Cybersecurity rises up ESG agenda

As the reach of hackers extends, GPs are increasingly viewing strong cybersecurity as a critical pillar of responsible investing, writes Victoria Robson.

What’s the issue that most keeps chief finance officers and compliance executives awake at night? Cybersecurity and the worries about being hacked. “This is on the top of my list,” one finance chief told our 2017 CFO survey. “I am very concerned about phishing emails and other possible intrusions.”

Wanna Cry or not?

To guard against attacks, companies need to take a more proactive approach to testing for vulnerabilities

The WannaCry ransomware attack in May last year reportedly affected more than 300,000 computers running Microsoft Windows in 150 countries, including machines supporting critical services in National Health Service facilities. Taking the simple step of installing the Microsoft security update released two months earlier, which closed the Windows file-sharing (SMB) flaw the worm spread through, would have prevented infection. To guard themselves against increasingly virulent attacks, companies need to be vigilant, including taking the following steps:

1. View cybersecurity as a strategic issue

Cybersecurity is a business-wide concern, not just an IT one. Crosslake Technologies consultant Breen Liblong advocates establishing cybersecurity as a standing agenda item at board level. It is in the directors’ interests, he adds, as they could be held liable in the event of an attack. Alasdair Redmond, head of service delivery and technology at Intuitius, says: “If someone is appointed at the board [to take responsibility for cybersecurity] they start driving that culture throughout the organisation.”

2. Be aware of vulnerabilities

Whether the risk is phishing, denial of service, privilege misuse or point-of-sale intrusion, among a range of possible threats, businesses need to understand their weaknesses by undertaking a comprehensive security assessment. This covers testing of infrastructure, applications, and digital and network configuration, as well as penetration testing. “All companies should do a security assessment even if it is light touch,” says Karl Keyte, Crosslake Technologies senior consultant.

3. Establish an emergency response plan

This includes designating an emergency response team, monitoring and assessing the impact of an attack, taking remedial action, alerting staff about an incident and communicating externally, as well as conducting a root cause analysis, says Keyte.

4. Remember that testing is only the first step

Re-test appliances and software regularly, and review plans, including modelling, measurement points and intrusion detection systems. “Don’t do a security assessment, find a vulnerability and think you are done,” says Liblong.

5. Put awareness at top of agenda

All employees, from the chief information security officer down through the management chain, must be trained on cyber risks, best practice and procedures. “The human element is a significant factor in cyberattacks,” says Liblong.

6. Keep up to date with industry standards

“Organisations that have chosen to, or their customers have obliged them to, get certified are in the best shape,” says Keyte.