Cybersecurity - how are Directors managing their IT? Coffee chat session summary
During the second in ILA’s new Coffee Chat series, we focused on Cyber Security for Directors and their role in IT matters - a critical subject with most so many people remote working during the COVID-19 lockdowns.   
Host Monique Bachner was joined by two experts, Christophe Bianco and Carlos Alberto Silva, who shared opinions on cybersecurity in the context of the current Covid-19 pandemic.  Christophe has been based in Luxembourg for more than 20 years and is internationally active in cybersecurity services.  Carlos has over 20 years’ international technology, media and telecommunications experience including as an investor, and holds both executive and non-executive board positions in high growth technology and cybersecurity companies.  


Current cybersecurity and IT risks 

Is data more vulnerable? Is infrastructure currently more insecure?  Rather than seeing fundamental changes or increases in attacks, the experts noted new themes.  For example, there were many coronavirus-specific Phishing attacks based around the fact that people are constantly seeking updates and are more likely to be lured by anything “Covid”.  Fake news about Covid-19 abounds.  Criminals are registering domain names linked to the coronavirus theme, offering fake charities or fake sales of items such as face masks to encourage you to send money for products you will never receive.  

It was noted that companies busy managing their day-to-day activities in a time of crisis may not be paying sufficient attention to the increased cybersecurity threats arising from these exceptional circumstances.  A real issue is IT staff becoming too overstretched to deal with all of the current demands, leading to decreased vigilance.  If the company would also be hit by a large cyberattack, they will not have the ability to detect in a timely manner or to cope with both the attack and the usual business needs.  

Directors can update themselves on such threats as sites such as www.securitymadein.luwww.c-3.lu and www.bee-secure.lu - the main online sources for cybersecurity in Luxembourg.  Directors are encouraged to subscribe to their mailing lists to receive important updates, as well as invitations to topical events.  The overall message was to be careful and remain vigilant - don’t click anything you are not sure of, and if in doubt, ask someone! 

“WFH” - working from home

Whilst many Non-Executive Directors may be used to WFH, most would not have been doing this full-time, nor with their entire family also at home.  Confidentiality still needs to be considered. 

With all meetings taking place virtually, providers such as Zoom having seen the incredible increases of over 200 million new users over a matter of weeks.  As a result, Zoom has received more attention and various issues raised – they have patched various issues, however whichever service you are using you should be aware of who is joining your call and avoid accepting anonymous participants.  Where highly sensitive corporate information is shared, Directors might consider alternatives such as WebEx or Microsoft Teams.  However, it would be wrong to think that any system is 100% secure – check terms & conditions, and consider the provider’s approach to patching and updating where issues arise.

It is important also for Directors to consider the psychology of being at home, and not to mix up personal and business habits.  Try not to be tempted to click on websites or applications that you would not normally click on in the office.  Always go to trusted websites for reliable information.   

The Boards’ role in business continuity in relation to IT

How might business continuity be impacted by IT matters?  This is a question every Board should be asking.  Boards must ensure businesses are coping with new challenges arising from WFH as well as from other aspects of the current crisis.  

Pre-Covid-19, not all of Luxembourg’s financial centre was authorised or had the mind-set to allow WFH, so for some arranging this was now a challenge.  Christophe told us that some companies had more or less overnight to change their entire BCP and order new equipment as these generally assumed if the office was not available then the back-up site would be used.  CSSF compliance, internal policies and overcoming internal systems constraints all needed to be considered, whilst also ensuring a smooth WFH for the entire workforce.  This has put enormous pressure on IT systems not built with this in mind.  “Previously”, he added, “you had maybe 5-10% of the population who might work from home.  The infrastructure simply was not there for companies to allow 100% WFH.  Some private banks just simply don’t allow it.”  Faced with this new paradigm, logistics of ordering new equipment from laptops to core systems components required to allow remote access.  Christophe noted that not all had this in place yet.  The good news is that with substantial investments being made in infrastructure updates, some of the newly adopted practices will be well-placed to continue post-crisis. 

Cybersecurity for remote users must be assessed, with their security properly verified and audited.  The CSSF has reminded regulated entities that restricted access is required for sensitive systems.  

Directors need to ask be asking more questions at board meetings, and ensure they receive satisfactory answers.   The European Central Bank, for example, has requested weekly reports with statistics and measures taken to ensure adequate cyber compliance.  

Business continuity fundamentally relies of IT continuity, so Boards must make this their business, and where necessary increase resourcing for the IT providers.  Boards may also need to request third parties be engaged to conduct cybersecurity assessments.  A key unknown is how long the crisis will continue., and that will affect planning.  More intensive contact with companies might be required by Directors – even weekly meetings in some cases.  

In all cases, Directors should be asking more questions.  

