Ransomware is your biggest threat, NCSC CEO tells business

As head of the National Cyber Security Centre, Lindy Cameron believes company leaders must improve preparedness and resilience by educating staff – and themselves

Lindy Cameron is a difficult person to reach. That’s understandable: as CEO of the National Cyber Security Centre (NCSC), she’s at the forefront of the UK’s fight against computer security threats. While it’s tough for a journalist to negotiate an interview, it’s reassuring that she’s dedicated to her task. 

The NCSC provides advice and support for public and private sector organisations, helping them avoid computer security threats. Cameron took the helm in October 2020, succeeding inaugural CEO Ciaran Martin, who stepped aside after four years in the job.

Her assessment of cyber threats, themes and advice should be required reading for CIOs and other members of the C-suite. Indeed, on the rare occasions she has spoken in public since taking up the role, she hasn’t held back.

For instance, in March she warned of the UK’s need to be “clear-eyed about Chinese ambition in technological advancement”. Speaking in her first address as CEO, she chided China’s “hostile activity in cyberspace” while adding that “Russia [is] the most acute and immediate threat” to the country.

Ransomware: an immediate danger 

The former number two at the Northern Ireland Office has over two decades of experience working in national security policy and crisis management. She was equally forthright and insightful in October’s keynote speech at Chatham House’s Cyber 2021 conference, where she reflected on her first year at the NCSC and identified four key cybersecurity themes. The most alarming is the pervasiveness of ransomware, the scourge of business leaders.

In May, US cloud-based information security company Zscaler calculated that cybercrime was up 69% in 2020. Ransomware accounted for over a quarter (27%) of all attacks, with a total of $1.4 billion demanded in payments. And those figures didn’t include two hugely damaging breaches that occurred in 2021, which point to a widening scope for bad actors.

July’s ransomware attack on multinational remote management software company Kaseya affected thousands of organisations and produced the largest ransomware demand ever seen: $70 million. The REvil ransomware gang that claimed responsibility for the attack demanded ransoms ranging from a few thousand dollars to multiple millions, although it’s unclear how much was paid. The gang said 1 million systems had been impacted across almost 20 countries. While those numbers are likely to be exaggerated, the attack triggered widespread operational downtime for over 1,000 companies.

The Kaseya incident came two months after the attack on Colonial Pipeline, one of the largest petroleum pipelines in the United States. The attack disabled the 5,500-mile system, sparking fuel shortages and panic buying at gas stations. Within hours of the breach, a $4.4m ransom was paid to DarkSide, an aptly named Russian hacking group. Despite the payment – later recovered – the pipeline was down for a week.

“Ransomware presents the most immediate danger to the UK, UK businesses and most other organisations – from FTSE 100 companies to schools; from critical national infrastructure to local councils,” Cameron told the October conference. “Many organisations – but not enough – routinely plan and prepare for this threat, and have confidence their cybersecurity and contingency planning could withstand a major incident. But many have no incident response plans, or never test their cyber defences.”

Managing and mitigating cyber risk

The sheer number of cyberattacks, their broader scope and growing sophistication should keep CIOs awake at night. The latest Imperva Cyber Threat Index score is 764 out of 1,000, nearing the top-level “critical” category. Other statistics hint at the prevalence of cybercrime in 2021: some 30,000 websites on average are breached every day, with a cyberattack occurring every 11 seconds, almost twice as often as in 2019.

Cybersecurity organisation Mimecast reckons six in 10 UK companies suffered such an attack in 2020. In her Raconteur interview, conducted a fortnight after her appearance at Chatham House, Cameron reiterated her concerns.

“Right now, ransomware poses the most immediate threat to UK businesses, and sadly it is an issue which is growing globally,” she says. “While many organisations are alert to this, too few are testing their defences or their planned response to a major incident.”

Despite the headline-grabbing attacks, businesses aren’t doing enough to prepare for ransomware, says Cameron. Cyber risks can and must be managed and mitigated. To an extent, CIOs and chief information security officers (CISOs) are responsible for communicating the potentially fatal threat to the various stakeholders.

