ESORMA Mastermind: Chris Gunner.
How our work flow may change and the security implications of Covid-19
Hello, It's David White here. Thanks for joining me on this Mastermind call. The Mastermind we have with us today is none other than Chris Gunner, Group Cyber Governance Risk Specialist. A CISO with mid tier financial specialist to talk about some of the impacts of Covid-19 on cyber security. So, Chris, I spotted your article in LinkedIn and I just had to call you about it.
Security Should Be More Open
0:25. Chris: Thanks, David. Good to join you. Just for that particular piece, the one thing I just wanted to mention was I'm quite keen for us in the security community to be a bit more open and a bit more sharing about the information that we gather. I think a lot of us not necessarily including myself, but others come from quite a secretive military background where sometimes you feel that there are ears in every wall and people are very resistant to sharing information. I've certainly had experience in previous roles within the legal industry where we had some difficulty trying to put together the sort of community and information sharing groups, platforms, consortium's whatever you want to call them, where we could all learn from each other. Sometimes it was a concern from some of the legal teams about competition law and so on and so forth, which I do absolutely recognize. But particularly in that legal forum, we used to, at beginning in every session, stand up and say we as each other are not each other's enemy. Let's let the lawyers compete for business and everything else. Together, we're all in this together, and that's all learn from each other.
So I'm a great proponent of trying to share as much as possible, obviously maintaining all sorts of rules around commercial confidentiality and so forth. But that piece actually came from an internal knowledge sharing forum we have with my current organization just to try and make sure that everyone was being spurred with the same sorts of thoughts as everyone else. You never know who and in what part of the world in what organisation, what role even might suddenly have some great thoughts that could help someone else. So I try. Try regularly to post all sorts of stuff, you know. Most of them originate from sort of internal work. Anything I find interesting that you never know might spark someone else's ideas. I think that's the kind of stuff we should be sharing more as a community.
David: The biggest breakthroughs in technology and outside of technology actually come from processes and techniques that are employed in one industry that simply haven't been employed and transferred to another.
Genuine Compassion Is Essential
Chris: Exactly. So I think that the stuff that I didn't really want to cover in the article was the advice on how to work from home securely. Because I think really, we've had enough of that. I think everyone seems to be issuing all sorts of work from home guidance left, right and center, some of it useful I myself when trying to put together something for us as an organization, actually struggled to find something that was helpful for the end user. Digging around I found lots of vendors trying to tout their latest VPN software or lots of people saying put in a VPN software. But actually, I really couldn't find anything that describes some of the basics. So something I wanted to focus on in there is something I think we aren't doing necessarily particular well. Or at least we're not talking about it. Not sharing is how the end user can secure perhaps their home or their work environments. You know, to support us as we worry about the technology, they can do certain things. So the kind of things that I think are quite important to remind your users of first, I think is to remind them that this isn't normal. It's okay to not know what they're doing. It's okay to be perhaps perched on the edge of the bed or in the kitchen or anywhere. I've seen all sorts of fantastic backgrounds and locations in people's homes over the last few weeks while they are doing video conferencing and it's actually surprising the number of people who do seem to be perched in very much a makeshift source of sort of office environment or at the kitchen table. So I think first off, we need to demonstrate some compassion to our users. They will not be working as securely as they would in the office. We need to get over any idea that we need to pitch them at the same sort of security level. So the kind of things that I think a really important for people to do would be lock their laptops when they're not using them, when they are wandering around the house, perhaps they've got lots of people at home at the moment. Kids. It may be fewer house guests. I'd hope if they're following the rules, but they've got kids, they've got partners. You may even work in a related industry and therefore have some confidentiality issues there. But locking screens will stop perhaps a child wandering up, thinking they can just launch Minecraft on what is actually a work machine or clicking send on a half written email. That was perhaps one of those emails that you sort of write without the address in before you click send because you need a bit of a kind of mental decompression. To get, get some angst out. But then you delete the email and never send it. So little things like that. Well exactly, you know, certainly is yet another email that says No, I won't join your third zoom call of the day, Mr. Manager, you know, maybe don't leave that half written and unlock your screen.
