Prove you are
It’s not a question of
if, but when your organisation will be hit with a cyber-attack.
a work culture of cyber hygiene is important to reduce vulnerability, but
ultimately boards have to ensure their organisations are resilient. These
fundamentals were fleshed out in the "IT security, the risks, and the
board’s role & responsibilities" breakout session.
“To protect against
liability, as a corporate body must be able to provide evidence that you have
taken the threat of cybercrime seriously, debated this in the board with the
result of this risk being properly managed,” said Astrid Wagner, a partner with Arendt
& Medernach. This might start with the regulatory aspect, but should not
stop there. “Ultimately we are talking about resilience, because full
protection is impossible,” said panel moderator Najia Belbal, a member of the
ILA Executive Committee.
At least regulation
From GDPR to the coming Digital Operational Resources Act (DORA) and the second Network and Information Security directive, European regulators are setting benchmarks. Ms Wagner gave an overview of this landscape, including mentioning the five pillars of DORA: ICT risk management, ICT-related incident management, incident classification, reporting, and testing of digital operational resilience.
She also focused on the specific regulatory challenges the country faces. “The Luxembourg financial sector is particularly reliant on an outsourcing model, hence the importance of managing third-party ICT risk,” she noted. There has been increased focus on ensuring service providers have the necessary cyber resilience expertise and experience, and clients are increasingly sending out questionnaires as proof of best efforts.
An agenda must-have
“Yet regulatory box ticking should not be the primary aim of an organisation, but rather building an organisation that can respond effectively to cyber crises,” she said. “No company can afford to not address cybersecurity at all levels,” agreed Pascal Steichen, Chair of the European Cybersecurity Competence Centre Governing Board and CEO of the Luxembourg House of Cybersecurity. “Boards have to have cybersecurity on their agenda, and it’s not me telling you this but numerous global best practice reports, and it was one of the main topics at the World Economic Forum.”
Mr Steichen insisted that this is not a topic to be entrusted solely to the chief information security officer (CISO). He recommended that each company should have at least one or two members of the oversight or executive boards focus on that topic. “Beyond that, all key people should have a certain level of knowledge about the topic, just as they do about finance and the law,” he said.
As well, all staff should be engaged to build a security culture within the enterprise. ”Most of the attacks that we see today target humans, and these are increasingly sophisticated and tailored to be particularly persuasive and realistic,” he said.
Categorise risks and prepare
There is also a need to identify and categorise different risks to develop a risk appetite. Mr Steichen recommended independent audits to identify the nature of different vulnerabilities, with teams then able to focus on high-risk areas while accepting an element of lower risk elsewhere. “The investment required to mitigate all risks might be too high, so maybe investment into response capacity would give the minimum comfort required,” he said. “It's also a communication challenge, within the company, but also with providers, clients and regulators,” he said. Hence the importance of soft skills alongside technical know-how.
The starting point of a cyber security strategy is the ability to detect attacks and threats. “The main challenge is always monitoring,” said Yanniss Lervon, director of Change Digital, who gave some case studies of cyber-attacks, including one where the hacker had infiltrated the organisation two years previously before the main assault occurred.
Simulate to build effective teams
As well as training, Mr Steichen recommended having management teams and boards take simulation exercises to enable them to understand how they need to work and cooperate during an attack. “Such simulations help threats and vulnerabilities to be identified, and how teams should work together in times of crisis,” he said.
The state-backed House of Cybersecurity has “Room 42”, a simulation and exercise facility in which management teams can experience a mock cyber crisis. “It's not technical but is an immersive session, a stress test where you can understand what it is like to go through as many as 10-15 incidents,” said Mr Steichen. “The objective is to test your organisation’s limits and identify gaps into which you can build competence.”
He also spoke about the dedicated Incident Response Centre that can be called “like the fire service” during an incident. They can also offer advice outside of crisis periods, helping businesses make contacts to solve their unique cyber resilience challenges.
Luxembourg House of Cybersecurity
Arendt & Medernach