Jon [00:00:03] Hello and welcome to The Loop, where we untangle today's business issues by throwing real life scenarios at a panel of experts and asking them to deliver practical advice on how to tackle current business issues. In this episode, we're exploring the art of cyber security. Now, we've heard a lot about digital transformation over the past 18 months and how the coronavirus has accelerated investments in all things digital. But we're also increasingly seeing examples of cyber attacks on firms across the UK. So what does this mean for businesses? What do these threats mean for companies across the UK? And how can companies use effective and robust cyber security to protect themselves? Here to answer those questions, we have four excellent guests. Sheila Pancholi is Technology Risk Assurance partner at RSM. Chris Knowles is Chief Digital Officer, also at RSM. Richard Card is Chief Information Officer at Savills and Lee Cowie is Chief Technology Officer for Merlin Entertainments. Thank you for joining us all and welcome to The Loop.
All other speakers [00:01:13] Great to be here.
Jon [00:01:14] Thanks. Well, it's fantastic to have you all here. Before we kick things off properly, it'd be great to hear a little bit more from each of you about your role and particularly about your role within cyber security. So, Sheila, I'm going to come to you first. Introduce yourself, please.
Sheila [00:01:29] Hi, Jon. As you say, I'm a technology risk assurance partner at RSM. I work with clients of all sizes across all sectors, helping them to think about the growing number of challenges that businesses are faced with when it comes to technology risk. Clearly, cyber security and data privacy are growing risks, they're not going to go away. And it's really thinking about how pragmatic and practical we can be with our solutions in terms of helping clients to understand those risks, but manage them effectively as well.
Jon [00:02:02] And Chris, you also have a key role at RSM, perhaps. Tell us a little bit more about that.
Chris [00:02:09] Sure. Well, I'm Chief Digital Officer for the firm, Jon, and that includes responsibility for all of our I.T., I.T. operations, digital strategy, but also, crucially, our cyber security arrangements. And I'll be completely open. That wasn't a particular aspect to the role that I particularly thought about before taking it on. So I wouldn't say it's been a baptism of fire because I certainly am aware of the challenges in this space. But in terms of getting to grips with how we manage those risks as a firm, that was a side of the job I hadn't especially thought about before taking it on.
Jon [00:02:40] Thank you, Chris. And Richard, just a little bit more about yourself, please.
Richard [00:02:44] Yeah, thanks, Jon. My name is Richard Card. I am Chief Information Officer at Savills. So I look after our EMEA region and I echo Chris's words very much from a moment ago. When I first took this role, it wasn't very much a cyber first in terms of things we needed to look at, but very much it is a very important part of our role now and a huge part of what we're doing. We're a massively diverse company, huge geographies and lots of different property services that we offer people. So our threat landscape has done nothing but expand during the pandemic, which has given us significant challenges. And it's kept it from.
Jon [00:03:28] And Lee, finally, over to you at Merlin, a word about your role.
Lee [00:03:32] Thanks, Jon. So my name's Lee Cowie. I'm the Chief Technology Officer at Merlin. Many people may not have heard of Merlin, but Merlin is actually the world's second largest location based entertainment company and we're spread out over more than 130 attractions in more than 20 countries actually, and operate some brands that you will be familiar with, such as Legoland, Alton Towers, Madame Tussauds, Sea Life Centre and the Dungeons. My role is, I'm accountable for all of the technology within Merlin, of which cyber security is an increasingly important part. And I think as my colleagues on the panel have alluded to, I think many people take the top job thinking that their focus is all about cyber security, but you can't separate cyber security from the notion of doing business. It's like yin and yang. Particularly as we are connecting more people, more systems, and we're living in an ever more digital age. It really now is probably one of the most important moments of leading a technology function.
Jon [00:04:42] Well you are all perfectly qualified, certainly for the subject that we're discussing in this edition of The Loop. The aim of The Loop is to help middle market businesses untangle today's business issues. We're going to do this by setting you what we call The Loop Challenge. I'm going to talk you through a couple of real life business scenarios and we'd like you to give us some practical advice on how you would tackle each of those scenarios. So before we jump in, first of all, do you accept the challenge?