Example may include:

• how the company’s systems are coping?

• how are IT staff and helpdesks coping? 

• have updated guidelines been issued to employees to ensure appropriate use and behaviour?  

• Is systems access appropriately graded and controlled?

• Is there a have a clear procedure to follow in case of security incident?    Does everyone know it?  

• Request some form of incident reporting, or reports with statistics

• Ask: How might business continuity be impacted by IT matters?  


Directors and their own IT set-ups 

It was noted Non-executive directors (NEDs) tend to already be nomadic – working from home, office, or travels.  They have their own devices and are expected to ensure these are maintained.  Regardless of how they are organised, all Directors must ensure their devices are properly protected, strong passwords used (and regularly changed) and applications kept up-to-date.  Passwords should not be re-used, with password managers helpful to keep track of multiple passwords. “Two Factor Identification” (2FA) should be always enabled for additional protection.

If NEDs are not IT literate, they should seek help to ensure proper cyber hygiene.  In the absence of one’s usual IT assistance, WFH may mean tech-savvy teenagers are onsite who can help, or most items can be learned through online searches, and YouTube videos providing step-by-step instructions.  A poll showed most participants thought their mandate companies should be offering assistance to NEDs regarding IT and cyber matters.  Many felt more work was needed to improve their own practices. 

Not all Directors have (or require) IT support, however obtaining replacement computers or getting hold of appropriate support may currently be more difficult than usual.  Adequate bandwith, regular backups and multiple devices can all help to ensure the Director can keep working.

Have an anti-virus installed, and make sure it runs and updates itself.  An online search for reviews will help see which one suits best, but the main message was that it must be used and kept updated.  

Regarding encryption, a distinction was made between:

(i) encryption of data on devices (noting lost or stolen devices being a lower risk whilst stuck at home), and 
(ii) encryption of information sent between devices and remote systems.  For the latter, a VPN was recommended – a kind of “secure pipe” between you and your company for sending documents.  Many Directors will be familiar with examples such as ShareFile or their Board portal where they log on and upload/download documents to avoid using email.  Free personal email services like free Gmail/Hotmail accounts should never be used to send or receive sensitive data – keep to the corporate accounts and make sure all sensitive documents are password protected.  

It was noted that tablets tend to have fewer security weaknesses than PCs.  But don’t forget to wipe the device when no longer required and ensure all documents have been deleted.  

Also be careful on instant messaging applications like WhatsApp or Slack as 100% security cannot be guaranteed.  These are great tools for communications and quick exchanges – often acting as the office “water cooler” and for wider collaboration, and for less sensitive matters.  If asked to send a sensitive document on via such a platforms, first ask why as these should only be shared via your agreed secure portal.  

In general, Directors should be wary of free applications, and of course watch out for phone calls from “Microsoft”, “Apple” or your bank – these will not be calling you, rather it is fraudsters wanting to access to your data.  If anyone calls, don’t provide details, but call back on the company’s usual number and request your usual contact – do not call any new number the caller gave.  

In summary, some of the tips for a Director’s own IT included: try to split personal from work computers, and don’t forget to run your back-ups

• take care of where sensitive documents are saved, who has access to them and take care how these documents are sent

• encrypt sensitive data and documents e.g. via password protection

• be wary of free applications

• practise good cyber hygiene (strong passwords which are not re-used, 2FA, anti-virus programmes, VPNs, and keeping everything updated), 

• look out for phishing emails (currently on the “Covid” subjects in particular) 

• only rely on trusted websites for information

There may be legal and/or regulatory consequences of breaches - or even worse, business failure.  Take as much care in the cyber world as you would in the physical world.  Use common sense - your liability as a Director and the success of your companies may depend on it.  

If you are worried you may have been subject to a cyber attack, then reach out for help.  


Further resources:

Platforms to notify when facing a cyber incident (Fr and Lux)

https://www.bee-secure.lu/fr/

https://www.cybermalveillance.gouv.fr

Recommendations from Authorities on WFH in this current time

https://www.europol.europa.eu/staying-safe-during-covid-19-what-you-need-to-know

https://www.enisa.europa.eu/tips-for-cybersecurity-when-working-from-home

https://securitymadein.lu/news/covid-19-safety-and-cybersecurity-can-go-hand-in-hand/

Managing the Cyber Risks of Remote Work

https://www.bcg.com/publications/2020/covid-remote-work-cyber-security.aspx

Links to tools for personal security

Considerations for Antivirus programmes

https://www.itproportal.com/guides/the-best-antivirus-software/

Considerations for password vault managers

https://www.cnet.com/how-to/best-password-manager-for-2020/


Topics for Boards of Investment Fund Managers and Investment Funds to consider during the Coronavirus (Covid-19) disruption