Governance Watch

Business Survival in the Age of Cyber Threats

Cybersecurity has become a boardroom imperative, not just an IT concern. In this episode of Governance Watch, Dr. Ruth Wandhofer explains why recent high-profile attacks signal a new era of risk and why boards must act now. We explore how AI is powering sophisticated cyber threats, why perimeter defense is outdated, and what it takes to shift toward a proactive “predict, prevent, and defeat” strategy. From understanding your most valuable data to managing third-party risk and challenging vendor promises, this conversation offers practical steps for directors and senior leaders to strengthen resilience and protect business continuity. 

This podcast is brought to you in association with Nasdaq Governance Solutions, supporting boards and leadership teams with technology and insights to navigate today's evolving governance landscape.

Welcome to Governance Watch, the podcast from Board Agenda, your essential source for governance intelligence.

Hosted by the Board Agenda Editorial Team.

We bring you insightful conversations with Board members, C suite executives, governance leaders, and investors, delving into the biggest issues shaping corporate leadership today. For expert perspectives and strategic insights, stay with us as we explore the leadership of business.

Governance Watch is a Board Agenda podcast.

Hello, and welcome to Governance Watch, the Board Agenda podcast about all things corporate governance.

In this program, we are talking about cybersecurity. Last week, the National Cyber Security Centre warned that for far too long, cybersecurity has been a subject for techies when it should be a hot topic in the boardroom. Recent events bear that out. Marks and Spencer has reportedly lost hundreds of millions after a cyber attack shut down online orders.

Jaguar Land Rover was forced to shut down production at factories around the world after the company was also targeted. The cost of getting things wrong is now astronomically high. With us to discuss these developments and how boards should respond is Dr Ruth Wandhofer.

Ruth is a highly experienced non-executive, visiting professor at Bayes Business School, a director at cybersecurity firm Blackwired, and an expert in risk. Ruth, coming to you: are events at M&S and Jaguar Land Rover a very raucous wake-up call? And was the NCSC right to highlight this?

Absolutely. And I might just quickly quote Dr Richard Horne, the CEO of the NCSC, who basically said cybersecurity is now a matter of business survival and national resilience. We have seen roughly fifty percent or even more of incidents over the last year alone that were nationally significant.

And you pointed out two very good examples. In fact, maybe just for the audience to quickly underline: Marks and Spencer not only lost three hundred million in operating profits that were expected, making up roughly thirty percent of their annual expected profits, but also got one billion of stock value wiped out on the market. And similarly, Jaguar Land Rover has roughly one point nine billion loss so far. One of those billions is in stock market value.

So, one thing to bear in mind is it's an implication around actual business profits as much as it is stock market value. And the third piece, which is critical in both and certainly very critical at Jaguar Land Rover, is the whole third-party supply ecosystem, which gets dragged down as well.

So these are very much ripple effect incidents. And we've really seen in the last year an incredible acceleration of those types of attacks. So it is a matter of national security indeed.

Do we know what role artificial intelligence is now playing in cyber attacks?

Yeah, that is exactly the right question. Artificial intelligence has become so accessible through the publication of large language models and other types of technologies in the last few years that the adversaries are significantly leveraging automation everywhere. We do remember the good old times of denial of service attacks, which in fact have experienced yet another spring and summer in the last half year to year, where AI is used as an automation tool so that literally organizations are being carpet bombed by DDoS attacks, which of course makes operation impossible and stalls productivity, etcetera.

These types of attacks are often the initial phase of an attack to confuse an organization because they're not necessarily yet in the data exploitation phase. But we also have other AI tools very much deployed in the ransomware context where AI trawls through an organization's data to identify the most valuable data in order to ransomware that data. So it's all about intelligence hurting you where it is the most difficult and hardest. And this is where AI is coming to the fore because all of these things are now done by machines.

Now, I mean, AI sounds frightening in this context.

It's pretty quickly becoming the of cybersecurity.

Is it unstoppable though? There is room to maneuver, I assume.