Cyberattacks differ from other shocks in that they aren’t readily perceptible. They are deliberate and can originate inside or outside the organisation. They hit every aspect of a business – human resources, finance, operations and more – making them incredibly hard to contain.

“The impact of a ransomware attack on victims can be severe,” Cameron continues, “and I’ve heard powerful testimonies from CEOs facing the repercussions of attacks they were unprepared for. Attacks can affect an organisation’s finances, operations and reputation, both in the short and long term.”

Building cyber resilience 

CEOs can’t hide behind their security teams if breached by a cyberattack. Cameron warns that defending against these incidents can’t be treated as “just a technical issue” – it’s a board-level matter, demanding action from the top. 

“A CEO would never say they don’t need to understand legal risk just because they have a General Counsel. The same applies to cybersecurity.” 

Cybersecurity should be central to boardroom thinking, Cameron adds. “We need to go further to ensure good practice is understood and resilience is being built into organisations. Investing resources and time into putting good security practices into place is crucial for boosting cyber resilience.”

Cameron notes that the NCSC’s guidance, updated in September, will reduce the likelihood of becoming infected by malware – including ransomware – and limit the impact of the infection. It also includes advice on what CIOs, CISOs and even CEOs should do if systems are already infected with malware. 

Cameron, who was previously director general responsible for the Department for International Development’s programmes in Africa, Asia and the Middle East, echoes Benjamin Franklin’s famous maxim: “By failing to prepare, you are preparing to fail.” 

There’s a wide range of practical, actionable advice available on the NCSC website, she notes.

“One of the key things I have learned in my first year as NCSC CEO is that organisations can prevent the vast majority of high-profile cyber incidents we’ve seen following guidance we have already issued,” she adds. 

Low-hanging fruit

At the Chatham House event, Cameron acknowledged that small- and medium-sized enterprises are especially vulnerable to cyberattacks. “I completely understand this is getting harder, especially for small businesses with less capability,” she said. “But it is crucial to build layered defences that are resilient to this.”

SMEs are the low-hanging fruit for cybercriminals, as they usually lack the budget for, or access to, sufficient IT support and security. “We appreciate smaller organisations may not have the same resources to put into cybersecurity as larger businesses,” Cameron says. 

The NCSC has produced tailored advice for such organisations in its Small Business Guide. This explains what to consider when backing up data, how to protect an organisation from malware, tips to secure mobile devices and the information stored on them, things to bear in mind when using passwords and advice on identifying phishing attacks.

Criminals will seek to exploit a weak point, which could include an SME in a supply chain. Larger organisations, says Cameron, have a “responsibility to work with their suppliers to ensure operations are secured. In the past year, we have seen an increase in supply chain attacks with impacts felt around the world, underlining how widespread supply networks can be.”

Supply chain concerns

Supply chain attacks were another of Cameron’s four key themes at the Chatham House conference. Such vulnerabilities “continue to be an attractive vector at the hand of sophisticated actors and … the threat from these attacks is likely to grow,” she said. “This is particularly the case as we anticipate technology supply chains will become increasingly complicated in the coming years.”

The most infamous recent supply chain attack was on SolarWinds, said Cameron. According to the former CEO and other SolarWinds officials, the breach happened because criminals hacked a key password – it was solarwinds123. This highlights the importance of strong passwords for companies large and small. 

“SolarWinds was a stark reminder of the need for governments and enterprises to make themselves more resilient should one of their key technology suppliers be compromised,” Cameron said at Chatham House.

The two other areas of cyber concern she highlighted were the vulnerabilities exposed by the coronavirus pandemic and the development of strategically important technology. “We are all increasingly dependent on that technology and it is now fundamental to both our safety and the functioning of society,” she said of the latter.

On the former theme, Cameron said that malicious actors are trying to access Covid-related information, whether vaccine procurement plans or data on new variants. 

“Some groups may also seek to use this information to undermine public trust in government responses to the pandemic. The coronavirus pandemic continues to cast a significant shadow on cybersecurity and is likely to do so for many years to come.”