Something else we thought was important people was to remind them that if they're using a shared computer, a family shared computer and if you think about all the different types of people in the organization, some of them might not have multiple computers for multiple people. They might actually be using one between a variety of household members. So they're competing against the kids trying to do there schooling, someone's trying to watch a fitness video, maybe a couple of adults are trying to do some work, so remind them that that's okay as well. Those are the people you should really be prioritising to get their own, get a work device sent out to them or possibly move them onto some kind of virtual desktop interface to make sure that you know that computer that is also being used by the kids to watch YouTube and download all sorts of nasties off the Internet isn't also then connecting directly to your network. Yeah, so for me, all of this really, really goes around to an idea of this isn't normal, this isn't okay. We shouldn't assume that people, you know have exactly the same setups that we do or that anyone does and therefore think about the problems they might have. Other things we've reminded people of this is make sure if their office, for example, faces the road that they don't just leave their laptops and equipment set up overnight. I think alas, crime is gonna be on the rise over the next few months, as effectively traditional routes and crime and by that I mean people trying to nick your wallet on the street. That's not really possible anymore. So the criminals are probably gonna switch, and some of them, I'm sure, will walk up and down the road, smash a window and try and take a laptop. So little things like that, that people may not have considered, I think are important to remind them off and not only that, but it makes people feel like they're empowered. So if they can actually do something and lock away the computer, then they feel like they've actually contributed and they're helping.
New People Related Vulnerabilities
David: So new vulnerabilities, really.
Well, it's new people vulnerabilities, I think, Yeah, because all of this really just boils down, as I said a few times. But this is unusual. I've had my own challenges. I used to work from home, maybe one or two days a week, you know, on a monitor. That was kind of less than good for my eyes. I didn't really have a decent sort of headset or Voice comms set up. I was just, you know, managing with kind of a phone every now and again. So I personally have gone through and made sure my desk chair is actually tweaked properly, and I've actually bought some better speakers and better monitor, so I'm fortunate in that I could do that. But for me, it was quite a shift to work from one or two days, a week to five days a week. You know it certainly weeks and weeks on end. I realized I needed to actually set up my home in a slightly better way. So I try and try not spend any time in the room that we use as an office, which all I'll say is also the is also the spare room. It's also the kind of, you know, sort of clothes drying room, the junk room in our in our London flat. So I try and make sure that that's clean and tidy, a bit like I would with the office.
David: I'm in same set up and I daren't use a video.
Chris: Well, that's it. Yeah, I very carefully positioned my web cam so it's not, you know, it's tasteful background, and you can actually see my pants hanging in the corner on the drying rack. So for me, it's very much the one of the key things that I think we're missing as a community at the moment is that people focus on the working from home. Yes, there's all sorts of tech challenges, but I think we also need to engage with our staff. And this isn't a I've seen some pretty cringy sort of staff outreach programs. Maybe this is me being a bit of a grumpy, grumpy person. But, you know, I don't particularly want to join a company mandated Happy Hour. But if someone from the security team called me up and said, let's just talk through you know, have you got a wireless printer? Are you using some kind of shared Internet? You know, maybe I could talk you through how to fix some of these things. That would probably for me be a much stronger employee engagement peace than someone sending me a request to do a 30 second dance video that they're going to try and compile at the end of the week, you know, as a team spirit team spirit, let's go, type thing. So let's not Let's not forget there are people at the end of these computers. They need some help. They're not prepared for this. As much as we can push stuff down onto their computers, I think we can also don't try and engage with them as human beings, employees as well. Yeah, so that I think, was key for me and reminding people that there were there were humans at the end of it.
