Black Arrow Cyber Consulting co-founder, Bruce McDougall CA, stresses why cybersecurity must be owned by the board
Bruce McDougall CA, co-founder of Black Arrow Cyber Consulting, tells Ryan Herman why this business-critical issue is too important to be left to squeezed IT departments
One of the great boom “industries” of the past few years has been cybercrime, which received a significant boost from the pandemic. Organisations typically used to hold all their precious information systems within the neat perimeter of their offices. Occasionally someone, needing to travel, would dial into the network from their hotel. But with remote working becoming the norm, and staff using their own devices to access corporate email and other information, that perimeter looks like more of a paint-splash that stretches into employees’ homes and public locations.
This has greatly increased the risk of cybercrime because the protections that prevented unauthorised access were designed for a different world. The cost of taking your eye off the ball can be catastrophic. Recent research in Europe and the US reported that 21% of companies said their solvency had been materially threatened by a cyber-attack, and 11% laid off staff following a successful attack. Companies in seven of the eight countries surveyed ranked cybercrime as the number one threat to their business.
There has, though, been another development in cybersecurity that isn’t generating any headlines but is of growing importance to FDs, CFOs and finance teams. “Increasingly, within many organisations, the cybersecurity team is nestled within the IT team, which, in turn, is allocated to the finance director or chief financial officer along with other departments such as legal and marketing,” says cybersecurity expert Bruce McDougall CA, co-founder and Director of Black Arrow Cyber Consulting.
“In other words, the FD/CFO has full responsibility for protecting the organisation from one of the biggest threats to its survival, and has to trust that it is being done correctly by a specialist team sitting two layers below the FD/CFO and out of sight. This has grown organically, and IT is often given to the FD/CFO along with other critical support functions,” he says.
“That may have seemed like a rational fit and probably not a bad thing to do at the time. But then, as online risks have evolved and the sheer number of attacks has grown, this has become a much greater risk than IT can manage alone.
“What should happen is they should take it out of IT and say this needs to be managed at a global enterprise risk level, because this risk has been growing slowly over the years without many FDs knowing it was happening. And they don’t necessarily have the skills to be able to manage it.
“The changes in the attitude of the cyber-insurance market give a strong signal that it is a matter of when, not if, an organisation experiences a successful and potentially hugely damaging cyber incident. When the FD/CFO is responsible for the organisation’s ability to protect itself against this, it is essential that they are sufficiently skilled in cybersecurity and have made a knowledgeable critical assessment of the reports and information that they receive from their internal and external control providers, including the IT team.”
To put this into context, McDougall says: “A finance director would not ask their own accountant to audit their own work. They would get an internal auditor to come in and do a check, which will prepare them for the external audit. But when it comes to the biggest risk in the business, they assume that the person they’re talking to in their team must have it all sorted, must be making all the right decisions, and therefore the business is safe. That’s a massive risk, and we see the results of that.”
CA insight
McDougall has been a specialist in this space since becoming HSBC’s Group Head of Governance, Metrics and Reporting for Cybersecurity in 2017. He sees it as a natural progression from his CA training – as he is fascinated by what makes a business tick.
“The ICAS qualification is great in terms of being able to help you understand how businesses function, being able to understand how to govern a business, being able to run a business,” he says. “I trained as an auditor. So that allowed me to visit many different organisations I was auditing. That gives you a great insight across different sectors, and different businesses of different sizes, to work with the leadership teams as part of the audit, and to be able to see what makes a business successful or not.”
After qualifying as a CA, McDougall went on to work with the global IT and management consultancy Capgemini for seven years. He then developed a career in HR with Barclays and Mercer, before moving to HSBC in 2011. After 18 years living and working in London, he wanted a change of scenery. He moved to Guernsey, where he co-founded Black Arrow Cyber Consulting with James Martel and Tony Cleal, the latter of whom had worked for British intelligence, including for the UK government’s National Cyber Security Centre, protecting critical infrastructure against attacks from nation states, terrorists and criminal groups.
“During my time at HSBC, it became quite clear to me that ultimately cybersecurity is about risk management,” says McDougall. “It’s about understanding the risks, and what controls or protections we need to have in place to protect ourselves.
“A lot of Black Arrow’s work is about dispelling assumptions and asking the right questions that may reveal a company doesn’t have the level of protection in place they thought they had. However, there also needs to be a clear understanding that you will never be 100% safe. Because every day across the world, hundreds of thousands of people wake up in the morning and their objective before they go to bed is to find a way through the things you thought, until five minutes ago, were keeping you safe.”
Protect and secure
There is also an understandable fear that cybersecurity may become a second-tier priority during a recession. It’s a step back from the sunnier times, when the introduction of GDPR in 2018 focused a lot of minds on the issue – not least the headline figure of being fined 4% of global profits in the event of a data breach.
“Organisations do tend to take very seriously their obligations with regards to GDPR,” McDougall says. “Because they recognise that it’s about people’s data, it’s about people’s lives. But they often conflate data protection and cybersecurity. So, they think that because they’ve worked on data protection, their cybersecurity is sorted. But they are two different things.
“It’s a Venn diagram in the sense that they do overlap a little bit. But one asks questions such as, ‘Do I have a lawful reason to hold this data? Is the data up to date?’ Cybersecurity doesn’t look at that. Equally, data protection is not interested in whether your money is safe, or whether your company’s internal financial reports are safe from being published online. If cyber gets meshed into the IT budget, at a time when companies may be taking a haircut of 5–10% but you still need to get these laptops for these employees, which one is going to suffer?”
So what does McDougall see as the best piece of advice for businesses juggling multiple priorities while seeing their profit margins come under pressure? “The absolute number one thing is cybersecurity must be owned by the board,” he says. “A critical first step is to recognise that an organisation will never be secure without aligned controls across people, operations and technology.
“To give you an example, think back to the attack on Uber last autumn where a contractor was tricked by an attacker into approving multi-factor authentication (MFA) notifications to gain access to their corporate account. When the contractor complied, the attacker gained extensive access to Uber’s information and systems and then posted messages on the company’s Slack channels to tell everyone about it. Although Uber’s IT team had implemented MFA as additional security, it appeared to have been undermined through weak people controls because the contractor did not understand or care what the control was for.
“Equally, strong operational controls are needed to detect payment fraud, for example, if an attacker impersonates a vendor and requests a payment to an alternative bank account controlled by the attacker.
“Another obvious mistake many businesses make, especially SMEs, is thinking they will know when an attack has happened. For example, we were looking at the Health and Safety Executive in Ireland, which suffered a massive cyber-attack in 2021. And the attackers were in for eight weeks before the ransomware was launched.”
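The MFA prompt-bombing pattern in the Uber example above leaves a trace in authentication logs: a run of denied or unanswered push prompts followed by an approval. The following is an added Python example, not code from Black Arrow or the article; the log format, usernames, thresholds and sample lines are all constructed assumptions.

```python
"""Added example: flag MFA push-notification bursts (prompt bombing) in
authentication logs. Constructed sample data; not Black Arrow's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, user, MFA push outcome.
SAMPLE_LOG = """\
2023-01-10T09:00:05Z alice push_approved
2023-01-10T22:14:01Z bob push_denied
2023-01-10T22:14:40Z bob push_timeout
2023-01-10T22:15:12Z bob push_denied
2023-01-10T22:16:03Z bob push_denied
2023-01-10T22:17:30Z bob push_approved
2023-01-10T22:40:00Z carol push_denied
2023-01-11T08:05:00Z carol push_approved
"""

def parse_log(text):
    """Parse the assumed 'timestamp user outcome' format into tuples."""
    events = []
    for line in text.splitlines():
        ts, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome))
    return events

def find_push_fatigue(events, window=timedelta(minutes=10), min_rejections=3):
    """Return {user: rejection_count} for every approval that was preceded by
    at least `min_rejections` denied/timed-out prompts inside `window`."""
    by_user = defaultdict(list)
    for ts, user, outcome in sorted(events):
        by_user[user].append((ts, outcome))
    alerts = {}
    for user, seq in by_user.items():
        for i, (ts, outcome) in enumerate(seq):
            if outcome != "push_approved":
                continue
            # Count rejected/unanswered prompts in the window before this approval.
            rejections = sum(1 for t, o in seq[:i]
                             if o in ("push_denied", "push_timeout") and ts - t <= window)
            if rejections >= min_rejections:
                alerts[user] = max(alerts.get(user, 0), rejections)
    return alerts

if __name__ == "__main__":
    for user, n in find_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user}: approval after {n} rejected/unanswered prompts")
```

In the constructed sample, only bob triggers an alert; carol's single denial the previous evening falls outside the window, which is the kind of threshold a SOC would tune against its own prompt volumes.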
But ultimately, McDougall says, the success or failure of a business’s cybersecurity systems is a matter of good governance: “It’s a fast-moving topic, which also makes it more dangerous for the business. But it’s a topic that truly relies upon every part of the business being part of the solution. It relies on HR doing its bit, on operations, including finance and payments, and all employees doing their bit, from entry level hires to the C-suite and NEDs. The controls and protections need to fit the business such that it can still flourish, but flourish more securely because its strategy fits the business.
“And that should be governed by the board.”
Meet the next big cyber-threat – ChatGPT
“Okay, so this is frightening,” says Bruce McDougall CA. ChatGPT was launched by OpenAI in November 2022. Just a few weeks later, at the time of writing, Microsoft looks set to invest $10bn (£8bn) in the company, which uses generative AI – meaning it can produce a piece of original written or artistic work from scratch.
GPT is short for generative pre-trained transformers. McDougall explains: “GPT is an online artificial intelligence tool that will generate things for you. So if you put in ‘write an article for me on a given subject’, it will write a pretty convincing article for you.” So convincing, indeed, that ChatGPT has already been banned from New York schools, as the city’s education board suspected students were using the tool to write their end-of-term papers.
ChatGPT obtains information by scraping data from a variety of sources. Although it doesn’t yet have the capacity to produce an article based on events of the past 12 months, it is easy to see how it could work if a student is writing a paper based on historical information. Users can feed data into the chat facility and it will produce responses as if having a normal text conversation with a friend or colleague.
This is why McDougall says the implications for cybersecurity are frightening. “We see in specialist media malicious actors trying to bypass ChatGPT’s safeguards to generate very convincing emails,” he says. “The days when you could spot phishing because of bad spelling and grammar are becoming a thing of the past. This is sharp. People need to be vigilant – you’re up against some very sophisticated adversaries.”