Security Panel – The Cybersecurity Show – S1Ep6 Part 2
NAYOKA OWARE [00:00:31] Hello and welcome to episode six of Security Panel. I am Nayoka Oware and today I am joined by an amazing guest by the name of Sandip Patel QC. He is a barrister and the chief legal adviser at OSP Cyber Academy. Welcome, Sandip. How are you?
SANDIP PATEL QC [00:00:47] Thank you. Very well. Thank you for having me.
NAYOKA OWARE [00:00:49] Good. I’m glad to hear that. Thank you for joining me now to talk a bit about yourself.
SANDIP PATEL QC [00:00:53] Right. I’m a barrister and I’m also head of the data protection team at Scarmans, which means that I do all things data protection, cybersecurity and so forth. I am also a cyber crime prosecutor. And in the past, I’ve been involved in some fascinating cases described in the popular media as the Facebook hacker, the boy who almost broke the Internet, according to The Washington Post. And I also was involved in the prosecution, for the first time, of members of Anonymous, the hacktivist organisation that targeted governments, government agencies and private organisations, including the FBI, the CIA, here the Serious Organised Crime Agency, PayPal, Visa. The list is endless.
NAYOKA OWARE [00:01:39] In light of the latest record fines handed out by the ICO due to data breaches at B.A. and Marriott, what are your thoughts on organisations’ current data management in general?
SANDIP PATEL QC [00:01:51] Right. That’s an interesting question. It reminds me of what my teacher used to put in my report: must try harder. And in my experience, and according to all the research, organisations must try harder. For example, SMEs: good research recently found that 66 percent of SMEs do think they’re open to a cyber attack. Now, that is just blinkered, in my view. Only 16 percent of those surveyed thought that cyber security should be a top priority. And 24 percent, so a quarter, thought that cyber security was too expensive. While twenty two percent, and this is the alarming figure in all of this, 22 percent didn’t know where to start.
NAYOKA OWARE [00:02:48] Surprising.
SANDIP PATEL QC [00:02:49] Well, yes. And so in my experience, my personal experience, organisations are still aware of the problem, but not acting upon that awareness, for the reasons shown by those facts and statistics I’ve just given to you. If 22 percent don’t know where to start, that’s almost a fifth of those surveyed. That’s a real problem.
NAYOKA OWARE [00:03:15] It’s an alarming problem. They don’t understand the importance.
SANDIP PATEL QC [00:03:19] Because there is plenty of knowledge out there and expertise for them to know about.
NAYOKA OWARE [00:03:26] Fair enough. What do you think are the key areas for success? Successful data breach management.
SANDIP PATEL QC [00:03:33] Right. First of all, a good incident response plan setting out who is involved in that response. So there should be a team already, and the team should obviously have someone who sits on the board or has access to the board. If the company has a CSO, that should be that person; obviously personnel, obviously internal lawyers, possibly external lawyers, and there should be clear lines of communication. And so people must know what they have to do when an incident arises. But according again to Grant Thornton, in a recent report that surveyed businesses, two thirds of the businesses interviewed did not have a board member responsible for cyber security. According to another survey, six out of 10 mid-market organisations, SMEs, didn’t have an IRP in place, which is quite startling when you think about it. Secondly, staff training is hugely important and effective in raising awareness and capability. It should be engaging, regular and ongoing. There should also be regular rehearsals. We have fire drills. Why do we have cyber incident drills? So people know what to do and what not to do in an incident, and in my experience such drills are hugely effective and substantially limit damage. Also knowing the supply chain. So knowing the organisation well: who has access to the organisation’s records and where are they recorded? And also asking your suppliers and partners what their systems are. You think it’s basic. But two thirds of respondents in a recent survey confessed that their supply chain partners had weaker cyber defences than the organisation itself. And then finally, cyber insurance. Most important, it should be tailored to the peculiarities of the organisation, and by the process of obtaining cyber insurance, organisations have already made an assessment of their cyber defences as to whether they are fit for purpose. So those would be my main takeaways, the key aspects of good data breach management.