CIOs must keep this in mind as many organisations grapple with post-pandemic ways of working. This involves more remote workers using personal or poorly protected devices on unsecured networks, all of which play into the hands of bad actors.

“Over the past 18 months, many organisations will have likely increased remote working for staff and introduced new online services and devices to stay connected,” says Cameron. “While this has offered a solution for many businesses, it’s vital for the risks to be mitigated so users and networks work securely. Our home-working guidance offers practical steps to help with safe remote working.”

Post-pandemic cybersecurity 

Offering further essential advice, Cameron underlines that organisations of all sizes must build their cyber resilience. 

“It’s vital that organisations of all sizes take the right steps to build their cyber resilience. Educating employees is an important aspect of keeping any business secure. Staff can be an effective first line of defence against cyberattacks if they are equipped with the right understanding and feel they can report anything suspicious.”

Businesses should put a clear IT policy in place that guides employees on best practices, while staff should be encouraged to use the NCSC’s “Top Tips for Staff” training package. 

“These steps are about creating a positive cybersecurity culture and we believe senior leaders should lead by example,” she adds. 

The NCSC’s Board Toolkit is particularly useful for CIOs, designed to help facilitate cybersecurity discussions between board members and technical experts. It will “help ensure leaders are informed and cybersecurity considerations can be integrated into business objectives”.

These conversations are now critical, as advances in artificial intelligence, the internet of things, 5G and quantum computing multiply attack surfaces. Reflecting on the NCSC’s work since its inception five years ago, Cameron says the organisation has achieved a huge amount, including dealing with significant cyber incidents, improving the resilience of critical networks and developing a skills pipeline for the future. 

“This is delivering real benefits for the nation, from protecting multinational companies to defending citizens against online harm. However, the challenges we face in cyberspace are always changing, so we can’t rest on our laurels.”

This article was first published in Raconteur’s Future CIO report in November 2021

FSA CIO on her career in tech: ‘It’s where the future is already happening’

The FSA’s groundbreaking CIO talks the future of technology careers, data openness and going beyond the status quo

What makes a successful chief information officer (CIO) in 2021? Ask Julie Pierce, the trailblazing director of openness, data and digital at the Food Standards Agency (FSA), who ranked fifth overall and was the highest-placed woman in the venerated CIO 100 list for 2019. 

Having learnt the news about the CIO 100, which recognises the UK’s “most transformational and disruptive” CIOs, Pierce recalls feeling “happy [and] honoured”. Following a pause, she adds: “And surprised.” Why? “If someone had told me I would be recognised at this level back when I was, say, 30, I would have thought it impossible, for so many reasons. So my reaction was: ‘Oh my God!’”

To an extent, her reaction to the accolade is understandable in an industry dominated by men. But the recognition is also a cause for celebration. Given that only one in six technology specialists in the UK are female and just 10% are IT leaders, the Bristol-based Pierce proudly serves as a role model for other women seeking to reach the top in tech.

The incredulity is misplaced, though, when one considers her groundbreaking 41-year career. After starting off with a misstep in oil exploration – more of which below – she enjoyed 13 years as a consultant at PwC, where she was one of the first female partners. Her CV also includes stints with the Home Office and the Metropolitan Police Service.

More recently, Pierce has excelled as CIO at the Animal and Plant Health Agency and the Department for Environment, Food and Rural Affairs (Defra). In August 2015, she moved from Defra to the FSA, a non-ministerial government department which monitors risks and issues of concern regarding food.

The case for data openness

As director of openness, data and digital (“a long but pretty cool title”) at the FSA, she performs a raft of duties. These include the CIO role, as well as responsibility for science and for Wales. 

Importantly, Pierce is a fervent advocate of open and transparent data. Indeed, in the public sector, and further afield, the FSA is often held up as an exemplar of what is possible through opening up data. This progressiveness is in no small part thanks to Pierce.

