Russell Kelly, managing partner, KPMG in the Isle of Man, says all bases need covering to ensure cyber safety.
We have recently passed the 30-year anniversary of the World Wide Web.
I have to remind my children, when they complain about a slow internet connection at home, about the pain (and boredom) I had to endure when we first got the internet installed, and the wait of at least five minutes to be connected.
Technology has come a long way over the last three decades, from slow internet speeds and basic websites to smartphones and being able to control your whole house by simply asking ‘Alexa’.
But when it comes to risk and how we view it, are we stuck behind the curve and not keeping up with technology?
While it may be conceived as yet another cost drain to a business’s bottom line and another task to add to the list, managing cyber risk is not just about compliance and box-ticking, but is a critical investment that can underpin an organisation’s long-term growth, value and sustainability.
I categorise these risks into three: business, reputation and regulation.
Looking at business risk: misconduct and fraud, governance and compliance, and operational risk are all areas that could bring a business to a standstill if provisions are not in place beforehand, or if policies are not in place during an ‘attack’ or breach.
Secondly, reputation. On the Isle of Man, trust is key, so ensuring you keep the reputation of not only your business but your clients is integral to success.
What can ruin reputations? Cyber and information breaches, third-party contract defaults, a lack of crisis management and business continuity, and finally being the instigator or the defendant in a litigation case.
Finally, everybody’s favourite word, regulation: anti-bribery and corruption legislation, privacy, geopolitical drivers and local/global regulation governing suppliers.
There is no mention of computers or IT here, by the way. That’s because, on average, an estimated 70% of cyber doesn’t involve a computer or IT system, yet it is an area we entrust IT departments to manage.
It is sometimes the most basic errors and preventable situations that can cause the most damage to a business, such as disgruntled staff leaving and taking client data with them or staff watching inappropriate material on work devices and putting the business systems at risk from malware.
What checks are in place for this to be prevented? How often are passwords reset in a business and do we allow them to be P@ssword1 and then three months later P@ssword2? How easy is it to get into the office?
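The password question above has a concrete technical answer: a change-time check that compares the proposed password with the current one, so that P@ssword1 followed three months later by P@ssword2 is rejected rather than counted as a new password. The following is an added example written for this page, not code from the article or from KPMG; the similarity threshold, history depth and PBKDF2 work factor are hypothetical policy values, and the passwords are constructed samples.

```python
"""Added example (not from the article): password-change checks that reject
the P@ssword1 -> P@ssword2 style of rotation the column describes.
Policy values are hypothetical; nothing here is a real organisation's policy."""
import hashlib
import hmac
import os
import re
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

SIMILARITY_THRESHOLD = 0.8   # hypothetical: a ratio at or above this is "too similar"
HISTORY_DEPTH = 5            # hypothetical: how many previous hashes are compared
PBKDF2_ITERATIONS = 100_000  # illustrative work factor for the history hashes


def _core(pw: str) -> str:
    """Lower-case and drop a trailing run of digits/symbols, so that
    'P@ssword1' and 'P@ssword2!' both collapse to 'p@ssword'."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def is_trivial_rotation(current: str, proposed: str,
                        threshold: float = SIMILARITY_THRESHOLD) -> bool:
    """True when the proposed password is the current one with only a
    suffix counter changed, or is otherwise near-identical to it."""
    if proposed == current:
        return True
    core_old, core_new = _core(current), _core(proposed)
    if core_old and core_old == core_new:
        return True
    ratio = SequenceMatcher(None, current.lower(), proposed.lower()).ratio()
    return ratio >= threshold


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 digest, as would be kept in a history list."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def reused_from_history(proposed: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """Exact-reuse check against stored (salt, digest) pairs. A hash reveals
    nothing about similarity, so only exact reuse is detectable here."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(proposed, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def evaluate_change(current: str, proposed: str,
                    history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the policy failures for a change request; an empty list means accept.
    The similarity check is only possible at change time, when the user has just
    supplied the current password in clear; the history check works on hashes."""
    failures = []
    if is_trivial_rotation(current, proposed):
        failures.append("too similar to current password")
    if reused_from_history(proposed, history):
        failures.append("reused from password history")
    return failures


if __name__ == "__main__":
    # Constructed sample: a user who has been bumping a counter every quarter.
    history = [hash_password("P@ssword0"), hash_password("P@ssword1")]
    for proposed in ("P@ssword2", "P@ssword0", "correct horse battery staple"):
        print(proposed, "->", evaluate_change("P@ssword1", proposed, history) or "accepted")
```

The two checks are deliberately separate because they see different data: similarity can only be judged against the clear-text current password the user has just typed, while the history list holds only hashes and can therefore catch exact reuse and nothing else.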
I often hear people say: ‘We need a high profile firm on the island to be hit for people to sit up and take action,’ which I find staggering.
Those kinds of statements are like identifying issues with a boat and hoping that it is your peer’s boat that sinks, not yours. Ultimately, for the Isle of Man, one big breach, whether it be data, cyber or fraud, doesn’t just affect that firm; it affects Isle of Man PLC as a whole. So what are we as an island doing to prevent that?
It needs to start at board level. So, going back to my three categories of risk, what questions need to be asked in the boardroom? And if we aren’t asking them, maybe we need to start.
Business risks: Do firms have a risk management policy? How are the top risks identified and managed? Is the board made up of a good cross-section of professionals with the right skill sets to assess risk?
Reputation: Are you prepared to respond to extreme events? Do boards even know what their current maturity level is, and the impact cyber security has on their business? Is there a cyber incident plan, and how often is that plan tested? Are you undertaking regulatory due diligence on vendors, agents and third parties?
Finally, regulation: do we have transaction monitoring systems to detect suspicious activity? Is there a reporting hotline for internal and third parties to report concerns? Are firms under any regulatory actions?
Again, no mention of a computer or IT systems.
Yes, it can all appear doom and gloom, can’t it? But let’s flip it around and look at the importance, to board members, shareholders and directors, of mitigating these risks.
Improved awareness for threat identification and management creates a strong risk culture throughout the organisation, allows for more effective reporting, processes and internal controls, helps minimise disruption and, most importantly, enables better business performance. Ultimately all the risks will trickle down and impact clients/customers in some way.
I appreciate what I have covered so far from a cyber and risk perspective is quite negative.
It shouldn’t be seen as negative but rather good governance and ensuring the right policies and procedures are in place.
But, going back to my earlier example of the internet and smartphones and how far technology has come: what is next, what major advances are we seeing that will transform our lives and, importantly, our island over the next 30 years, and what can be done to stay at the forefront of risk so we’re not chasing our tails? There are two I want to focus on that I am excited about: the first is Artificial Intelligence/Robotic Process Automation and the second is blockchain.
Artificial Intelligence (AI) is not necessarily ‘new’ but I believe that, in conjunction with Robotic Process Automation (RPA), it will transform the way businesses operate, and I hope the Isle of Man can be at the forefront of this wave of digital technology.
We refer to ‘AI’ as technology that is able to perform tasks commonly associated with intelligent beings, and can therefore work like people, or better than them at certain tasks. RPA, by contrast, refers to the advanced automation of tasks previously carried out by humans, through hard-coded or configured software. The process remains the same unless humans change the code, and the system is unable to cope with undefined scenarios.
There has been a lot of talk in the press recently about how robotics will increase unemployment by up to 1.5m, and I fundamentally believe that this will not be the case; rather, it will enable businesses and their staff to evolve, enabling better efficiency.
Millennials, whether we like it or not, are really pushing the boundaries of how businesses operate; recent statistics state that work/life balance is becoming more important than career growth and status. The mind-set is changing and, as I mentioned with risk earlier, are we keeping up? The process of developing AI and RPA solutions could actually increase employment in a small economy such as the Isle of Man.
For AI to be deployed successfully, organisations and society need to be able to trust it to make the right decisions and/or not to make the wrong decisions. The accuracy of decision-making will largely come from training by humans (at least initially), and trust will build over time as these new systems demonstrate, consistently, the ability to make decisions faster and more accurately than their human trainers. As the architects of these systems, we should work to ensure they enhance the human experience, and one way in which they could do so is through the automated detection and management of risk.
Finally, blockchain, a concept introduced by Satoshi Nakamoto (a pseudonym) back in 2008.
Blockchain is a permanent record of transactions within a network. The network is then protected by using multiple ‘blocks’, which are individually encrypted and require all ‘blocks’ within the ‘chain’ to speak with each other when authorisation is required. For example, when used for a transaction, everything is recorded, including information on the date, time, participants and amount of every single transaction, of which there could be thousands, in a secure manner.
We are slowly seeing major corporations, institutions and stock exchanges adopting blockchain solutions, with it evolving in its utility and becoming more mainstream. It is therefore encouraging to see the island’s stance and approach with the launch of the blockchain office in February, and it is clearly an exciting time to be involved in that space. The island has a great opportunity to forge ahead in this space and create a robust ecosystem which can bring wider economic benefit.
One benefit of using blockchain from the risk management perspective is the transparency of transactions. When information is transferred between nodes on a blockchain, the details of that transfer are readable by everyone, which means that transactions can be monitored in real time. Blockchains are also highly resilient, as the records of these transactions are synchronously recorded by all the participants on the blockchain. Taking down one node on a blockchain does not erase data or change records, as all the information is stored immutably across all the nodes.
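To make the two properties in that paragraph concrete, transparency of each record to every participant and the detectability of a change to any one node's copy, here is a toy hash chain replicated across several nodes. It is an added teaching example, not code from the article or from any blockchain project: there is no network, consensus protocol or signing, nothing is encrypted, and the transaction records and node copies are constructed samples.

```python
"""Added example (not from the article): a toy hash chain replicated across
several nodes, showing that every participant can read each record and that
altering one node's copy is detectable. Teaching model only: no network,
consensus protocol or signatures, and nothing is encrypted."""
import hashlib
import json
from copy import deepcopy
from typing import Dict, List, Optional

GENESIS = "0" * 64  # constructed placeholder meaning "no previous block"


def block_hash(index: int, prev_hash: str, record: Dict) -> str:
    """Hash of the block contents plus the previous block's hash; this link
    is what makes a later change to any earlier record visible."""
    payload = json.dumps({"index": index, "prev": prev_hash, "record": record},
                         sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_block(chain: List[Dict], record: Dict) -> Dict:
    """Append a record, linking it to the current tip of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    index = len(chain)
    block = {"index": index, "prev": prev, "record": record,
             "hash": block_hash(index, prev, record)}
    chain.append(block)
    return block


def verify_chain(chain: List[Dict]) -> Optional[int]:
    """Return the index of the first block whose link or hash is wrong,
    or None when the whole copy is internally consistent."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if (block["index"] != i or block["prev"] != prev
                or block["hash"] != block_hash(i, prev, block["record"])):
            return i
        prev = block["hash"]
    return None


def agreeing_nodes(copies: List[List[Dict]]) -> List[int]:
    """Indices of nodes whose copy is internally valid and whose tip hash
    matches the majority; a node holding a rewritten copy is left out even
    though its copy passes verify_chain on its own."""
    tips = [c[-1]["hash"] if c and verify_chain(c) is None else None for c in copies]
    valid = [t for t in tips if t is not None]
    if not valid:
        return []
    majority = max(set(valid), key=valid.count)
    return [i for i, t in enumerate(tips) if t == majority]


def build_sample_chain() -> List[Dict]:
    """Constructed transaction records of the kind the text lists:
    date, time, participants and amount."""
    chain: List[Dict] = []
    for rec in (
        {"date": "2019-03-01", "time": "09:15", "from": "A", "to": "B", "amount": 100},
        {"date": "2019-03-01", "time": "09:20", "from": "B", "to": "C", "amount": 40},
        {"date": "2019-03-02", "time": "14:02", "from": "C", "to": "A", "amount": 15},
    ):
        append_block(chain, rec)
    return chain


def tamper(chain: List[Dict], index: int, record: Dict,
           recompute: bool = False) -> List[Dict]:
    """Alter one record on a single copy. With recompute=True the hashes from
    that block onward are rebuilt, which makes the copy self-consistent but
    changes its tip, so it still disagrees with the other nodes."""
    copy = deepcopy(chain)
    copy[index]["record"] = record
    if recompute:
        for i in range(index, len(copy)):
            prev = copy[i - 1]["hash"] if i else GENESIS
            copy[i]["prev"] = prev
            copy[i]["hash"] = block_hash(i, prev, copy[i]["record"])
    return copy


if __name__ == "__main__":
    honest = build_sample_chain()
    altered = {"date": "2019-03-01", "time": "09:20", "from": "B", "to": "C", "amount": 4000}
    node_copies = [honest, tamper(honest, 1, altered),
                   tamper(honest, 1, altered, recompute=True), honest]
    print("first bad block on node 1:", verify_chain(node_copies[1]))
    print("nodes that agree with the majority:", agreeing_nodes(node_copies))
```

Two kinds of alteration are shown: editing a record in place breaks that block's own hash and is caught by `verify_chain`, while rewriting the hashes from that block onward produces a copy that verifies on its own but whose tip no longer matches the other nodes, which is the point of holding the same records on many participants.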
Naturally, new threats and methods of attack will arise over time, and our systems for detecting and managing them need to be up to the challenge. Risk management is a journey, not a destination, and good governance on the corporate side will help ensure the safety of our businesses and their customers.
So where is your business when it comes to risk? Are you the kind of person who thinks your risk is low probability, low impact, or high probability and high impact, or have you not even considered where you are positioned?
Even if your business is not large enough to bring in AI risk management systems (perhaps especially if so), it is vital to regularly review your policies and procedures to ensure vulnerabilities are kept to a minimum.
There are a number of good organisations and resources on the island that specialise in risk management for businesses.
For the benefit of you, your business, your customers and the island, I’d encourage you to review your risk, particularly around cyber, ensuring all bases are covered.