NAYOKA OWARE [00:05:58] Okay. You mentioned that we have fire drills. We should have cyber security drills as well. Is that something you’ve incorporated in your company or implemented?
SANDIP PATEL QC [00:06:08] Yes, I have. So not only in my own company, but also in the work which I do. So part of my work involves advising companies on how to promote and develop their capabilities. And so one of the things that I do, through various organisations or OSP, is provide actual training, so scenarios, whether they be acting or whatever, where a hypothetical cyber incident has occurred. What do we do? How do we deal with it?
NAYOKA OWARE [00:06:45] Ransomware attacks are continuing to make headlines with some organisations refusing to pay ransoms while others comply. What are your thoughts on this?
SANDIP PATEL QC [00:06:55] All right. This is a very contentious subject, ransomware, especially at the moment. In my view, ransomware is a global threat which will only intensify unless organisations purge themselves of a culture of complacency and adopt appropriate cyber hygiene measures. And in my view, my personal view, is never pay the ransomware attackers, because that only rewards them for their malicious deeds and breeds more attacks. But I accept, ultimately, it’s a business decision. But let me contrast two recent cases, if I may. The Norwegian aluminium producer Norsk Hydro was recently hit by a severe ransomware attack, as a result of which the hackers took 22000 computers offline at 170 different sites around the world. Now, Norsk took the view that they wouldn’t cave in to the ransomware demands. They took the view that they would deal with this internally and spend money in order to restore their files from records. And so they turned to their backup servers, which they did. They spent 45 million pounds on that, which was far in excess of what they would have had to pay the ransomware demands, but they chose to do that as a company. Contrast that with Eurofins Scientific, which is the UK’s biggest provider of forensic services and provides forensic services to lots of police forces in this country. And it’s the major one. It was also hit by a ransomware virus attack very recently, which resulted in the shutting down of their systems. That had an impact on 77000 criminal cases which have forensic evidence each year, and also resulted in court cases being postponed. Now, according to a BBC report, the company paid a ransom. The company will not admit that it had or had not paid a ransom, but it seems that they had. Now, which begs the question, why did they not have adequate backup systems and a restoration process? Now, the National Crime Agency is investigating this matter. Eurofins Scientific, their position is that they are the victim. But ultimately, in my view, it’s counterproductive in the long term to pay these criminals.
NAYOKA OWARE [00:09:36] So your advice would be to invest money in dealing with it internally.
SANDIP PATEL QC [00:09:39] Indeed, prevention rather than dealing with it that way. So it’s not beyond the capability of an organisation to have proper backup systems with a restoration process. So that’s my position.
NAYOKA OWARE [00:09:56] It’s a good position to stand in. From your experience, is there a strong, or any, alignment between a business’s I.T. department and the board of directors when it comes to cybersecurity?
SANDIP PATEL QC [00:10:10] Right. Sadly, no. In my opinion, the board and the I.T. department are not speaking the same language in relation to cybersecurity. The board consider cybersecurity to be an I.T. issue, when I’ve already explained that it is not; it must be at the heart, I.T. security must be at the heart of any organisation’s proper governance. And that includes the board. But again, according to the Grant Thornton survey, two thirds of boards do not formally review risk management and therefore remain ignorant of the risks and dangers of hackers. And that’s according to their most recent survey. Two thirds. Now, bearing in mind that UK businesses have lost 37 billion pounds in the past 12 months to cyber security breaches and cyber related incidents, and these are startling facts: of those most severely hit, they lose 25 percent of their revenue, and those are also companies which can sustain that impact. But according to other research, 80 percent of companies which are hit by a major cyber event are dead within two years. So this is what I say to my clients. These are the stark facts and they cannot be ignored. And so the vocabulary of CTI, cyber threat intelligence, needs to change in order to be in keeping with business and strategy. So that’s my position. Let me give you an example. A cyber security partner very recently carried out a phishing test on a very substantial law firm in this country. The emails were marked important notice periods, with a request to open an online form, but first entering his or her password. Now 19 took the bait and completed the form; eight of those who did used the same password as each other. As a result of that, the testing firm gained access to the firm’s entire Outlook account, including the database, so all emails sent in and out from clients, all the attachments, all the documents, the testing firm gained access to. By that simple phishing exercise, and this was a substantial law firm, I could only imagine the regulatory and reputational consequences if this was a cyber criminal.