All other speakers [00:05:14] Yes Jon. Yes, I do.
Jon [00:05:15] And that's what we like. Absolutely full hearted. Well, let's jump in, let's start with our first scenario. You've recently started a new role as chief technology officer for a well-known business. After many years of neglecting investment, the business has decided to invest in technology and digitalisation across all its operations. And you've had sign off now for a new digital transformation project which will help move the business forward. All the information collected on your employees, customers and partners will now be kept in a cloud based platform provided by a third party service provider. But in the last week, you've discovered a data breach, and it occurred just before you were appointed to the role. So you're struggling now to find out what exactly happened, why it happened and what measures have been implemented to stop it from happening again. So things are occurring before you've even arrived. Sheila, I'll come to you first. What would your immediate response to that be? What would your approach be?
Sheila [00:06:19] I think for me, Jon, it's about, actually, has that attack been contained? Has it been closed down completely? Because, you know, more often than not we go out to help clients, in effect, with the incident management side of an incident. And it's almost post recovery and they feel as if things have been done and there's been a mini investigation maybe, things have started to be deleted and it's almost as if, we're okay, we're in a good place now. But I think that containment piece is really, really important. A thorough investigation. Don't delete anything, because actually you need everything to do a forensic investigation to really understand what was the root cause, where did the attack happen from? And actually, has it been fully contained?
Jon [00:07:07] There's a bit of CSI here then, the crime scene needs to be preserved.
Sheila [00:07:11] Yeah, absolutely. Yeah. Preservation is really, really important, Jon, particularly if you want to try and get back to the root cause. And also if you're going to have to put new defences in place, for example, knowing where that attack came from, its origin, having as much information as possible to do that.
Jon [00:07:28] And Chris, what would you add to that?
Chris [00:07:30] I think just reflecting on the fact that we're a week into this role, Jon, the first thing I'll be trying to find out will be what's the incident response protocol in this organisation? If there is one, let's hope there is, because so many organisations scrabble around figuring out, well, who do we need to notify? Who's in the comms loop on this one? What's the escalation path? And Sheila is quite right that priority number one is containing it. But really, I think priority number two, as you go through that containment, is just figuring out who needs to know.
Jon [00:07:58] Talk me through that protocol a bit more.
Sheila [00:08:00] We see varying types of procedures in organisations actually. We see the lack of incident response procedures and processes more than we actually see what I would call an incident playbook, which in effect is almost like a step by step guide. If this happens, what do we do and how do we deal with it? And it takes you through the lines of responsibility and accountability. Who's going to be responsible for PR? Who's going to be responsible for informing the regulator?
Lee [00:08:29] I think there's a really interesting point you raised there, Sheila, about the value of playbooks. It's a standard tool, is that you rehearse these things, you think about it. But I think the key word there, and in this scenario that perhaps makes it difficult, is that they're really only any good if you actually practise them and you rehearse them and you find out where they work and where they don't work. And I think interestingly, coming into this job, you don't have to make some pretty brave decisions if your first week is faced with a cyber security challenge. So I think you do need to go to the playbook, I think it's there, but you also need to look at, you know, the rest of your team. You need to look at who's on the pitch with you. Have they rehearsed cyber security before? Have they not? What's their maturity, what's their capability? And I think as well, because in this case it's a third party platform, what are their credentials? What's their capability? Do they have a cyber book? And I think, you know, I mean, I'm looking at this job thinking, um, maybe not.
Chris [00:09:32] Maybe not here for the long term.
Richard [00:09:33] I was just thinking here, after the first week, if this is the first time you've heard about it, you might want to consider finding a different job. But I think just from my point of view, I agree with all the points, as the panel has already said. In this scenario, it's very tempting to start shutting things down, panicking slightly, but really finding out your internal capabilities from a technical standpoint, because then you can have a think about what you're going to need to find in terms of a third party, because, you know, everyone needs help in some of these scenarios. So be ready to do that, but identify what you have within your skillset first. I think that's quite key.
Jon [00:10:12] And Lee, you, obviously working for a large international organisation like Merlin, have the infrastructure there to help. But again, were this a midsize business, how quickly do you think you need to be moving? How important is it, those first few decisions that you make and how quickly they're made, in order to resolve a situation as best as possible?
