As much about people as it is technology: Stephen Lake on Cybersecurity and Boards
Last year the world saw a number of debilitating cybersecurity breaches.
Yahoo, the NHS, and Equifax were all the targets of major hacks that compromised millions of accounts and, in the case of the WannaCry ransomware that affected healthcare providers across the globe, brought day-to-day operations to a halt. Yet few boards know exactly how to approach cybersecurity and put into place programmes and processes that may keep their customers, employees, and ultimately their businesses, safe in the future.
Beginning his career at the cusp of the Internet age and driving strategy for organisations such as Reuters and iVillage, Stephen Lake has been a Non-Executive Director in the Digital and TMT space for over 20 years, most recently for Ordnance Survey, where he is also Chairman of the Audit & Risk Committee. Our Associate Director of Board Search, Cathy Kay, spoke with him about cybersecurity and what boards should be doing to protect themselves as much as possible.
This interview has been lightly edited and condensed.
Cathy Kay: How do you instill a secure culture while not destroying the culture you have in an organisation?
Stephen Lake: I think you’re getting to the right point, that cybersecurity is as much about people as it is technology. That is an important point to understand upfront because a lot of cybersecurity breaches are generated internally accidentally, although sometimes maliciously, so having a culture or at least an awareness of the importance of being secure in all aspects is important. From that perspective, talking about cybersecurity in a business sense as opposed to a technical sense is important, as well as to be quite open about it in terms of communication. You can also incorporate it into people’s employment terms and conditions. That actually gets people’s attention, when you say we’ve got a whole new section on cybersecurity and here are all the things we’re expecting from you in terms of behaviours, and here is what additional training we will be providing you with as a result. I think making it visible in a multidimensional way and not making it just one thing, run by the techies – it needs to be communicated from HR, and communicated by the CEO as to why it’s important.
CK: Do you think now at board level what it actually means to be under threat is fully understood?
SL: No. People at the board level are still learning what cybersecurity entails and what its implications are. It’s not all about being hacked at the backend, deep in your network; people don’t understand the breadth and sometimes think it’s all about hacking. But of course a lot of cybersecurity is not that at all, and comes about through, say, accidentally attaching something that shouldn’t be attached to an email and sending it out. There are systems now to stop that by spotting a confidential document that probably shouldn’t be leaving the network, which automatically gets stopped and flagged to the individual, “Did you mean to attach this document?”
CK: So is that a software you can install?
SL: Yes, it’s what might be called “information governance”: understanding what data you have – including multiple copies of the same data – categorising it by type and risk level, deciding who has the ability to access and distribute different types of data and, very importantly, knowing the answer to, “where is my data?” You can’t have good cybersecurity if you don’t know where all your data is, and a lot of organisations don’t know that.
CK: So GDPR targets are an opportunity for educating.
SL: Well, yes. But of course corporate data sits a lot wider than GDPR, which is a subset subject to regulation about personal information. There’s a lot more that is commercially sensitive. You know, how many copies of a commercial agreement, not just the finished one, but there are probably 15-20 drafts that people don’t realise have been stored on laptops and servers all over the place. It’s enough to give a lawyer a heart attack. Knowing what of your data is encrypted, so that even if someone got in they couldn’t access it because it’s very hard to break into. You have to work on the assumption that companies will always get breached in some kind of way, so we need to have layers of defense all the way down to understand where the crown jewels are, and having those protected in various kinds of ways. And then there are customer-facing aspects of the business that need to be understood.
CK: When you’re sitting on boards, how does your expertise inform your role?
SL: From a board perspective, having independent knowledge comes across into audit and risk. If you are chair of the risk committee, you need to get yourself educated on cyber risks. As I said it’s not just technology risks, it’s technology, it’s people, it’s information, it’s compliance. And what’s difficult is that modern organisations are all designed to be more open and collaborative, and you don’t want to stop that. So you’ve got a world where it’s difficult to protect your assets and protect your organisation from malicious harm of various types, but at the same time you’ve got a business that wants to be more open, wants to be more collaborative, wants to use workers that are part-time workers and full-time workers, all in groups, which pull in different directions, and so you’ve got to be clear how you enable both of those simultaneously. And that in part is why I mention information governance because you have to be clear about what it is you’re really trying to protect.
CK: Does that level of debate happen in the boardroom, in terms of what we’re really trying to protect?
