Governance Bites

Governance Bites #46: cybersecurity and director responsibility, with Philip Whitmore

Mark Banicevich, Philip Whitmore Season 5 Episode 6

In this video, Mark Banicevich asks Philip Whitmore about cybersecurity and director responsibility. Philip provides examples of cybersecurity risk, and the impact it can have on large and small businesses. They discuss the directors' role in managing cybersecurity risk, and what directors should do about cybersecurity. Mark also asks about the information management needed to make good decisions about cybersecurity risk.
Philip Whitmore is one of New Zealand’s leading authorities on cybersecurity. He is a Partner at KPMG specialising in cybersecurity. Philip is also a member of the Chartered Accountants of Australia and New Zealand, where he is Convener of the IT Special Interest Group. He has extensive experience in IT internal audit, risk management, controls assurance, and advisory. Philip regularly advises boards of directors on cybersecurity issues.
#governance, #cybersecurity, #governancebites, #boardroom, #boardcraft

Hi. Welcome to Governance Bites. I'm Mark Banicevich, and today I am very lucky to spend time with Philip Whitmore. Philip, great to see you again, mate! Good to see you! It's been ages! It has been a very long time. Philip is one of New Zealand's leading authorities on cybersecurity. He's a Partner at KPMG, and he specialises in cybersecurity. He's also a member of the Chartered Institute of Accountants of Australia and New Zealand, and he's convenor of the IT [Information Technology] Special Interest Group. Lots of experience in internal audit, IT risk management, controls assurance, all that kind of stuff. Right? You've been in this game for a long time. I have. I have. And normally I don't tell people I'm an accountant, because they switch off. Yeah. People have a funny perception of what accountants are, and albeit I’m an accountant, I don't do accounting anymore. No. It's been 27 years, now, of cybersecurity. 27! 27 years in cybersecurity. 1997, I started cybersecurity. Wow! It just means I'm old. Cybersecurity is the topic du jour. We're going to talk about cybersecurity, and its relationship with director responsibility.

My first question for you: when we talk about cybersecurity, what sorts of attacks and breaches are we talking? What is this whole cybersecurity thing? I think, sometimes, we talk about cybersecurity, we think there's hackers going to hack into our systems. That's part of it. But that's probably not the full of it. When we talk about cybersecurity, we're talking about anything that can impact the confidentiality of your systems and data, the integrity of your systems and data, or the availability of your systems and data. So, those threats that can impact that are quite wide, and they come from inside and outside. So, it isn't just about hacking. It's about all sorts of things that we can do that impact that. Certainly, hacking is a key risk that comes from a range of different threats in itself. Okay. Cybersecurity is often raised in director surveys as an area of concern. I think it slipped off this year, but in the previous years, it's been sort of top two. What is the magnitude of impact that cybersecurity can have on companies? And have you got some examples? You could be gone tomorrow. An organisation - it has that potential. I can think of a law firm that I worked with here in Auckland. No longer exists because of a breach they had, and the consequences that had. Not only on their information systems – they lost all their data, all their communications, everything – but also on the trust that their customer base had. The customers just went elsewhere, essentially. So, it can be that big. And then we go, “Well, that's not going to happen to many of us.” And it probably hasn't happened to many organisations at the moment. But the consequences are changing. At the moment, we're a non-regulated environment. We have few laws, regulations, in New Zealand, about that. That's changing. We've already seen that happen in Australia.
Australia now, if you have a significant privacy breach, and that's generally the result of a security breach, your fines can be up to $50 million. We're seeing class actions against directors, and against senior management, happening in the US, Australia. So, the consequences can be almost as big as your imagination can be. And not just big for the firm, but also big for the directors, as you're saying. Exactly. I mean, I think we've forgotten, because it isn't written down, like health and safety is. There's not the words there. But we have a fiduciary duty to protect our organisation, and that includes around cybersecurity. Now, again, that isn't codified in regulation or legislation yet, but certainly case law overseas is starting to make that clear. And I think many organisations now, most directors, boards do understand that they're responsible. Just, potentially, not what that may mean to them as individuals, yet. And that's starting to play out in other parts of the world, and will start coming here. Can you expand a little bit on the types of cybersecurity breaches that we're experiencing? Sure, sure. Oh look, there's a myriad of ones. We have state-sponsored attacks, and we don't tend to think that happens in New Zealand, but it does. And certainly there have been advisories released by the Five Eyes intelligence communities which make that quite clear. Particularly even this year, there have been a couple already. Working together, so, New Zealand, Canada, Australia, US and UK. About state-sponsored attacks out from particular countries. I suspect we'll see more about that in the media in the near future, too. We have opportunists. If you left home this morning and left your front door unlocked, when you go home tonight, your TV will be missing. If you left your door wide open, your TV will be missing. It's the same thing from a cybersecurity perspective. People will attack you, just because you're there.
