, we need to be rolling out really robust cyber solutions for manufacturing and not just for the front end of the business, not just for the financial systems in a business. But to cover the IP and process technology that is absolutely vital to make you a competitive manufacturer, you need a very strong manufacturing sector absolutely vital to the UK economy, just over 50% of our exports are manufactured goods. And I think over the next five years, those two things are going the next five exponentially, I can go to the situation
Mitch Scherr 23:15
paint the picture of fear and complete disruption. Because unfortunately, isn't going to get better unless we adopt different ways of looking at this. And so you can paint that picture. I sometimes don't really like to play on the fear aspect, because I take
Stephen Phipson 23:36
a look at all the r&d investment in the country very favourably. You want to create the manufacturing sector and we index 5.7 about equity 30% above average wage, the cyber absolutely vital, because you could say just speaking, it's 10%. More
Mitch Scherr 23:55
on the Enterprise governments
Stephen Phipson 23:57
in their communities around it, or Bucha will account for only 25%.
Mitch Scherr 24:01
So there's already a disadvantage. So absolutely vital. Unfortunately, we take that into the mill, we have job specific things and understand that technology is not completely the answer. And it does have to involve, let's say Digital Stewardship and responsibility at the leadership level. And that it has to be viewed from a people perspective and an organisational perspective and a technology perspective, things aren't going to change. So that's one view. The second view which I like a little bit better is kind of like painting a picture of nirvana. And in the next five years, I believe, inherently, that people are good, and that there will be a world in which, in a way, the adoption of zero carbon and sustainability, which is an important part of the puzzle, is driving digital transformation. Digital Transformation is making it easier for us to do things that have a higher quality of life in all areas of health care, in your personal stay and travel and hospitality, more efficiencies in manufacturing and supply chain, that world of which we do embrace responsibility, Digital Stewardship could be amazing. We could have an Earth for our generations to come for our great great grandchildren. And we are able to transform safely, of which there isn't that concern. And that's the kind of way that I want to see in the next five years is the development of those dynamics that create just a better world for all of us.
Tom Parker 25:43
The bottom line here is that with the Fourth Industrial Revolution upon us, everything is becoming digitised. Companies, governments, and people want attacks that can cripple multinationals, rupture global supply chains, and bring countries to a standstill. It's the people that matter. Every day, the Internet of Things network will connect more and more non-business objects together. Even the most benign of household items like toasters, your fridge, or even a baby monitor. If it's living on your local network, it's a perfect platform for a hacker to infect, and then laterally move through the rest of the network. One casino in North America had data stolen from it via the thermometer in their fish tank. All these increased access points demand increased vigilance. But it demands something much simpler, that every company, every government and everybody take their place in cyberspace seriously. It is the next frontline. That's it for this episode of The Next Five podcast. Many thanks to Brian, Stephen and Mitch for talking with me today and to you for listening. For more information on the topics discussed and the sources used in the show, please check out the episode description. Take care and bye for now.