Lee [00:10:31] Pace is really important, but measured pace. I think it would be really easy to come into a situation and make it worse. Come in panicking, for whatever reason, being overly vocal about it, being overly direct, and the reality, I think, is that the response to a cyber threat needs to be a team effort. It can't be an individual, and there's a huge amount of culture that's really important in responding to a cyber threat.
Jon [00:11:04] And that's a fascinating point that you raise around the decisions that you make could actually escalate the situation rather than repair it. Expand on that a little bit more. What, theoretically, might you do that could perhaps make things worse?
Lee [00:11:20] So Sheila made a really good point at the beginning around, you know, there needs to be a follow up. There needs to be order. There needs to be some sort of CSI involved and you can come in and stamp all over the evidence. But of course, when you're facing up to a cyber threat, probably the last thing in your mind is, am I smudging a few fingerprints or am I kind of, you know, preventing the investigation and finding out what happened? But let's say you're faced with a cyber attack, that you've lost data and it's a really important operational system. It's underpinning your business. You've got a choice. One of the options you could take is turn the system off. But then are you doing a disservice to the business? Are you taking away what is actually keeping the business going when in fact the cyber threat might be important, but it may not be catastrophic? It may be containable.
Sheila [00:12:07] I think you're raising a really good point as well there Lee. What you're touching on is that business impact analysis part of, you know, what generally used to sit under another procedure, which was more around business continuity planning. But what we've seen is incident management, crisis management, I.T. disaster recovery, data breach recovery. It's all sort of merging together now. And there needs to be that connection between everything.
Lee [00:12:32] And I think that's largely because businesses these days are so digital.
Sheila [00:12:35] Absolutely.
Lee [00:12:36] Because it is so dependent upon technology. Technology isn't a back office function.
Sheila [00:12:39] Yeah.
Lee [00:12:40] In many industries it is the business and decisions you can make. You know, if you're turning off a system, there may not be manual workarounds. There may not be a way that the business can operate. If you're turning off one of their core systems, you need to consider the business impact of the decisions that you're making.
Sheila [00:12:57] Yeah, yeah. And Jon, you mentioned about, you know, who do we bring in? And I think, Richard, you'd sort of said, I'll go to my legal counsel again. Ordinarily, there is somebody who is a data protection officer or a designated data protection officer. You might have even outsourced that function if you're a middle market business. At some point, depending on the nature of the data that's been lost and the volume, again, that's got to be risk assessed. And, you know, it's ordinarily that individual who should be in that process risk assessing. Do we need to do anything else? Do we need to let, you know, employees know, customers know? Do we need to let the ICO or the FCA or any other regulator know?
Richard [00:13:39] And that's hugely important, that role, because not only is there the technical, you know, the kind of bits and bytes in the background as you're unpicking everything and doing that forensic part. Having someone there that's got a clear, measured head from a PR standpoint is incredibly important, as we've seen with many public cases in the past where people have, you know, shared a little bit too much, too early and that can be very damaging. So it's certainly something you have to think about as it unfolds.
Jon [00:14:05] As the chief technology officer in this scenario, obviously, those within the business will be looking to you for answers. But just building on what you said there, Richard, the reputational risk that comes with this as well: not only do we have the financial implications, but the reputational side of it as well. How heavily does that weigh on the decisions that you make at an early stage as to how you deal with this? Because, you know, we've seen so many stories of businesses negatively impacted, TalkTalk, TSB, just to name a couple, and no business wants to be the next.
Richard [00:14:36] I think it's hugely important to us internally and it should be to any company. I think, um, you know, no one should be embarrassed about having a cyber breach, you know, a problem around cyber in this day and age, as we see some huge names out there along with a lot of small names. But, in a scenario such as this one, I would be very tempted to keep it pretty tight lipped until we were, you know, probably two or three days down the line and had some really good technical detail on what we thought the problem was. And generally just go with a holding statement to say, yes, we have an issue, we have fantastic procedures and great third parties that are helping us deal with that, and we will let you know as soon as we possibly can. That's pretty much all you can do, I think.