We have terrorists, and we tend to think that that doesn't happen in New Zealand, apart from, obviously, things like what happened in Christchurch [mosque shootings, 15 March 2019]. But there have been terrorist cells based in New Zealand, using the IT systems in New Zealand organisations to undertake various activities. Basically they've hacked their way in, and been able to use those IT systems. If we think back to the year 2000, Sydney Olympics. A terrorist cell being caught in Mount Roskill, here in Auckland. And now, probably, most of us have forgotten about that. But there was one, and it was publicised at the time in the media. I won't go into details, but you can imagine what they might have been doing. And again, it's happened multiple times, as well. Terrorists, opportunists, foreign states, insiders. The people that you work with, or people that work in our companies. It comes down to, for an insider, what's the motivation? “I've got a drug problem”, gambling problem, “I should have been given that pay rise”, “it was due to me”. And you've got motivation. Then we've got opportunity. The cybersecurity is not strong. Now, we can't control both of those. Particularly, we can't control the motivation for an individual. But if the opportunity is large, and the motivation is large, that's when things go wrong. We have organised crime, and organised crime is probably what we're used to seeing in the headlines, money's been stolen, or scams, and the like. Often it's organised crime. Not normally based in New Zealand. In fact, almost never based in New Zealand, to date. It's been offshore, targeting New Zealanders, because we are the soft underbelly. We are the least mature. Some of the least aware people that are out there. Why go target some country that is very good at cybersecurity, has very informed citizens? Why not target New Zealand? Where we are easy pickings. So, a range of different threats. Right.
And we are in a world, now, where it's probably almost impossible to run a business without being connected to the internet, right. Being completely, because the safest way to be secure from cyber risk would be not to be connected. But you can't. You have to be connected these days. And so, that opens up a whole lot of risks around, and essentially what we're talking about is people getting access into your systems to draw data out. Either to make money on it in some form, or just to cause havoc, right? It is. I mean, money is the main motivation, and has been always, and continues to be. But I might want to do you harm. I don't like you for some reason. I don't like what your organisation does. My view on life is different to yours. Or just for fun, sometimes. Or if I'm another country, to do you economic harm. Or to take intellectual property from people in your country, give it to people in my country. Why should people there have to work for it, when I can just take it? Yes. Also, and potentially, to cause harm to people in that country. A common tactic, before you roll troops into a country, for example, is to take out communications in that organisation. Hack into systems, hack communications, take out the ability to reach out and help. Also, we start seeing this happening in America, with foreign states targeting America to impact its critical infrastructure. Impact water, waste water, energy, those sorts of things. Again, doing predominantly economic harm. But potentially, real harm to individuals, as well. Wow. Now, you gave an example of the New Zealand law firm earlier, and we also had the example of one of the DHBs [District Health Boards] that had its data hacked, was that - that was last year, too, wasn't it? What would you say would be the likelihood of this happening to New Zealand business? Really, a different magnitude.
A listed company, as you say, a utilities company, or a small business somewhere in New Zealand, that really doesn't have a lot of... Look, I think the likelihood, regardless of the sector, regardless of if you're big or small, can be relatively high. Particularly New Zealand at the moment, because we are so low in our maturity, the likelihood is relatively high. And the impact - It can be huge. - it comes on the basis of the nature of the organisation. But sometimes we think that likelihood is not high, because most of the time when we see headlines, they're offshore. Or we see headlines in New Zealand about cybersecurity attacks, or breaches, privacy breach, whatever it may be. One or two a month. Well, that doesn't sound very much. Most of the time, though, the information about what has happened isn't public. The ones that we see are public tend to be things that they can't control, because it's very public facing. Yes. A hospital, people find out. I mean, I walked into the hospital the next day with my mother for some treatment, so it became very obvious that something wasn't quite right. Headlines. So often what we see is the headlines about public sector organisations. Because they're very public in their nature, in terms of interaction with citizens. Or we see it about large organisations, with large customer bases, where it gets impacted, or where the cyber criminals themselves have wanted to embarrass the organisations. And just because they're there, or to extort money. So, we see a very small piece of what is happening out there. So, it's a much bigger problem than we know about. It is a much, much bigger problem. And I think directors understand the size of the problem, but it's challenging, about what to do with it. What should directors then do about it? What role do they have to play, and what should they then do about cybersecurity?
