“You don't need to be a cybercrime expert to use the toolbox. You just need deep pockets.”
This is how Lord Jonathan Evans, former director general of the British Security Service, started his keynote address at Infrastructure Investor's Berlin Summit today – and how he warned investors that cyber risk is not a remote and abstract threat.
Many in his audience were probably aware of the danger, he acknowledged. Looking at the corporate sector more broadly, however, he warned that the implementation of mitigation plans lagged behind alleged ambitions.
“When I hear an executive saying they have it all sorted is when I know they're not quite getting it,” Evans said.
Threats were heightened in the case of infrastructure, he noted, because a lot of it is “quite old”. Retrofitting IT systems to take into account cyber risks that did not exist when they were first designed would be a costly and complex endeavour, he observed.
Given their strategic importance, infrastructure assets had proven to be ideal targets for states looking to weaken adversary nations by waging attacks in cyberspace.
But asset owners and their counterparties also had to prepare for attacks sponsored by non-state actors, with Evans adding that the essential nature of water systems, power grids and transport networks made those responsible for them vulnerable to blackmail by sophisticated cyber-criminals.
Armouring assets against hacking would require good intelligence both inside and outside companies on the cyber state of affairs. A number of trade bodies and government agencies, he noted, had good penetration within hacker networks, making them a useful port of call for operators to find out about imminent attacks against given targets.
He singled out collaboration between peers as key. “Most companies are not uniquely targeted. They're in the crosshairs because they are part of a given sector or a group of vulnerable entities,” Evans said.
Getting top management prepared was also seen as paramount. “In the event of an attack the issue will definitely land on the CEO's desk. So you need to train him through exercising the corporate response plan. You need to make this a muscle reflex for him.”
Mapping out risk appetite over a business' various units, unlocking adequate resources and benchmarking vulnerabilities externally rounded out his list of recommendations.