Cyber Hygiene is EVERYONES Priority, get with the Program or else.

Posted on May 13, 2017


So, the world woke up to a weekend of Cyber hurt that is going to rumble on for some time to come, that you can guarantee, as the Wannabe Ransomware attacks ravage the computer systems and networks of negligent owners.  Negligence is not too strong a word in this instance. Under the UK Companies Act 2006, as under many of its counterparts around the world, Directors of companies have a duty to keep themselves informed and to seek appropriate advice in the face of threats to their business. Whilst Boards of Directors are entitled to rely on others, this delegation comes with the responsibility of educated oversight. In this case a Board of Directors should hang their heads in shame if they seek any other heads to roll other than their own. Operating a business with computer systems and software that are not patched or out of vendor support lifecycle is simply inviting a disaster which will almost certainly turn up in one shape or another. As for reliance on the last resort, a business continuity plan, those seldom go to plan.

There is little ground for sympathy. It is not as if the writing has not been on the wall, for years! Ransomware and its Wannabe pedigree is written across the Internet in news articles going back years. Here in the UK the Hospitals that have headlined the impact, were repeatedly warned about poor Cyber Hygiene also going back years. What do you expect when you are still running operating systems that have been out of vendor support for years across 5% of your workstations, it only takes one.

In fairness, Governments around the world have been picking up pace on mandating awareness programs to foster a greater minimum Cyber Hygiene baseline business culture. In the UK, the Government has been leading by example to mandate a baseline Cyber Hygiene Certification program in its public-sector supply chain. However, any hope that setting an example would galvanise the wider business communities to get with the program has been forlorn. The complacency in businesses, particularly the Small Medium Enterprise (SME) sector is embarrassing. This is of particular concern when you consider that the SME sector represents over 80% of businesses and the backbone of economies in most countries, an Achilles heel I have flagged up many times. Any wonder that we are now seeing regulation like the EU General Data Protection Regulations (GDPR) appearing with eye watering fines. The only way this type of behaviour is going to be changed is through sanctions and business can only blame itself for not self-regulating when it had the chance.

The UK’s Cyber Essentials Program is one of the most mature of these programs. Lightweight and purposefully designed for the SME sector, it delivers real Cyber Hygiene benefits. It would almost certainly have helped reduce the impact of this recent attack. It was created out of the ‘Defence Cyber Protection Partnership’ (DCPP), a joint UK Ministry of Defence (MOD) / industry initiative to improve the protection of the defence supply chain from supply chain Cyber threats.  Cyber Essentials has been adopted as the basis of programs in Ireland and Canada and is likely to become a recognised benchmark for many more. The advantages of evolving off a common awareness scheme are obvious. ‘By Standing on the shoulders of giants do we get to see further’. So one can hope that the recent tender from another member of the Commonwealth, the Australian Government, will be paying attention. Then there is the USA, only last week its House of Representatives was calling for a Cyber awareness program for its SME’s based on their National Institute of Standards and Technology (NIST).

This is however not just a national responsibility. The big platform providers and service companies relationships which harvest billions from us for the products and services that we rely on in our day to day lives, demand a new age of responsibility. These big Brands need to apply a strategic thought process to how Cyber risks evolve bi-directionally within their supply chain and become accountable as the impact this WILL have also falls on us the customer, their data subjects.

The leaders of this pack should be the IT behemoths and the Insurance Industry that already know better. We should be worried, very worried as the sound of silence from those quarters are deafening. The UK Government identified the business opportunity for and role of the Insurance industry in leading the way on this back in March 2015 in their report ‘UK cyber security: the role of insurance’. So for Insurers they should be paying up without a squeak for being almost complicit in not getting on-board with the program and lounging in a Cyber Insurance soft market. This may see it start hardening, and not before time.

Supply chain principles should be falling over each other to embody into their engagement culture baseline Cyber Hygiene demands, not expectations. If there was any doubt before, it has been swept aside, this has become the most basic of measures for any responsible Board of Directors.  To demand proactively of their suppliers clear Certified proof of a minimum level of Cyber competency and continuous development of that practice in mutual defence of a Cyber threat environment that is simply getting worse. If a supplier cannot demonstrate this proof then what in all sensibility is a business doing trading with a loose cannon.

It is by harnessing a discipline driven by commercial economic imperatives (demonstrate Cyber Hygiene or you don’t get the contract) that can swing the tide in what many are calling World War III. It is only when we start pulling the economic leavers from our side of the battle lines that the threat actors are driven by on theirs that we will have any chance of winning this war. For now, we resemble a one-legged man in an arse kicking contest.