Look, it is hard, because for most directors, in most organisations I come across, it's not something that they're used to having dealt with. Often they've had different careers in the past that aren't IT related. I think having someone to assist the board. And I'm not saying necessarily a board member, because they're hard to find. But it could be a board member. Or just an advisor. Is of value. Someone to help them. To talk about it more, carry on talking about it. It's taken us a while to realise, yes, it is a problem. But we all do now. But talking about it. I think it is asking, I call them hard questions. They're not particularly hard questions, but asking some clear, direct questions to our organisations. I mean, at the moment, we've been gathering information. People tell us about the company, about what's happening, but it's probably time to ask more direct questions about what's happening. And we don't, it's not about being geeky, and techie, and all knowing a whole bunch of things. Really, cybersecurity is just about risk management. It's just risk management. And a different topic. The challenge tends to be, the IT people talk one language, the rest of the business talks another language. Particularly when it comes to risk management, it's that translating. So that's what that advisor - whether it's a board member, or an advisor to the board - can help with, work out that translation between these languages. Because that is the challenge. Absolutely. Management, the IT team, CIO [Chief Information Officer], often doesn't know how to communicate things in one way. The board doesn't know how to ask questions in one way. And we get lost in translation. And then sometimes it ends up being, “Mark, is cybersecurity okay?” And you go, “Yes, it's fine.” “Yes, we stopped a million viruses this week.” “That's good.” And we go, “That's good. Keep doing a good job.” Now, I am being a bit facetious there, but it does feel like that a little bit sometimes.
Because it is a difficult subject. So, what information should the board of directors ask for from management to actually keep them properly informed about what's going on? Yeah, sure. Look, it is a base set of information. It's a base set of KPIs [Key Performance Indicators], it might be a dashboard. What it isn't, I'll start with that, and I'll come back to what it is. What it isn't, it isn't things like how many viruses we stopped. Because if it was 10 million, is that a good number? Is that a bad number? What did we let through? Unfortunately, often those statistics are things like that. We stopped lots of things. Or we did lots of things. But it is fairly simple information that's not overly IT related. It might be, what are our top 10 risks? And how are they travelling in terms of that risk? In terms of risk reduction, how they're travelling over time. It might be, what is our compliance status against our relevant framework? There are different frameworks out there. If there isn't one being used in your organisation, I would suggest one to start with would be the CERT NZ [Computer Emergency Response Team] critical controls. CERT NZ is now a division of the Government Communications Security Bureau, the GCSB, focused on helping New Zealanders, us as individuals, small companies, big companies, be more effective at cybersecurity. And to help manage incidents. They publish, every year, the critical controls, the 10 most important things we should focus on. Because they're the 10 best things that can stop an attack, limit the impact of an attack, and recover from an attack. So if we haven't got a framework that we're measuring ourselves against, that's a fantastic one to start with. How are we doing against the critical controls? There's just 10 of them. It sounds easy. But I've yet to come across an organisation that has all 10 in place. There is some great information coming out of CERT New Zealand. And it's freely available. They do a fantastic job.
And it'll be interesting to see how they evolve now that they're part of GCSB, as well. Yes. The NCSC [National Cyber Security Centre] element of GCSB, the public-facing element, which works with, predominantly, government agencies. It's interesting. Similar structures in Australia, UK, and elsewhere. Very helpful. But yes, CERT NZ, if I was a small business, or an individual, I'd often start there. Because it is good practical information. It is. In a way that we can all understand it. Yes. And what role is there for ensuring that staff are trained in basic internet security? Yeah, look, I think it's important. If you look at that, again, those critical controls. The top 10 things. Security awareness is sitting there, one of them there. Some years it floats just below the 10. Sometimes it floats back into the 10. But it's important. If I'm not security aware, I don't know, understand the basics, and how it relates to my job, I could potentially undermine all the good things in place. Because I don't know what to do in a certain situation, or how to behave. In saying that, we see many organisations who just spend all their time focusing on security awareness, education. Do this training once a year. Here's a phishing test. You failed. Do better. It's all good. But that's not the focus. At some point, there are other things that are far more effective. It's important, but it's not the most important. Yes. Sometimes we focus on them most of all, because it's a bit easier to understand. We do a phishing test, people fail, we put a range of activities in place, they get better. We can measure it, and that's good. But it is a key aspect. It is, as you suggest, a fairly limited approach, as well. Because the attacks are getting so much more sophisticated. A couple of months ago, I received an email in my personal account, purporting to be from our managing director [MD], asking for my support in a secret project.
