How seriously is cybersecurity taken in your organisation? Does your Audit Committee see security breaches purely as a problem for the Tesco Banks, TalkTalks and Ashley Madisons of this world? After all, why would a cyber-criminal pay any attention to a housing association?
It may sound far-fetched, but it is a live problem that is already affecting organisations in the sector. Take the following hypothetical but realistic example:
“Your server has been encrypted and any attempts to decrypt it will result in the permanent destruction of the data contained on it. The transfer of 5,000 Bitcoins* (instructions noted below) will resolve the situation in a matter of minutes and we’ll email the necessary code to you to un-encrypt your files. Please be assured, this is not being done to you personally – we see it as a commercial favour. Unless organisations like yours really understand the nature of the risks that can follow from poor cyber security (as yours obviously doesn’t, seeing as you are reading this message…) then this amount of money is a relatively small investment in organisational learning. We look forward to hearing from you soon.”
* For your information (in case you don’t follow the Bitcoin exchange rate the way you follow the dollar or the euro), one Bitcoin = £588.
Something like this, or more often a much less polite version, has already appeared on the desktops of senior executives in the sector. Having spoken to some of them, I find it difficult to convey the sense of eye-watering, bowel-loosening panic that sets in once you have processed the genuine meaning of this message: all of your data, all of it, has gone.
The key issue at the moment is not the technical solution (of which there are many, with plenty of choice) but getting the Audit Committee in particular to understand the nature and severity of cybersecurity risk, and therefore the appropriateness of the mitigating actions; to paraphrase Spinal Tap, turn the impact dial up to 11.
Of course, you could always just pay up.