NAYOKA OWARE [00:12:58] Terrible. I’m actually shocked by the information with regards to the board of directors. Why do you think that they refrain from learning about cybersecurity? Do you think it’s too long winded? I understand that you said they think it’s an I.T. issue, but it affects the whole organisation if they are attacked.
SANDIP PATEL QC [00:13:17] Indeed, I think it’s also cultural within organisations. It depends what the organisation’s culture is. It also depends on the board members themselves, depending upon how IT literate they are, how interested they are in the processes. But it goes back to the language, CTI language. At the moment, CTI language is very technical and it needs to adapt; the terminology needs to adapt so that it becomes more comprehensible to the board. And until that happens, I think, I think the major organisations understand. I’m more concerned about the SMEs as well, which don’t. But look, we can see, I’m just giving you the example of Norsk Hydro: one of the world’s largest aluminium producers is not immune from attack. But in fact, no organisation, no company is.
NAYOKA OWARE [00:14:10] Thank you for that. What cybersecurity advice do you have for viewers from a legal standpoint?
SANDIP PATEL QC [00:14:17] Right. Okay. Guard against cyber sleep. I mean, I’ve been speaking about this during the course of this interview: guard against cyber sleep, and some, I’ve suggested, are in a cyber coma. But if the business believes that it has not suffered a cyber attack or data breach, putting aside whether it knows what it has or has not, then it is in the minority. And it is only a matter of when and not if, we know that. So the three important factors are governance at an organisational level, risk management both contextually and intelligence driven, and capability. Cybersecurity by design and by default, using a standard framework applied to context. These are really important factors, and have a strategic CTI in place. And no, as I said, no one size fits all. So it must be tailored to the organisation’s needs. I mentioned the NCSC 10 Steps, which can be of significant benefit to an organisation in protecting its data, and we’re all familiar with the infographic which the agency produces and deals with. My advice would be, we deal with risk management. Address risk management. It cannot be ignored. Say, for example, have an information security executive at a high level, which I’ve already mentioned. The other factors I mentioned: insurance, cybersecurity policies and backup procedures documented, accessible, understood by all employees. Sound backup procedures and regular testing on a quarterly basis. For instance, everything should be reviewed, maintained and revised on a periodic basis. Multi-factor authentication, MFA. I’ve mentioned cybersecurity training programs, which should be mandatory and conducted regularly, penetration and vulnerability testing. The former, which tests your perimeter defences, should be done on an annual basis at a minimum. Vulnerability testing, in my view, which scans all the network devices, should be done on a weekly basis at least once, in my view. A records management policy is most important, with defined responsibilities and assigned accordingly. Cyber investment. Full disk encryption. Data loss prevention services, and the list is long. That’s technology that scans documents, emails and so forth, and the types of data leaving the firm. And also I mentioned this: the supply chain, third party risk assessment, is very, very important. So those are the things I would say. Those are the headline themes which I would advocate in my advice, not in order to avoid legal liability, because you may be in the position where, let’s say, you were the victim of a cyber attack, but certainly, if you have all these things in place, you certainly mitigate your liability, whether it be to the ICO, or in a court of law, or to the victims if they’re looking for compensation.
NAYOKA OWARE [00:17:40] Unfortunately, Sandip, that’s all we have time for. But it has been an absolute pleasure speaking to you.
SANDIP PATEL QC [00:17:45] Thank you very much.
NAYOKA OWARE [00:17:46] Thank you for your time.
SANDIP PATEL QC [00:17:47] Thank you for having me.
NAYOKA OWARE [00:17:49] Join us next time for another episode of Security Panel. I have been Nayoka Oware and I hope that you’ve enjoyed this discussion just as much as we have. Thank you for watching.