Which is not unusual for our MD, to have some quiet projects happening, bubbling away. But the fact that it was my personal account, and then when I followed it up, and because I replied, and I then followed up directly with my MD by text message, who then came back and said, “No, it wasn't from me.” When it's in your business account, you can put software in place to do phishing tests, and things, as you say. And to identify this stuff. But when you start targeting the personal accounts of your staff, you can't put that stuff in place as easily. No. But again, and I feel like I'm picking on the critical controls too much, one of those is about multi-factor authentication [MFA]. Which, put that aside. But verification, about having business processes in place to help verify the identity of people making requests for higher-risk activities. For making payments. That Hong Kong case recently. Exactly. It's about having processes in place that verify that. And it's not responding to that dodgy email saying, “Are you real?” It happens. And, of course, the answer comes back, and says, “Oh, yes.” It's about people requesting a password, people doing other things. So again, there are business processes in place. But many organisations are missing those. And putting cybersecurity aside, I put my accountant’s hat on, those are just normal processes for validating payments. Yes. For the payments aspect of it. It's only one area. But it's a key area. And that's missing so many times. Or can be circumvented, so many times. And sometimes it comes down to the culture of an organisation. An organisation where the CEO [Chief Executive Officer] says jump, and you ask, “How high?” It's probably more likely to happen. Yes. But regardless, there should be these processes in place. I've seen a New Zealand organisation lose in excess of $10 million in a single payment, of someone else's money that they were holding in trust, - Wow.
- because they got what appeared to be instructions to send it somewhere else, and it wasn't. Yes. That didn't hit the headlines. So often, they don't. It's quite embarrassing for the organisation. Luckily, they had the ability to get the money back, and pay the legitimate customer. But it came at a lot of cost itself. Yes, absolutely. And the case that I mentioned before was the recent one where, in Hong Kong, somebody called into a video meeting - Yeah. - with their CFO [Chief Financial Officer], and the CFO was a deepfake in the meeting. And handed over a significant sum of money. $26 million, or something. It is interesting. Yeah. And this is only going to get harder, right. With the advent of artificial intelligence [AI], particularly in the space of photograph and video. It's so much harder to identify individuals. Correct. And it becomes difficult. And that technology is, say, it's nothing new. The consumer-based versions of that is, you and I can probably do something very similar right now. Let alone with a little bit of effort, a little bit of motivation. And $26 million, whatever it is, is a lot of motivation. Yes. It can be done, and that's troublesome. Worrying, isn't it. Absolutely. And I think one of the biggest things you've raised, that to me is the most concerning, is just how much of it we don't see. We're going to have to wrap it up, so I don't take up too much of your day. Final question for you. What's the best governance advice you've received? It's a good question. That is, what's the best governance advice? I think I'd come down to having the advisor on your board. Or someone on the board. Or to supplement the board. Right. Right now. Now that will evolve over time. Given five years down the track, that role is probably not needed anymore, because new board members will come through. Come through a bit more IT literate. But right now, that might be the right thing to do. Hard to find, but certainly worthwhile.
And I can probably broaden that out a little bit, about all sorts of skill sets, right. If you’ve got seven people on a board, you may not have all of the skills required. So taking external advice, bringing an adviser into the boardroom for particular issues, cybersecurity being a key one, is a great way to supplement the skills that sit around the room. It is. Someone on board side, on the board side, not the management side. Yes. Not saying management versus board. But just someone to give an impartial view. Some guidance. Even when a cybersecurity incident happens, someone to help inform the board. To help their decision-making process about what they should be doing and asking, and how they should be responding. Right. Philip, thank you very much for your time. No, thank you. Great conversation. It’s been great. Excellent. I look forward to catching you again soon. Right. Cheers.