Well, I think the bigger question on AI and its evolution generally and how it impacts society is really the question here, because it is not unstoppable. AI is integrated into every system, even if we think about how infrastructures operate, how airplanes are flown, how computer machines work. Everything has had AI components in it for a very long time. And it's becoming now even more ubiquitous if we think about how financial service organizations and others are using AI to automate processes, Microsoft Copilot being rolled out left, right, and center, not necessarily with the productivity gains yet showing.

AI is now everywhere. AI is a big trend. But the bigger question is, where's AI going in terms of the investments that are being injected in Silicon Valley? And are we truly trying to create super intelligence, which of course would be our very last industrial revolution, because agency would suddenly be with machines?

And you can only quote Terminator Genisys and Matrix and Minority Report in that regard because this is the bright future that could happen.

That's a frightening future indeed. Now, the classic approach to cybersecurity has been protecting the perimeter. I think we had a quick exchange about this; that broadly means stopping criminals from getting into your systems. But I think your view is that we are ready for an update in that paradigm in how we approach cybersecurity?

Yes, indeed. Since the 1980s, businesses that have increasingly digitized over the decades have been trying to protect a perimeter which is no longer there in a hyper-connected world. So only focusing inward, making sure that your firewalls are intact, that you have email security, endpoint security, and all the other types of technologies and tools that are being deployed there, is not really sufficient. Ultimately, the perimeter is you as an individual.

If you take the wrong actions, or if you are inside a fraud threat, for example, again, that perimeter completely goes out of the window. So what is really important is to actually focus on the outside external threat landscape. This is something that is really a specialization of certain cybersecurity firms. And again, we come from a tradition over the last decades where threat intelligence is a huge data dump of information that, to ninety-nine percent or ninety-five percent, is really not relevant for your particular organization.

Something has been identified and documented in open source to be a threat. But it doesn't mean that it attacks your organization because threat actors tend to be very specific across industry silos. They would have specific banking trojans that are not deployed in manufacturing companies, as an example. And so, threat intelligence has become a little bit of a kind of a necessary, unnecessary type of product because it really doesn't give you the intelligence you need.

You have lots of false positives, which is why the larger the firm, the more people are being deployed in cybersecurity teams to identify where the false positives are. So, there's a lot of manual and analyst work involved here. And I think we're now getting to a point where technology is actually capable of leveraging cyber artifacts, databases, leveraging AI, machine learning, natural language processing tools, which have been well researched and are mature now in the market over the last decades, to actually identify from the threat landscape who's the adversary that really wants to go against your firm.

And this is where the outcome of all of this is direct threat intelligence, which is organization specific.

This can now be done. It can be visualized in 3D. And the way that it's done is really using sensors in the market, using information from the OSINT model and the dark web, and combining all of that data with cross matching into a large cyber artifact database and AI models to see that this particular small piece of code in a very innocuous file somewhere outside on the web is actually bad code.

And as soon as you start to identify bad code, you can cross match and you can start to see the adversary, for example, in the aim phase, doing a passive scan of your organization, which is the first sort of step to identify that they want to go against you, particularly as an institution as opposed to the whole industry or the whole world. You have then the readiness phase, where you can see the adversary building up infrastructure and campaigns, phishing campaigns, ransomware campaigns, development of certain malware solutions to ingest in order to exfiltrate data, which is always the first big piece.

And we've seen lots of the hacks in decades now being focused on data exfiltration and then the abuse of that data to impersonate, to financially defraud, etcetera. And then you have the final fire phase. And this is really the three-step process that adversaries always follow. It's always aim, it's always getting ready, and it's always fire.

There can be incredible time lags within those phases. So you could have a campaign being ready for thirty, forty, one hundred days, two hundred days until a threat actor decides now is the right moment to strike. And that would be the fire phase. And of course, as you start to see all of these phases building up outside already with that threat intelligence tooling that you can have technologically, that is when you can ingest this information into an organization's endpoints.

