Leading cyber security firm Templar Executives operates at the highest levels across the public and private sectors, helping shape government and corporate policy, developing national strategies and embedding capability across the UK government and FTSE 100 companies. Templar Executives’ deep and broad expertise in cyber security consulting, information auditing and training is supplemented by unparalleled technical expertise that is scalable through a robust and discreet expert ecosystem.
The European caught up with CEO Andrew Fitzmaurice and Communications Director Kristina Holland from Templar Executives to discuss the rise in cyber crime and what businesses can do to guard against it.
There’s been an increase in high-profile cyber breaches making the headlines recently. Should organisations be worried?
Andrew Fitzmaurice: Yes, although ‘prepared’ is perhaps a more positive stance. Cyber crime is a hugely lucrative business and its threat to organisations is increasing exponentially in every sector. Cyber attacks are now costing businesses globally up to £400bn a year, often perpetrated by organised online criminal syndicates with clear motives to target people, systems and organisations – it’s no longer a matter of ‘if’ but ‘when’ a breach will occur. Naturally, organisations wish to benefit from the wealth of new technologies delivering improved business efficiencies leading to a greater dependence than ever on information systems for all business activities: communicating with customers, third party suppliers, partners and employees. All of this presents opportunities for the ‘digital mafioso’, criminals, ‘hacktivists’ and even nation states, who harness the speed and scale offered by interconnectedness as their method of attack. Then there is the biggest threat of all – ‘people’ and the malicious and non-malicious threat presented by an organisation’s workforce and supply chain.
Once a breach has occurred, be it based on fraud, intellectual property (IP) theft, personal data theft, ransomware, or denial of service, the pursuant reputational damage, loss of business and loss of credibility will be palpable to the business. On top of this, governments and regulators are pushing out to industry increasingly complex legal and regulatory requirements. The pressure on boards is relentless, with businesses coming under intense scrutiny. There is an expectation from customers and shareholders that information is protected and shared appropriately. The EU’s General Data Protection Regulation (GDPR) will come into effect in 2018 and will see financial penalties of up to 20m euros or 4% of an organisation’s global turnover for breaches in data protection, and the prospect of criminal prosecution for senior board executives. Being prepared is therefore key; as Benjamin Franklin famously said: “If you fail to plan, you are planning to fail.”
How do organisations combat this wave of threats?
Kristina Holland: At Templar Executives our globally acclaimed holistic approach encompasses people, process and culture – all supported by ICT. This drives a level of knowledge and understanding which has helped countless organisations mitigate the risk of a cyber breach and associated penalties by ‘knowing themselves’ and ‘knowing the enemy’. As Sun Tzu, the Chinese military strategist, once said: “If ignorant of both your enemy and yourself, you are certain to be in peril.”
Cyber security is now a recognised ‘business risk’ and as such leadership on the issue must come from the board. Templar Executives has over ten years of experience in supporting boards across the public and private sectors, helping promulgate the correct message throughout organisations.
Templar Executives helps organisations to confidently demonstrate to their customers, stakeholders, partners and regulators that they can operate successfully and are compliant within legal and regulatory requirements.
We assist organisations to understand their cyber security risks in the context of their overall organisation, to identify key business assets, to allocate responsibilities and accountabilities within a clear governance framework and to implement mechanisms to drive good security management policy, procedures and processes throughout the organisation.
We help enable businesses to increase productivity by exploiting the latest technologies, new channels to market and global supply chains, without compromising the security of their organisation. By recognising cyber crime is a business risk and working with us to incorporate the cyber agenda into the governance structure the most critical information assets are protected and real competitive advantage gained. This was exemplified by one of our clients, a multi-national FTSE 100 company, which gained £7.2bn in new business contracts directly as a result of raising their cyber maturity posture.
What do you see as the biggest trends in the cyber security arena?
AF: There are three main trends evolving in cyber security. Firstly, there is a growing awareness of the significance of the supply chain and third party suppliers as an attractive target, rich in business intelligence and IP. Organisations are as vulnerable as their weakest link. Weak links in the supply chain can provide an easy route for those who want to attack an organisation.
Secondly, due to the rapid deployment of new technology and an organisation’s growth through acquisition, their infrastructures are often peppered with unsupported legacy systems, for example Windows XP. These systems represent a time bomb because of the ease with which they can be infiltrated and compromised. Organised criminal gangs and foreign intelligence services don’t necessarily want to destroy organisations, but rather to continually skim off money or information and remain undetected. Legacy systems with little or no monitoring provide an excellent gateway for such activity.
Thirdly, the ‘insider threat.’ Attackers have learnt how to use people inside the organisation – we call it the ‘mosaic effect’ – to build up a picture from seemingly innocuous social media posts, press reports, engaging employees and discussing their work in a social setting. This and other open sources of information can be used to build up a comprehensive picture of how particular organisations operate.
Can Templar operate as a ‘one stop shop’ for organisations to address such threats or are multiple service providers necessary?
KH: Through our portfolio of advisory, assurance and academy services, Templar can address the entire spectrum, from providing strategic advice and assurance, audits and health checks to threat briefings, business intelligence services, incident response exercises and our world class GCHQ certified Cyber Academy with traditional and e-learning training courses.
Typically, in the first instance, Templar Executives would conduct a cyber security health check to attain an accurate assessment of an organisation’s current cyber maturity posture and risk levels, based on the company, its partners, suppliers and stakeholders, as well as our knowledge of the cyber threat landscape. The health check follows governmental best practice and is based on the GCHQ framework and/or the US NIST framework where appropriate. The aim is to improve and measure improvements in information assurance risk management, to provide a common set of criteria based on recognised standards, and to assess the information assurance and cyber security maturity of organisations. As a management tool, this framework approach helps assess and provide a benchmark of current practices within the complex cyber and ‘information risk’ environment. The methodological approach is agnostic of organisational size and disposition.
A comprehensive report would then provide in detail the organisation’s current level of maturity, measured against leading industry standards and with a suggested roadmap of corrective actions developed to help raise the level of cyber maturity to protect the business and enable continuing operations.
A critical component of our service is to help educate the organisation so that they have the tools and the know-how in-house to maintain this elevated level of information assurance and to be cyber secure.
The Templar Executives portfolio of services embraces the entire journey, from initial maturity assessment and the pursuant suggested roadmap through to the implementation of corrective measures and the deployment of advisory and GCHQ accredited academy services.