09:09 Some of the some of the broader stuff that we were looking at as well. So my responsibility within our organization at the moment is really a sort of sort of an internal consultancy, so were available for doing all sorts of work for any of our member businesses. So recently, Actually, the focus has been far more on operational hands on type work. We've got some new operations that need a bit more but more closer support. But other than that, we are there to do things like threat intelligence and thought leadership, the kind of things that maybe it's better for us to do centrally as a business. So something that I spend a bit of time doing is helping our businesses develop their cyber programs. As a kind of broad, big picture look at how they're going to do security, not just today, not just this morning, but over the next 6, 12, 18 months and so on. So our business model really is driven by setting up good, solid businesses and then looking to divest them from the group. When we say solid businesses for us, that means a solid cyber security business as well. So something that we wanted to focus on and we have had this as well is our budgets have been cut. Our revenue streams have dried up in some markets. So we've had to think about all that money that we thought we were going to spend on some key things, some nice to have some operational efficiency things we've had to go through with quite a fine tooth comb and understand which of those we're going to be able to do which of those we're gonna have to put on hold, which of those we will never now be able to do. Which of those, for example, can be put on ice. By that I mean press the pause button and then hopefully un pause, maybe six months down the line with no misstep. Other programs, of course, need a bit of winding down and then winding back up again. So you've got to consider, I think, good stat I always tried to look at was that actually when making employees redundant, I think it costs something like 1.5 times their annual salary to replace them when you consider all sorts of things, like the loss of productivity for that employee and their notice period. So even if they're resigning, they're probably not working full capacity in the last few months, either because they're actively looking for work or because they just lost heart in the job. So you know they're not pulling those evening calls or those all nighters that they might have once upon a time. You're also looking at that the wind up for that new person when you finally get them in. So obviously they won't be fully productive on day one. They'll maybe take a number of weeks number of months to actually start to know the people they need to reach out to probably make some mistakes that requires him on picking. And then you've also got some harder costs. Maybe the severance pay. You've also got some recruiters Finder's Fees. Perhaps even you've got to pay the new person some more money because you're actually under paying the person who moved on. So it's actually quite significant cost both operationally and financially, to lose a an employee. And ultimately, I think this is why in the UK our government has set up this furlough scheme to try and minimize the amount of layoffs. But I think I think for us that applied to lots of the security things we were doing in our cyber program, so we had a for example, we were looking at a nice bells and whistles, gold plated risk management vendor management platform. It was all stuff that we were doing, but I'll be honest. It was still in the slightly old fashioned way of doing on spreadsheets. Lots of emails going around, lots of admin, you know, spending quite a lot of time, just digging through things and filtering tables and sending people a document saying can you fill this out? Can you capture this? So it's not that so we're now not able to purchase that platform. We've had to defer that decision, which is a shame, because we were very close to signing, but we've had to defer that. But I have spent the time to go through with the execs that I report to and explain to them that we're not necessarily losing security benefit by not purchasing that platform. But what we are losing is operational efficiency so really that platform was not gonna make us do security any better. It wasn't gonna tell us any security decisions or controls that we haven't yet put in place. It wasn't gonna tell us anything that we didn't already know. But what it was going to do is make it a damn sight easier for us to make those decisions quickly and efficiently and in a way that we could then dig out six months later and look back on why we made certain decisions or perhaps evidence those decisions to our customers. So going through the programs and figuring out what is easy to pause or what is easy to put on ice or what needs to be wound down and then wound back up and then also explaining to those who, who ultimately there is budget. You know, there is more money available somewhere in business for cyber stuff. It's just that it hasn't been earmarked for cyber. So I felt it was important for me to go to the exec and those people who actually have that decision to say, look, you, you've asked me to cut the budget by 50%. Here is the impact of that. It means that some of these things will cost more down the line because we now have to pick back up from where we left off. Some of the things will be done less efficiently I won't necessarily give you any examples. But some of the things that we're now not going to do will probably weaken our security response in the short term until we find an alternative. So I wanted to make sure that the execs and ultimately the guys who may or may not have been able to find some extra budget knew the impact of those decisions. It wasn't a criticism off them, but it was just to say, maybe if you're worried about these things, there are other things that you could perhaps find money from and shuffle budgets around in order for us to perhaps lose a bit more efficiency but instead maintain a bit more actual security in place. I think, alas, that's probably a problem that almost every business in the world is gonna have to go through with maybe a few exceptions who were doing really well out of this crisis, but unfortunately looks like not only do we have revenue problems from just the lack of economic activity at the moment, but I think it looks like we'll have some really quite severe recession over the next couple of years that will have to contend to with. So some of the thinking that we did back in back in the years after the 2008 crisis, I think, probably become quite important to remind ourselves of over the next few years how to do cyber in a recession. It's still a problem. If anything, the bad guys are even more interested in attacking us now because they can't do whatever crime they were doing before this crisis before the lock down, but they will be picking up their phishing scams. You know, their financial frauds, anything, anything they can do easily from home. They will do so the need is still there. But unfortunately, there the budget and the capacity to respond in most businesses is probably going to be going to be a bit constrained.
