The cyber industry is awash with events and trade shows, but one that really made an impact on me was last week’s Wired Security 2017. This event brought together some of the most inspiring and influential thought leaders in the industry. They shared knowledge, provoked debate and discussed both abstract ideas and very real threats that will help us avoid myopic thinking as we pursue security in an era of cyber vulnerability.
Nominet was delighted to get involved, and I took part in a panel discussion that tried to answer the hypothetical question: “your company has been breached – now what?” And, just as important, how do you make sure you minimise the chances of it happening in the first place?
Wired are covering the discussion in a forthcoming issue. But it won’t be too much of a spoiler alert to say that along with fellow panellists Jim Wheeler, Angela Sasse and Allison Miller, we covered everything from whether insurance for cyber is worthwhile, how to create corporate ‘muscle memory’ through cyber drills, to using nudge theory to create a culture of security. We were in violent agreement about one thing – that preparation is crucial.
As a CEO, doing all you can to prepare for a cyber attack is as important as taking responsibility for the aftermath. Accepting the inevitability of a breach at some stage is a crucial first step, and Board directors have a fiduciary duty to do all they can to protect their business. This includes firm, thorough and careful plans to manage, mitigate and recover from an attack.
At Nominet, we work to create a culture of security, including the aforementioned nudge strategy: introducing changes in an incremental, unobtrusive way, rather than through seismic shifts, to keep staff on board and allow new procedures to be easily assimilated into daily operations.
I was struck by the discussion on the complicated issue of insurance against a cyber breach; specifically, is it worth the money spent? It’s a tricky question to answer. Businesses need to have a thorough understanding of the compliance required and know exactly what the entitlement might be. As Angela Sasse pointed out, you can bet the insurance firms have thought it through more carefully than you and you may find you are not entitled to the compensation you’d hoped.
Our panel formed just one part of a day filled with intriguing speakers. Dmitri Alperovitch from CrowdStrike discussed the different nation-states and the type and level of cyber threat they pose – he said it’s North Korea’s cyber capability that keeps him awake at night. We got some fascinating insights into Russian internet culture and the influence of the Kremlin from Red Web’s Andrei Soldatov. We also learnt from Charlie Winter, senior research fellow at ICSR, that IS has a centralised propaganda strategy and makes use of mobile app Telegram to deliver it.
Google’s Allison Miller made an interesting point in her keynote about considering language use when trying to persuade people to make the right choice in response to everyday cyber threats. Don’t make it too bland; if you have the actionable intelligence, give people more clarity on how they should respond.
The challenges of cyber security impact all society nationwide and could be seen as one of the most pressing issues of our time. In an industry in which the landscape is always changing, discussions and information sharing are pivotal in helping us all better protect ourselves and maintain the country’s status as a digital leader.