So of course, organizations need their security stack. Of course, they need firewalls and endpoint security, email security, identity management, etcetera. But once you start ingesting this data in an automated way, the attack can come and will not hurt you. You can even see ahead of time the phishing email you will get sent by the time the threat actor is deciding to send you this email.

And even if you have somebody internally (back to the perimeter point) clicking on the email, the phishing email will have been deactivated. So there's no harm that can happen. So this is technologically possible now.

And this is really the way you can defend forward by moving from detect and response to a proactive predict, prevent, and defeat strategy, which is really high time that the whole industry globally across any industry silo has to adapt because the losses are just getting out of control.

That's quite a gripping development in the technology. I suppose the big question, if I'm a board member listening in, is how I reorient my organization from the protected perimeter to the kind of approach that you're talking about: predict, prevent and defeat. How does that process work? What are the things that have to happen?

So depending on the organization, what we've seen, and even sometimes irrespective of size, is that many organizations, if we just look at the UK, really haven't extensively implemented Cyber Essentials, which is step one to even having a minimum cyber hygiene, which has to do both with physical and digital security, with training teams, making sure people don't use simple passwords, don't share passwords, all the things that we really have known for a long time. But if that minimum hurdle isn't there, for any adversary it's so much easier just to walk in the door. So certainly, Cyber Essentials is the first must-do for anyone who hasn't done it.

And I would hope that Marks and Spencer, perhaps Jaguar Land Rover, and even the recent hack of the Chinese surveillance network itself in June, which is hilarious: there were four billion records exposed, including bank details and home addresses of individuals that were subject to Chinese surveillance. So it is interesting to understand that even China gets attacked at the highest government level in terms of their own surveillance technology, which is sort of, in a way, awesome.

If we think about the minimum standards, they have to be there, and that has to be table stakes, like even below table stakes. The second step, what I do see, is that until a breach happens, and clearly sometimes organizations need a lot of time to identify that a breach even has happened, because it's not as obvious as turning off the systems and giving you blue screens in some of the incidents we have seen, the board only usually gets involved when something bad has happened. So here, I would say this has to be another complete mind shift from a board level, because you need to be proactive now to understand: what is my current cyber posture, what are my tools and protections (back to the minimum perimeter at least), what am I doing? How do I actually leverage threat intelligence?

Small organizations usually haven't even heard of threat intelligence. And here, we're really talking even about the specific direct threat intelligence. Large organizations tend to buy solutions that don't give you really the right intelligence, back to the false positives.

But the larger you are, the more you need to really be focused on having the real intelligence that protects your organization from being attacked, and really challenging your vendors to say: What is out there? Please show me the threat that is going to attack me. Because this is now possible. So I think everybody has to start probing along those lines in larger players.

In the smaller players, there's usually not sufficient budget for all of these things. So this really is about having functioning firewalls, functioning policies and procedures, email security, physical security, and all the other things. But I think what a board member really has to do, if it hasn't happened yet, particularly in the current environment, is to say, can we please have a stocktake of our current cybersecurity management? What is our estate in terms of tooling?

How effective is it being used? What is the feedback from the vendors in terms of how they protect you? And some vendors may say they do protect you even though they don't. So you have to be very careful with that.

So understanding those certain postures and promises in the market as well is important, because you need to be challenging your vendors, making sure that you even do have somebody who is responsible for security and cyber. Some organizations may have a head of risk. Some may not even have a head of risk. Usually cybersecurity is one distinct silo under risk.

But ultimately, it is the most important when it comes to keeping the company as a going concern.

So, clearly, for listed companies, you are already at a size where the going concern implications have to translate back into how operationally resilient am I. We have, of course, in Europe, the Digital Operational Resilience Act, which is very specifically focusing on this area. The UK is also along those same principles and further adding regulatory pieces. But this is really about your own interest to keep the lights on.