David: Well, it's absolutely right to involve the business in an awareness of, you know, what you can't now do. It is ultimately a business decision is to determine what budgets come from, where and what needs to be cut. Because foresight is not a perfect thing, is it? This way could let's go with you creating a plan and then running according to that plan, cutting our cloth accordingly and obviously, when there's more money about, we could do more things and when obviously there's less money about, we need to be aware. I'm very concerned about people working from home. I probably got a typical household of multiple rooms and multiple people of different age groups and different employees who managed to find different ways, including me, of working from different rooms. We don't actually compete. We are a family, but have completely different needs. And as I look around with my kind of security, I can see that the organizations that we are effectively interfacing with now remotely from home have no idea what systems we actually have at home. You know or the age of the systems, for instance, which must have an impact on potentially, you know, vulnerability when we are not supplied with laptops and we're having to use home equipment. Home equipment is not always patched and up to date.
Managing The Zoom Bomb
17:14 Chris: It's interesting, isn't it? So zoom is probably the hot topic at the moment, I think. I really think, in my opinion, it's probably been over hyped. As in security people are probably worrying a bit too much about it. We internally used zoom used in the past tense. Zoom, I think, is an interesting one. We as an organization, used to do, and that's past tense. It started back in January when there was vulnerabilities, I think about predictable, repeatable meeting ideas. It was starting to get headlines on the BBC, so we knew that some of our execs would start to hear about it. And next time they log into zoom go ooh okay, ask the security team what the problem is or possibly point the finger at us and go 'How could you keep us on this platform?' I've just been told, by the BBC that it's not secure. So we did some research, and dug into sort of why those particular vulnerabilities were issues and that helped us actually to deal with the problems that all the heightened focus that Zoom had maybe in the last couple of weeks, well, last couple of months. So for us, we wanted to educate our users. To say look Zoom is a platform. There are problems with it, but some of those problems are the same as with any other videoconferencing platform. You know things about backgrounds, pictures and things like that or people walking into the background. That's a problem with any video conference, so don't necessarily blame that on Zoom. Blame that on the video conference sort of model, generally. There were other problems which we wanted to categorize as things like privacy and public privacy. So I personally had to do some sort of tech and security support for some people I know who were doing a zoom, a semi work related zoom conference that was publicly advertised and then got zoom bombed and it got Zoom bombed with pretty much the most unpleasant thing you can imagine. So lots of distraught people. So what I found was interesting with some of their reactions were obviously they were shaken for a start. It goes back to what I was talking about with remembering that there were human beings at the end of all this. So some of them we're very shaken. So just telling them that they were really obvious security controls you should put in place. Wasn't really going to land, particularly with people who just seen pretty unpleasant stuff Zoom bombed on their call, the second thing I noticed was a lots of them didn't understand what the platform was and what the platform did. By that, you know, there was a really unpleasant video shared. They were concerned that those videos had somehow been saved onto their devices and they would then need to reset passwords, delete applications, you know, one of them was saying, I'm never going to use that computer again. People were concerned. They have to go to the police to report the fact that you know, they had come into contact with this material, you know, And so therefore if it was ever found on their machines down the line, there was at least a reference to say no it wasn't them, having downloaded that it was a zoom bomb so for me, that was a bit of a wake up call, actually, that some of these problems may have been easy to avoid from a technology perspective. And I think that's where really, we as security people should have done this already through either through awareness will just be a manhandling