Cybersecurity responsibility should ultimately sit with the Board of Directors, and it’s great to see from a recent report that 54% of FTSE 350 Boards see cybersecurity as a top priority. However, concern doesn’t always turn into action and if you say cybersecurity is important, you need to do something about it.
Of course, this leaves 46% of Board members who don't see the issue as a top priority and, according to the same report, 68% of Board members have received ‘no training in order to deal with a cyber incident within their organisation’.
Gaining Board approval can often prove the stumbling block to improving security and getting buy-in to release the necessary resources can be difficult.
So, how do you achieve upper management security buy in? Well, there are many options. For example, network maps can help highlight security concerns, the latest security breach news is always a great education tool, and talking your Board through the consequences of an attack is always useful. However, we recently heard, from a FTSE100 company, about a novel approach that we thought we’d share with you.
The CEO dummy TV interview
No CEO wants to be on the TV explaining bad news. But that’s exactly what would happen if a serious breach was to occur. Your CEO would be up in front of the nation (as well any stakeholders!) explaining what happened, trying to allay customer fears, taking a grilling from reporters on the company’s security measures.
It’s never a great situation, but it can quickly become a horrorshow if your CEO can’t provide reassuring answers to those probing questions. So, that's exactly what the security team at the afore-mentioned company did. They set up a fake breach situation and, using questions typically asked after a real breach, they conducted a mock TV interview with their CEO.
The interview had the desired effect and the CEO realised that some of the answers wouldn’t stand up to this type of scrutiny, putting the company in an even worse PR position. This was enough to gain Board support and to release the funds to make the necessary security improvements.
We thought this was a great idea and a really useful exercise to undertake, not just from a security improvement point of view but from a crisis response perspective as well. So, if you’re considering this route, what questions would you ask your CEO? Let’s look at a recent real-life example.
Lessons from history: The TalkTalk experience
In 2014, the Telecommunication company TalkTalk was hit with not one, not two, but three separate cyber-attacks. The final attack resulted in 157,000 customers’ details being stolen, including bank account numbers, sort codes and dates of birth.
As you would expect, the breach was covered extensively by news media at the time and the then Chief Executive, Dido Harding, appeared on numerous live news broadcasts to explain the situation. She also faced interrogation regarding the security measures put in place and the company's response.
But what type of questions did the media ask? We’ve picked out a few from the footage:
- How many of your customers have been affected by the breach?
- Why did it take 36 hours to alert customers to the fact that their data may have been stolen?
- How much money have you allocated to your security budget this year?
- How much is this going to cost your company to rectify?
- What measures did you have in place to prevent such a breach?
- If you had encrypted customer data, surely you would have been able to say that your customers’ data was safe. So, was your data encrypted?
- In the wake of the attack how can people be sure the emails they get are actually from you and not a scammer?
- Would you admit your brand has been irreversibly damaged by this incident?
- What kind of compensation are you going to be offering to customers affected?
- Why should anyone trust you with their details in the future?
As you can see, TalkTalk was asked a variety of questions regarding the breach and widely criticised for their response to the incident. In the end the company lost £60m, as well as receiving the highest fine from the ICO for ‘failure to implement the most basic cybersecurity measures‘. But more than that, the brand’s reputation was damaged and in many people’s minds it has never truly recovered.
Improving security with Secarma
Secarma is dedicated to helping companies improve their security, offering an array of attack-minded penetration testing and red team services, to assess an organisation's security posture. Plus a range of consultancy services to help instil a security-first mindset. Whatever your situation, whatever your concerns, we’re here to help.