Because coming back to Dr Richard Horne, this is about business survival. And I do think that it's now the time for boards, particularly with the publication of the NCSC study, to go back to their teams in the next board meeting and say: We want a specific deep dive on what are we doing on cyber? What were the things where we've been exposed, and how did we resolve them?

If we've not been exposed to anything, it's going to come. How high are the risks? And also, what is my third party ecosystem? Because a lot of cyber attacks are being started by third parties as the launch pads.

So it becomes less obvious. And if you have a third party that is vulnerable, third parties are often not aware of this. So again, technology exists to monitor your third parties and how threat challenged they are and how vulnerable they are, and as soon as you get into that discussion, you're also doing the right thing in terms of having your operational resilience across third parties. But being aware of your third parties and what they supply you with is absolutely critical.

And if you take a sort of higher step outside even the cyber piece alone, just with the recent AWS server problems that have taken down a number of companies globally for quite a few hours, this is a huge third party risk. It's complete concentration. Everybody's sitting with Microsoft, AWS, Google Cloud, Azure.

And operating system and technology concentration is so high, particularly in industries like financial services, that you need to apply a rethink to say: how do I get a backup? How do I get an alternative provider? How quickly can I switch? And this is, again, really operational resilience at the core. Cyber always plays into it, because you could also have a hack of a third party in that instance that brings your service down. But if the service is down, the knock-on across you and your own supply chain can be significant.

That was very revealing. I want to take you back to the beginning of what you were saying. You talked about the board ordering some kind of stocktake of cybersecurity.

I often ask this question.

I think what's key is that the board understands the answers that they get from that kind of stocktake. And I wonder what that requires. Can boards, or board members, rely upon their all-rounder knowledge and experience?

Or do you need a specialist in the boardroom to gather those answers from the stocktake and declare whether the board is now satisfied or dissatisfied?

So the general attitude should always be dissatisfaction, because the risks are always there and they tend to exponentially increase. But I would say certainly for listed firms that will have a budget on training, and board members go through regular training across every type of area, anti money laundering and you name it, geopolitical risks, economics, etcetera, cyber training should have already been part of this training cycle.

I think getting cyber experts in that have had hands-on experience with real incidents. I remember years ago I was on a board and we got the CISO of Maersk in, who talked about how Maersk went down for several months and how that basically shattered the whole earth of global trade.

These are the most interesting sessions, where you get a total walkthrough of how an incident was revealed, how the first responses were, what the challenges were, what the lessons learned were. Because a lot of it has to do also with what happens if something happens.

You need a cyber playbook on an incident. So again, that's unfortunately detect and response after the fact. But you need to be set up for if something happens, how do we react?

And that you can do with training. You also need to have a bit of a minimum vocabulary around the types of incidents, the different uses of technology, because this is becoming now really ubiquitous and real time.

And you need to make sure that you have whatever you can do in terms of your Cyber Essentials and internal security in place. But I think that next step is then really to challenge maybe a menu of vendors that you have, to find out which vendors have maybe not given you what they promised, have said that they will protect you from attacks, and it hasn't happened. Clearly, not every firm has been attacked yet.

But the problem is that the ability to attack is so much easier now for the adversaries. And we do see across the globe that we have incredible threat levels rising exponentially.

And these attacks will all eventually unfold. I think it's also important to remember critical national infrastructure, which is something we haven't necessarily touched upon. But this is another huge area that is now ripe for attack because all these old operational technology systems have outdated software, have unpatched vulnerabilities, weak authentication.

And I think there's maybe, unfortunately, an assumption that these systems are not really connected to the internet, but they are. They are very much exposed. And we're starting to see more attacks on critical national infrastructure, which is a way of cyber war exercises by third-country rogue nations. It undermines economic ability, public confidence, and it really needs a fundamental rethink of national security. And again, that was also very much highlighted in the NCSC report, because these vulnerabilities are even higher than in some of the more established industries on the listed stock market. So that is coming, and that can really truly create unrest in society.

