Unless you have been “off grid” for the last few weeks you will be very aware that this month saw a significant cyber attack on vulnerable organisations around the globe including, in the UK, our very own NHS. Unsurprisingly many of the more sensationalist of the media and commentators have heralded this event as a signal that we are entering a new age of technological warfare and that we are under a grave, imminent and unavoidable threat of major technological meltdown. As compliance professionals we don’t scare easily and wanted to come to our own conclusions on the lessons that can be learnt from this attack.
By way of a reminder, this month’s specific software attack sought to extort money (in bitcoin) from victim organisations whose data had been encrypted and rendered inaccessible until a ransom was paid. If no ransom was paid the organisations were threatened with the permanent destruction of their data. What added a bit of extra glamour to the James Bond-esque “global cyber threat” rhetoric surrounding this particular event were indications that the rogue software originated in the labs of the NSA in the States.
So, are we all destined to live in a dystopian world where every piece of technology we have come to rely on will be permanently under a dire threat from global hackers and criminals? Or, whilst acknowledging that there are serious and important threats to the technology we now rely on, is it possible to take the same view of managing these cyber risks for our organisations as we take with all the other elements of our organisations – i.e. a sensible, considered, risk-based approach? I think you can guess where we are going with this.
Having had a chance to reflect and talk with our own network of cyber security experts, it looks as if – although the cyber threats to our organisations are very real – if they are properly identified, assessed and mitigated, using a risk-based approach, organisations can confidently protect themselves from all but the most pernicious and targeted attacks. And even if, or when, these secure organisations are targeted, the well prepared ones will have effective backup plans in place to rapidly restore disrupted service. In fact, word on the street has it that even the spymasters at GCHQ believe that the reason for the widespread vulnerability to the cyber attack was down to organisations failing to manage their internal protections and failing to install upgrades etc. rather than the genius of technical criminal masterminds.
However, and here’s the interesting thing – despite IT systems and their resilience and security being very much part of the FCA’s list of things that they expect firms to care about and manage the compliance of – what we have found is that many compliance functions struggle to get to grips with actively monitoring and assessing their own firm’s IT software and infrastructures. Instead, in many instances, IT departments are very much and somewhat uniquely left alone by the compliance teams to self-certify their own resilience and attest to the validity and adequacy of their own plans and arrangements. As you might imagine this creates its own risks and vulnerabilities and is not what is supposed to happen. Clearly in a world where cyber security is more important than ever compliance needs to be on the front foot when it comes to monitoring the IT function.
So why is it that Compliance seems to back off in its oversight of technology and the related cyber security issues? Well, without claiming that our viewpoint is either scientific or comprehensive, our interactions with Compliance professionals suggest the following issues contribute:
Compliance professionals can feel out of their depth when dealing with technology issues – anecdotally we know that many compliance professionals don’t speak IT: it wasn’t part of their training and they don’t feel confident to query a technology process or interrogate a technically worded response.
There is an inherent trust in “those clever people who do technology” – the phrase “blinded with science” definitely applies here. The science of IT actually creates a somewhat false impression of smartness and orderliness. Those of us that know IT well know that this impression is often far from the reality and it absolutely shouldn’t hoodwink compliance – but it often seems to. Once an algorithm is working and generating output it is rarely questioned and is assumed to be correct and functioning as it was designed. Our experience suggests this is not the reality and that greater monitoring and review of IT processes, products and functions needs to take place.
Finally, there is the continuous challenge for compliance bandwidth. All too often the factors above just force the monitoring and review of IT to the back of the queue for compliance attention and what should be regularly reviewed and monitored gets bumped or postponed due to a lack of compliance resource.
Taken together the factors above can create a ticking timebomb for organisations who then discover too late that they are seriously exposed to technology risk – especially the risk of cyber attack.
So what should compliance be doing…
Our simple observations, from those organisations that manage the compliance of IT well, are as follows:
Do not ignore IT – ensure that the product, processes and outputs of IT are firmly on your compliance monitoring plan.
Don’t believe the hype – yes IT can house some clever people, but they are still people and just as likely to cut corners, take unwarranted risks and hope for the best as any of the rest of the organisation’s staff. They should be under the same level of scrutiny as the rest of the organisation.
Ask for help – if you’re not confident in completing the required monitoring, ask for help – specialist IT compliance resources do exist and they can help to carry out the necessary reviews and monitoring. Do ask us for details if you require them.
So that’s it. We don’t think that we are entering a new world of cyber paralysis – but this is a wake-up call for compliance and for organisations who have had blind faith in their own IT. We look forward to seeing a new level of monitoring and reviewing of IT departments.