“Being open and transparent [with data] is so important to me,” she says. “And at the FSA it is fundamental to our core being; we are here to be open and transparent on behalf of the consumer.” 

Pierce explains that her agency raises the alarm when “things are not quite right for consumers concerning food safety and authenticity”. As an example, she points to a recently implemented service that uses predictive analytics and machine learning to monitor global risks. 

The FSA publishes 70% of its datasets. Pierce argues convincingly that fellow CIOs should push to open data and drive collaboration internally and externally. The FSA has been trying to persuade businesses to be open and publish their data, she says.

“We can see the large amount of data collected about food in the public and private sectors. For instance, we can see the opportunities from data-rich digital platforms where they may be sitting on real insights as to food risk, allowing us all to take action before something goes wrong.”

Under Pierce’s direction, the FSA has “put as much effort as possible in the last few years” to develop the infrastructure necessary to open data and make it “easier for businesses to consume that data”.

Beyond the status quo

Pierce believes in “transformation through the application of modern digital technology and insights from predictive analytics to business problems”. And in a clarion call for fellow CIOs, she has urged on LinkedIn: “Let’s be really different; let’s go beyond merely automating the status quo.”

Pierce has always sought to go beyond the status quo, but she originally had little interest in technology. Having graduated from the University of Wales, Bangor, in 1980 with a first-class degree in mathematics and physical oceanography, Pierce sought a hands-on role in the oil-exploration industry. The fact that it was “completely male-dominated” made it more attractive because of the challenge.

Ironically, it was when the path in her chosen profession was blocked because of her gender that she changed direction and flourished. As a woman, she was forbidden to set foot on either the boats or the rigs. Pierce’s impressive career in tech can be traced back to that early change of tack. 

However, the combination of fierce ambition and talent has elevated her. It is this desire that modern CIOs must possess to excel, she suggests.

“My FSA role includes the CIO and a lot more. That in itself is one of the things I’m most proud of: that I have risen and gone above the CIO role into other aspects of the business.” Indeed, to secure a place in the boardroom, CIOs must demonstrate the many different ways they can add value. 

Pierce says there has never been a more exciting time to embark on a career in tech and climb the ranks to CIO and above. “It’s an absolutely fascinating sector, as it’s moving and evolving so quickly,” she says. “It’s becoming more relevant, ubiquitous, and essential to everything we do. Therefore, you can choose any sector to work in – food, healthcare, financial services, whatever.

“What makes a career in tech so attractive nowadays is that it is accessible in so many more ways compared to when I began. You can come in through some of the more innovative data ideas, such as artificial intelligence or robotics, or via looking at accessibility and the way users engage with the tech, or the hardware route.”

After a final pause, she adds: “It’s the place really where I think the future is already happening.”

This article originally appeared in Raconteur’s Future CIO report in September 2021

Five priorities for CIOs in 2021

Trends accelerated by the coronavirus crisis present challenges and opportunities; dealing with both has increased the workload for chief information officers

1 Regulatory compliance and security

The entry might have been number one in the charts for the past few years, but the mass jump to working away from the office catalysed by lockdown has meant chief information officers (CIOs) must be on top of data management, security and compliance. 

“The shift towards remote work and digital operations has meant the information security posture of many businesses, faced with an increasing amount of threats, has had to improve,” says Federico Baldo, CIO at Eurotech, a multinational company supplying internet of things solutions.

“Security starts at the top of an organisation and, while chief executives do not need to be security experts, they do benefit from an accurate understanding of the relevance of security to their organisation. And for many smaller businesses, in particular, it is the CIO’s job to lead the internal security programmes.”

Caroline Carruthers, chief executive of data strategists Carruthers and Jackson and former chief data officer at Network Rail, says a mindset transformation is required. “My biggest piece of advice for CIOs when it comes to regulatory compliance is they need to stop thinking about security and privacy as a tick-box exercise,” she says. “It’s essential they see this as a positive opportunity rather than a hurdle to overcome.”

There are enormous advantages for the organisations that get compliance right, she insists, from increased customer trust to more secure intellectual property.