Uh-oh. Anyone listening to this, I mean, listening to your comments about the strategic approach, the stocktake, the role of board members, might also ask themselves, well, what's the role of traditional risk governance here? Do the three lines of defense still apply?

Yeah, it's a good question. I mean, three lines of defense are certainly better than two or one, so I wouldn't want to challenge this at all in terms of the need to have it. But I think the most important piece here is that cyber has to be on the CEO agenda all the time.

And I think back to your introductory comments, cyber has always been a little bit of an afterthought. If it's not on the CEO agenda that keeps him or her awake at night all the time, then it's not in the right place. It has to be also on the top of the mind of the CFO or the chief investment officer because we have so much financial fallback through these types of attacks. I mean, ransomware being one of them.

And I may just say a few words on ransomware because that's always been a bit of a debate. Do I pay ransomware? Do I not pay ransomware? How does this work?

And will the government ban me from paying ransomware? That is currently not the case. But the real challenge is, in reality, ransomware attacks, which, as I said earlier, identify very valuable data in your estate and obviously lock that data and tell you to pay X amount of crypto, which these days also is often not Bitcoin. It's often Zcash or Monero, which are the very private cryptos that can't really be traced very easily.

And therefore, you need to actually have some sort of standby facility with an incident response team and your insurance to be able to even source this stuff because that doesn't happen overnight either.

But the big problem here is that ransomware attacks do not need to be perfectly executed. Statistically, Hiscox has recently shown in a study that only roughly sixty percent of ransomware recoveries, where the business has paid the money and got the encryption keys in order to unlock the data, only sixty percent of the cases were successful. That is almost a fifty percent unsuccessful rate, which is a real problem, because people are paying quite a lot of money and may not be able to actually get their data back, or their data gets leaked if they don't pay quickly enough. And what we do see is that these types of ransomware attacks sometimes are really badly designed on the fly, because the fraudsters, once they get the money, don't really need to perform to SLAs to make the decryption keys work well, right?

So we do have situations where either the challenge of decrypting is something that is technically difficult, where you need the right teams to help you with that, or the decryption keys just don't work because they haven't been designed properly.

And of course, by now, the fraudster is over the hills with the money and doesn't need to care about that problem. So this is something to also keep in mind when a board is faced with that decision, which really means that right now a board has to say: okay, what are our valuable data assets? Where do they sit? What type of backup do I have for these data assets in a secure location that is very hard or impossible to hack? Offline, of course, really important, because anything online can be hacked.

If you protect your assets proactively in this way, a ransomware attack may come along, may encrypt your data, but you still have backup. And therefore, you wouldn't pay the ransom and would let them do what they want. If, of course, that data is very sensitive and you don't want it to be leaked, you are in a different position, and the fraudsters will know this from the start. They will encrypt the most valuable sensitive data and they will threaten with publication on the dark web.

Again, there are cyber businesses out there that can trace all of this and understand whether any data has actually been leaked or not, because this stuff is often very invisible to businesses. So there are different ways of going about this problem, but it starts back at the point: you need to understand your cyber estate, you need to understand the most valuable data, and you need to have data backups offline for the most valuable data. There's no way around it.

And if you haven't thought about this until now, now's the time even on a Friday morning to start action.

Always the best thing to do on a Friday. I just want to quickly ask on that, there were stories around about the government intending to ban paying cyber criminals for ransomware attacks. But I thought I also detected more of an appetite, if I can use that term for refusing to pay. I think there was a notable public body that recently refused to pay up during a ransomware attack and they still managed to deal with it relatively effectively.

Yeah, and I think that's exactly where people should get to, which means: understand your data, protect it, understand your systems and their vulnerabilities, try to patch what you can, and also use direct threat intelligence to really avert attacks, which includes ransomware. If you come back to my early example, there's technology out there that can see a ransomware attack when it's being built.

So that means the ransomware attack tries to hit you, tries to steal your data and penetrate your systems, and it cannot, because the code of what it looks like is already known to the technology provider that has already ingested it into your endpoints.

So you can prevent ransomware attacks very effectively before they happen.