Jon [00:15:19] And Lee, just thinking about the next stage here, you've dealt with the immediate onset of the crisis, what are the next stages one might expect?
Lee [00:15:32] There's a real need to learn something from this event. And that covers a couple of things, I think. One is, you've got to make pretty certain it doesn't happen again. So what caused it? Why did it happen? Who were the key players? Who was involved? You know, what could have been done differently? Everything that goes wrong is an opportunity to learn and that needs to get fed back into the cyber playbook. You also need to understand, you know, what is the organisational damage? You know, as Richard said, there may be a comms plan that needs to come into place. And if it's been a particularly high profile one, you've got to rely on your PR teams, your media comms teams to help you out with that, because there's two fronts. There's the outward front and then there's the inward. We've got to learn. We've got to prevent it happening again. We've got to update our procedures, our policies.
Chris [00:16:23] Yeah. And I do think that beyond the initial containment of the data breach and just dealing with the full fallout of that, then you move into reputation management. And we've seen some really interesting high profile examples recently, both good and bad, of that. I've seen some great examples of firms, you know, in the legal sector recently that suffered a data breach. But actually the way they responded was really proactive. As Richard was saying, you know, they didn't try to deny it. They owned up to it. They explained carefully the impact. And then they were saying, look, these are the steps we put in place to manage it again. And actually, it was quite low down on the news agenda as a result.
Lee [00:16:58] I think that's a really important point there you raised, Chris. I think increasingly I've observed in the press a huge sensationalisation of cyber crime. And you kind of get this James Bond villain stuck in a lair somewhere with that kind of organised state terrorism. There probably is that, but there's an equal number of threats that aren't organised crime. They're opportunistic, but there's a huge sensationalism to it. And I think that creates pressure on executives that executives really need to manage well, because it's really important that your team feel part of a safe organisation and that, you know, if your first response is to hang somebody out to dry, chances are they're going to try and hide their skeletons from you. And as a CTO, as a CIO, you really do want to know where the skeletons are, and the people that know where they are, are your team. And so if they're constantly living in fear of your judgement on them, chances are they're not going to come forward and you're going to be living with more threats than you otherwise would be.
Jon [00:17:55] A very, very interesting point you raised there, Lee. Richard, I'll put it to you. How good do you think companies are at acting in just the way that Lee was suggesting?
Richard [00:18:07] I think there's a massive variety out there, Jon, to be honest. And I think in this scenario, coming back to Lee's point, which is a fantastic one, this is an opportunity to increase the maturity of that organisation. You know, learn about all of the things we've spoken about now, certainly not hang out to dry individuals that have made an honest mistake, because as Lee quite rightly says, you know, we all make mistakes and it's about learning from them. And actually the fact of making those mistakes in the first place gives us the opportunity to maybe zero in on what was already a vulnerability that was sitting there anyway.
Jon [00:18:42] Would you still go for this job? You know, given the circumstances, would you be running a mile now?
Lee [00:18:47] I'd want to check the contract, that's for sure.
Richard [00:18:49] I'd be on a plane somewhere if I was allowed to.
Jon [00:18:52] Yeah, the ink hasn't quite dried yet, so you might be OK, but great. Well, I want to have a chance to put another scenario to you. Our second Loop Challenge, a slightly different scenario, but one that I think opens up again some interesting possibilities. So, again, you're the chief technology officer for a business, but you've been in the role for a while and you haven't had the problem that we've just been describing. It wasn't suddenly thrown at you. The business has progressed well with its digital transformation. Your business has recently invested heavily in a new company website. Many of the staff, including yourself, have profile pages on the website that describe your education, your expertise, career history and a bit of personal information as well that describes the kind of people you are, makes you as a business more approachable, more human. And these pages include some basic contact details as well. And your senior executives, the people that you work with, are big fans of social media, I don't know if that's a good or a bad thing when it comes to a CEO. But your senior executives are, and they like to share what they're doing, both in and outside of the workplace, on various social media platforms. So you get an email. It's an email from your CEO. You notice it looks like it's from their personal email and contains a link to something that they want you to read. Just a link. What are you going to do with that email? I'm going to come to you first on this one, Richard.