2 Modernise IT infrastructure and systems

COVID has tested the robustness of supply chains, business models and information technology systems alike. In many cases, it exposed worrying vulnerabilities. 

“After the immediate response to the pandemic, it allowed the time to look at IT systems and assess whether they remained fit for purpose,” says Jean-Sébastien Pelland, deputy managing director of Eland Cables, a global supplier of cables and cable accessories.

“Businesses constantly evolve, requiring IT systems to adapt rather than making wholesale changes, simply due to the pace and perhaps uncertainty of the new avenues. Now is the time to make sure the systems match the business as it stands today.”

This chimes with Sharon Mandell, CIO of Juniper Networks, a multinational cybersecurity company. “As we ‘cloudify’ and ‘SaaSify’ our entire product line, Juniper also needs to update its IT architecture. We need one that’s more nimble, that brings new capabilities and that’s more user aware to enable the experience our customers and partners desire throughout their journey with us,” she says.

Like many organisations, Juniper has pivoted its offering, in part because of the pandemic fallout. “Modernising IT is a priority now as many of our systems were built around a business model that delivered hardware, with embedded software only, and traditional technical support and services,” says Mandell.

3 Ensure real-time visibility of critical data

“The world we’re living in is moving faster than ever and organisations relying on data even one week old are behind the curve,” warns data strategist Carruthers. “The nature and speed of change in 2021 will make real-time visibility of critical data the single biggest factor in winning new business across almost all industries this year.” 

She advises that “CIOs need to make sure they have insight into what is going on in their industries in real time” to make accurate predictions.

Rich Murr, CIO at Epicor, a global provider of enterprise resource planning software for the manufacturing, distribution, retail and service industries, agrees. He calls actionable data “the holy grail” of IT. “And sometimes it’s seemingly just as difficult to obtain,” he says. “The challenge is less about systems and more about the business processes that produce and consume the data. 

“CIOs need to educate their business peers, not to sit back and expect clean data to appear magically in their systems, but instead to take strong ownership and execute the hard business process improvement work necessary to create actionable data.”

4 Engage and educate the workforce

Murr’s point about driving education and training, so that employees can use the full capabilities of their IT systems and have a good handle on data management, highlights another important CIO task. “IT needs to work for the worker,” says Tim Christensen, chief technology officer at workforce communications platform SocialChorus.

Football Association CIO Craig Donald says: “Facilitating tech literacy will be central to my role in boosting enjoyment and attainment as the football community comes back to life in 2021. Particularly in non-tech organisations, CIOs shouldn’t just go in there being the mystical gurus of technology. Get a dialogue going and show how tech can directly impact relationships.”

Educating staff is particularly challenging for Jo Drake, CIO of The Hut Group, the retail and property company that in September attracted the largest initial public offering on the London Stock Exchange since 2013. “As part of a global business that is expanding at a rapid rate, it’s important to have the best team possible and the right talent to grow with us,” she says, pointing to several schemes that attract and nurture tech talent.

5 Make full use of cloud computing 

Eurotech CIO Baldo urges businesses to “go full-on cloud”. He says: “If the business gross margin is not sensitive to slightly higher costs, there are many more advanced and integrated security capabilities that smaller businesses can leverage through the use of cloud services from AWS, Azure, Google or IBM than could be achieved on-premise, within the same budget.” It is the CIO’s responsibility to manage the move to the cloud and beyond.

Dr Anjali Subburaj, chief architect of digital commerce at multinational manufacturer Mars, believes businesses can move up a level in this area. “Adoption of cloud computing allows IT teams to focus exclusively on driving business outcomes via their endeavours instead of grappling with IT infrastructure issues,” she says. 

Once the cloud is embraced, more tech opportunities become accessible. “CIOs should also be prioritising the introduction of an artificial intelligence-embedded approach,” Subburaj adds. “This will improve the accuracy and relevancy of outputs, such as supply and demand, and personalised product recommendations to consumers.”

This article was originally published in Raconteur’s Future CIO report in March 2021