SL: Sometimes it just gets dropped a level to a committee but it shouldn’t. There should be a briefing at board level so that we understand what the organisation design looks like. There have to be conscious decisions made and people need to understand what those are. I think that is a broader debate or discussion.
CK: What’s the level of awareness on cybersecurity at the moment?
SL: If you take Ordnance Survey for a start, they’re quite knowledgeable of different aspects, but like many organisations they didn’t have all the tools at their disposal to be able to proactively monitor risks. So a challenge is, what size is your organisation and what can you do? A large bank has plenty of money and plenty of people and can spend a lot more money to protect their systems than a medium-sized organisation. In Ordnance Survey now we’ve upgraded a lot of tools, we’ve trebled the size of the cybersecurity team, we’ve been proactive with things like white hat, or ethical, hacking, so under controlled circumstances we hire a hacker to break in to test. We run online training for all staff on all aspects of cybersecurity on how to identify a suspicious email, phishing, all these types of things, and we do some tests of our own, so we will send fake LinkedIn invites to people that when clicked on will come up with a, “oops, you shouldn’t have done that, you need to go back and take this module of training”.
CK: How often do you change your password?
SL: I don’t. I use different ones for different things but I have quite a complicated one.
CK: Do you use a password manager?
SL: I think that’s a good idea to do, yes. That’s particularly something businesses should be looking to enforce more. So actually one of the things people ought to be paying attention to more is the new National Cyber Security Centre in Cheltenham, which issues a lot of practical information and guidance, and they’ve designed some programmes for different parts of the business to get themselves up to speed and accredited. So they have something called Cyber Essentials. That’s a good programme for a medium-sized business to put themselves through. It’s now being linked to insurance, so there’s a practical, commercial link where companies that have got a Cyber Essentials accreditation are going to have an easier time with insurers around data than someone who doesn’t have it. There’s something called Cyber Essentials Plus that, no surprise, is more robust than Cyber Essentials, for a slightly bigger organisation. Larger organisations are going to have something more sophisticated than either of those two programmes already, but for the vast majority of businesses, going through the Cyber Essentials or Cyber Essentials Plus programme is a good thing to do. The National Cyber Security Centre also have a lot of practical advice on passwords. And the recommendation is not to change your password, but also to create one that’s very hard to crack but relatively easy to remember. They recommend three random words strung together, so you can have staple, goat, avalanche. You might put some letters in capitals. But something very easy to remember.
CK: What is the most important piece of advice you might give to a CEO of a large organisation?
SL: It’s to talk about it, and to acknowledge it’s as much a people issue as a technology issue. We can’t just rely on the technology to protect us. It’s about behaviours. Talk about the reasons it’s important from a business perspective. Just give tangible examples of things that are all good things to do, or cautionary tales, of which a common one is an email reportedly sent from a supplier asking to update the bank details. But you have to ask, how did they know that this company was part of your supply chain? So they knew that this company was due to be paid; they have some good information. Emails reportedly coming from the CEO or the CFO asking someone to process a payment of some kind. Those kinds of things are extremely common, as are the different kinds of phishing emails and bogus invites to LinkedIn.
You want people to understand the risks. But going forward it’s more that you want people who are conscious of what needs to be done, and coachable, because there will be new things that come along all the time that need to be introduced.
Stephen Lake pursues a portfolio career as an Independent NED, business mentor and interim CXO for high growth companies – with a specialisation in Digital, Cyber & TMT businesses.
Stephen worked as a senior executive in large global businesses – Reuters & QinetiQ – and high growth entrepreneurial businesses for 25 years – including taking iVillage, a VC backed digital start-up, from pre-revenue to £60M in revenues and an IPO in three years. At Reuters, Stephen co-founded Reuters NewMedia division and its corporate venture capital arm Reuters Greenhouse. At QinetiQ, Stephen was responsible for new business creation and technology commercialisation as Head of the New Business Accelerator.
Stephen is currently NED & Chair of Audit & Risk at Ordnance Survey, Non-Executive Member of the Digital Strategy Board for Parliament and NED for Investing for Good. He also actively mentors the founders of several high growth start-ups and is incubating a new venture in cyber security solutions for mobile devices & blockchain. He is a UK Chartered Accountant and holds an MBA in Technology & Innovation.