Richard [00:20:17] Well, Jon, this very much smells of a phishing or whaling attack straight away. Lately I've witnessed exactly this within Savills and I think if you speak around the panel, most other people have as well. What do you do? You make sure that no one clicks on the link, that's the obvious one. If it's coming in via a mobile provider, there is pretty much nothing you can do around kind of chasing down, you know, the person sending it. For us it's about the education piece, this is, you know, we are not going to stop whaling attacks, we're not going to stop phishing attacks out there. What we are going to stop, or what we'd like to stop, is people actually being taken in by them.
Jon [00:20:58] But the email's from the CEO, it's from the boss. And so there is a pressure there, isn't there? How do we deal with that? That's about education, I guess, and about experience.
Chris [00:21:08] It really is. And this is where staff training is so important and it's one of the key defences, as I'm sure Sheila would agree from her clients. And what I'd also say is, I know the scenario talks about it being from the CEO's personal account, it could just as easily be from their corporate account, because that level of sophistication of phishing and whaling is really getting there. And sometimes they'll even go so far as to watch the tone of voice that the CEO or whoever is using. So that it almost sounds like, you know, and there's been instances where someone's received an email from someone asking for you to send them some data, because that's the other scenario here. I know in this scenario it's about clicking on something, but the email could be without attachment, but it could be asking you to send something. And that's where it's really about, look, does this feel right? Does this smell right? And there's no substitute for training there, because if there's no attachment, then no antivirus software in the world is going to pick that up.
Lee [00:22:02] I think training's really important, though, Chris, because everyone thinks they're never going to fall for it. Everybody thinks, how would I fall for that? Of course I'd see it, but people do. And you'd be surprised how many people do, and I think one of the best tools actually companies have to condition people is try and phish your own team. Do it in a safe way, but simulate a phishing attack and see how many people do actually fall for it. And you'd be really surprised how many people actually do.
Jon [00:22:33] Sheila, at RSM, is that the kind of thing that you do for clients, the simulated approach to the kind of challenges that they face?
Sheila [00:22:43] Yeah, absolutely, Jon. I think what the team have been talking about is different aspects of social engineering. So, you know, phishing, whaling, you know, even tailgating into buildings, bin dipping. You know, there's all sorts of things, there's vishing, there's all sorts of things we can talk about.
Jon [00:22:59] Vishing? Just explain that one a bit more.
Sheila [00:23:00] Yeah. Yeah. So, you know, it's again a type of phishing, but it's very virtual in nature. So, you know, again, sort of targeting more social media types of accounts and, you know, there's a whole host of these different types of attacks out there. I think that's the thing to be aware of. You don't necessarily need to know the technical terminology. It's about the awareness that's really important and actually the culture of the organisation in terms of that awareness, the training, the education, it has to be driven top down. And if we've got a team of senior executives who are sitting there who sort of understand cyber, don't really understand what the cyber threat landscape is and thinking, well, I've got an I.T. team and they can go away and sort of deal with this for us, I'm afraid that culture is not going to permeate down to the level that you need it to be, right from the top, right down to the bottom, because cyber criminals are really, really clever. You know, they will profile individuals right across your organisation and they're always looking for the weakest link. And that weakest link could be at any layer in your organisation. So, you know, tone from the top. Accountability actually sits with the chief exec for cyber. So, you know, you might have the most wonderful IT team, you know, with some great CTOs and CIOs leading these teams. But when there is a big data breach or cyber attack, I'm afraid it's the CEO that's going to get dragged onto the TV to explain what happened.
Jon [00:24:24] We've spoken a lot about the risks here, the challenges, the problems. Are there any reasons to be optimistic? I'm going to come to you first on this Lee. Can we be optimistic amid all of this?
Lee [00:24:36] Well, I'm generally optimistic about most things, but I do think, yes, we can and we absolutely should. I mean, the increased attention to this is actually a good thing, because industry as a whole needs to respond and is responding. And as quickly as cyber criminals innovate, so do those people that are defending against it. And I think collectively the bar is getting raised and it's getting raised more quickly than it has in the past because it is now such a hot topic and people are talking about it. It's never going away. This, to coin a phrase, is the new normal and it will be a constant cat and mouse game between cyber criminals and cyber defenders. And I think businesses as a whole will need to adopt information security and cyber security practices as a core component of their operating model. It'll need to become a differentiator. It'll need to become a reason that companies succeed. And I think increasingly there's awareness at board level and beyond that this is something to take really seriously. So, yeah, I am hopeful.
