Expert: Steve Mair, Protection Group International
Facilitator: Colette Dunn, Milliman UK
The expert kicked off this session by asking what we mean by ‘cyber’. There are various definitions and every organisation should have a shared internal understanding on what it means to them. His view is that it is “anything to do with computers”. He expects the term ‘cyber’ to disappear within the next 5-10 years as it will just become how we all conduct business.
Cyber criminals fall into a number of categories:
- The lone teenager sitting in their room. Probably learnt to hack because they wanted to find a way around an online game they were playing;
- Hacktivists – who hack for a reason/belief;
- Organised criminals who are seeking financial gain;
- Competitors;
- State-funded cyber-crime. For example, countries seeking military intelligence or political advantage.
Cyber-crime falls into three basic categories:
- Ransomware, where a ransom must be paid or the criminals will do something damaging, for example, leaking information or destroying/locking key databases;
- Malware;
- Phishing
One of the future technology developments is the Internet of Things (IoT) which is where various smart devices, such as fridges, heating, PCs, etc are linked. The IoT offers new opportunities for criminals and an easy way to put-up a barrier against these criminals is to change all passwords that these devices are delivered with.
Basic advice for organisations on cyber safety is:
- Keep anti-virus software up-to-date;
- Ensure passwords are regularly changed and have protocols around this process;
- Update regularly with patches;
- Have privileged account management so employees are only able to access information they need.
About 80% of systems can be protected by getting the basics right.
The government provides online information and guidance to organisation, for example, the ‘Cyber Essentials’. There are various kite marking schemes and ISOs to be achieved.
The National Cyber Security Centre is free to join and also provides useful advice.
The main worries amongst the Advisers in the room, is keeping employees/users in check. It was recommended that education is regular and that audits are carried out. Any errors should be shared within the organisation rather than hushed up. They are learning opportunities.
TISA has been looking at an industry best practice guide. Its focus has been on ISO GDPR around protocols.
Wealth Mosaic is a new organisation which is building ‘The Industry Fact Book’ on this subject.