And I think this is sort of, I guess, the extreme point. If you have budget and you challenge your vendors and you see that there's something out there that can deliver it, that is your ideal position. But for anybody who's not at that point, or in that kind of budgetary cycle, or is not willing to replace maybe some large vendors that really don't deliver that much benefit, then think about, for sure, protecting your data in the right way so that you can end up refusing. I think the bigger concern I have going forward is critical national infrastructures being attacked by ransomware and the role of governments. Because we have seen governments pay ransomware without declaring this to their population, and that is obviously taken out of the taxpayer's kitty.

And that becomes a bigger question, again, on national budgets.

Even if you think about the whole too-big-to-fail Jaguar Land Rover dilemma: in the past, we had to save banks, right? That was still sort of feasible, and somehow we all kind of self-corrected in the market over the years. But if we are now saying that a Jaguar Land Rover and any other potential big entity could be too big to fail, and extend a government guarantee of sorts, that can become quite expensive quite quickly. So again, be very careful with too-big-to-fail arguments here. Try to be preventative. Yeah.

I was just looking at some background information and in fact, there are some statistics kicking around showing that ransomware payments dropped off last year at least. So it sounds as if organizations are becoming more robust in their response. Ruth, I want to ask, in terms of the governance of cybersecurity, where does the governance most often go wrong? Where are the key failure points? If you could go through those very quickly, say give us a top two or three.

Just identify the things that people should look out for as common failures.

Yeah, I think the first failure is that people only get alerted to cyber when something bad has already happened, which is really too late, which leads me into the preventative: prepare, understand. I think understanding your own business to the extent that you know which data is valuable and necessary to operate, which systems cannot be breached, this is the critical point. And I think very often this is overlooked, because there are operational elements which sort of are also not always at the forefront. I think now we see so much third-party risk.

I think the operational piece is coming to the fore more. But really understanding what you really need to protect as a business is really the second point. And often, once you start looking at an incident and you say, Well, okay, how do we protect it? What is important?

What do they have? You start to answer, hopefully, those questions then, when it's too late. So, the two are really linked. So, I think having that real understanding and then having the preventative measures to make sure that that data which is essential, those systems that are critical, have fail-safes, have backup facilities, have offline data, is really the second.

And also, I think what I always found striking is CISOs are actually really important in today's world. They usually operate under heads of risk.

And heads of risk are really important. And usually, heads of risk, unless something totally breaks down, are also not very much listened to by the business, right? So, I think the board has a role, similarly to maybe years ago where compliance was a huge issue and nobody wanted to listen to a compliance officer, which is actually still the case today, certainly in banking. We need to be able to elevate these conversations and to have an opportunity of certainly having the head of risk at each board meeting, which tends to be the case, but also getting the CISO in more often. Because you want to be sure that you have the right CISO, the right team, and that you have the right allocation of vendors to FTEs.

Very often, you don't need hundreds of people necessarily because the efficiency of a human tackling a machine in a machine war is diminishing very rapidly, which again leads into that sort of vendor and technology discussion around how we can optimize something. Because what you want to be really careful with is internal vested interest. Sometimes a CISO may have a big team of hundreds of people, a big budget, spending lots of money without really getting the result they need. And if some new technology comes along that is much cheaper priced and could replace part of your team, it could be that the CISO is not very keen on doing that because they will lose internal power and budget, right?

So I think being very clear on internal fiefdoms and vested interests, which in this instance would be very much a barrier to protecting the business going concern, is absolutely critical and can often be a very weak point.

Ruth, thank you very much for that all pertinent advice. And I'm sure events at Marks and Spencer and Jaguar Land Rover have everyone moving this to a much higher position on their board agenda. We referred to the National Cyber Security Centre report that was out last week. You can access that, if you're listening, at ncsc.gov.uk. Ruth Wandhofer, thanks very much for joining us on Governance Watch today.

Thanks to everyone for tuning in. I've been Gavin Hinks. Goodbye.