Jon [00:25:51] And Richard, would you share Lee's cautious optimism?
Richard [00:25:54] 100 percent. And to add to Lee's comments, we're seeing clients now saying, you know, you need this level of maturity. You need to prove to us that you have these controls. You can recover from bad situations because they happen to all people. So I would absolutely echo Lee's point regarding the raising of the profile of this. I think it's a good thing in some ways. Also on another slight point, the tools that we have around us now that are readily available are so much better than they ever used to be. I mean, just to pick one example, just the fact that most people are running Office 365 in the cloud now, and pretty much all of the major corporate world has that application. And the sophistication behind it is really quite impressive. And this isn't something that you have to pay hundreds of thousands of pounds a year to achieve. You can achieve, you know, some good basic control just with the things that come out of the box. So I'd definitely have a look at your existing tooling and ask the vendors and say, look, you know, what else can you do to help us protect ourselves in this area? And I think that's a good thing.
Jon [00:27:04] I think some fascinating insights and thoughts from all of you. What we like to do, though, here on The Loop is finish with a top tip from each of our guests. So while we're still on that optimistic note, you can take it in any direction that you like. But we'd like your top single piece of advice that you would give to a middle market business when it comes to cyber security. Sheila, I'm going to come to you first.
Sheila [00:27:29] I think focus on the basics, core controls. You know, some of this is not new. Antivirus, patching, user education and awareness, policies and procedures. We're not talking about something that is earth shatteringly new here.
Jon [00:27:42] And, Chris?
Chris [00:27:43] I think for me, I would try to avoid treating information security in isolation from the rest of what you're doing around data governance and indeed staff training, because I think that's where it gets more interesting for our people. For example, we're trying to drive a big data literacy programme within RSM so that every one of our four thousand people understands the importance of data in the organisation, how to govern it, how to deliver insight from it. And if you build information security training into that wider, you know, skill set development, they'll see that kind of training as something that's good for their future careers rather than just a box ticking exercise: I've got to do the information security training again. If you make it part of something that's useful for their careers, I think then they're much more likely to engage with it and remember it.
Jon [00:28:31] And Richard, from your perspective, what would your single piece of advice be to that middle market company?
Richard [00:28:37] I think my single piece of advice, Jon, would be everyone needs a friend, I think, in this scenario. So third party relationships: find someone that can help you out, play through, you know, said scenarios, build a relationship with them, because if you're a middle market company, as we said earlier on, you're not going to have all the skills on the bench that you need. So find the skills out there, foster a good relationship with them and get ready to have to call them, you know, should the worst happen.
Jon [00:29:04] So cooperation, the name of the game here.
Richard [00:29:06] Absolutely.
Jon [00:29:07] And the final word to you, what would your piece of advice be?
Lee [00:29:11] Take Rich's advice. I mean, I think that's particularly salient and very important. I think the only thing that I would add to that is, stepping into this role, you know, spend some time finding your skeletons, but do it in a safe way. There will be something that's gone wrong in the organisation today. There'll be technical debt, there'll be things that people are probably hiding for fear of repercussions. Create an environment where those skeletons can be discussed and talked about and drawn out in a safe way. Culture is really important. I think your team are your best defence, but they could also be your biggest weakness if you don't get them onside and you don't get them working with you. So find your skeletons, but create a nice culture that allows them to expose them and talk about them in a safe way.
Jon [00:29:59] Well, it's been a fascinating discussion, but unfortunately, we are out of time. Lee, Richard, Chris, Sheila, thank you all very much indeed. And if you want to find out more about cyber security, then please have a look at RSM's most recent Cyber Security insights report. You can find it at rsmuk.com/real-economy/cybersecurity. Easier to say than perhaps to write down. We're always keen to hear your views, so please do rate us and leave a review. And to stay in The Loop, please subscribe to The Loop and listen to our next episode, where we'll untangle more of today's big business issues.