The Zoom management controls out of the hands of whoever husband. Just implement these changes to do that, but also that we need to educate our users and that those users might not understand what going into a settings panel actually looks like. And they might be really concerned that when they enable something, it's going to cause some huge problem with some important meeting that got down the line. So it was things like understanding the interface and the security risks with what I would call a semi public use of Zoom to me that things like the kids lessons that I have to go to zoom, you know, the singing lessons, the language lessons, all that kind of stuff. So my sister, for example, is a language teacher in Spain, so she uses Zoom. So first thing I did was get in touch with her and say right. You need to put these controls in place, and you need to check these sorts of things.
So I think insecurity. We sometimes focus on one, but not the other. And we failed to make the link between, you know, that awareness campaign might stop someone from browsing to a website which then means we don't have to spend hours cleaning their machine. At least IT don't have to spend hours rebuilding their machine because it's been infected with something. We need to think very much about you know what are the preventative things we could do before there's an issue and I think we're probably good at this security people, because we spend quite a lot of time thinking about risk and potential problems rather than actual problems. I think that's probably that the two disciplines problem, insecurity, the moment where some of us lean one way or the other. I know I lean far more towards the prevention side because my background is more governance and risk, but I think that's something where we can probably remember that that's often on alternative, either preventative or responsive approach with the same sorts of problem.
David: It's a very astute observation if I may say, when we looked at it by business continuity, disaster recovery, the number one thing that comes first on the list to look after is obviously human people, life. The way you just put it is, is that if you look at it from the human perspective, first, not necessarily the technological perspective first, which a lot of the materials and technologists will automatically look at technology which is often and in a process that occurs afterwards, that the key to it, a lot of it is actually preventive in the first place. Not necessarily. Technology is about what is it that your users are actually doing what, are they aware what they can and can't do?
Chris: Very much so.
David: Very interested in your views on phishing and phishing awareness. Phishing testing perhaps, seems to be a contentious issue. What are your views?
23:02 Chris: We have a phishing platform that we used to phish our own employees. The thing that won me over for that one. This was many years ago when I first ran into those platforms and programs and have that had very much this internal debate. You know, Is this really the kind of thing we want to do? Is ultimately it's our fault. As a security team. If the users aren't aware of this kind of thing, no one can expect them to be expert in spotting a phishing email if we don't give them the opportunity to see one in real life and actually test in situ, I guess within their outlook window, you know, when they've got all sorts of other things. I got a meeting in five minutes and actually they could really do We're going to the loo. They've got you know, they know that their bosses breathing down the neck for that report by the end of the day and, you know, they're distracted by all sorts of things. You really want to teach them that stuff in situ. So for us and for me, in previous roles, we put in place phishing simulation platforms. You know, almost as a day one activity. Um, because it's the only fair way to teach people how to response to a phishing attack I then echo that down in terms of the once we do the tests, what do we do when someone fails? I think the suggestion and I realised that some of this is a kind of shorthand among security people thinking. But the suggestion that sort of though we should go, you know, beat up the users for not following our advice, but actually, if you fit on the head and you think, well, if they don't know how to respond to this and maybe it's my fault for not having trained them how to do that, I think that goes back to what I was talking about earlier with the working from home angle, which is let's then reach out to the use and say, you know, what is it that I haven't done to help you? What is it that I have missed in your training, you to be aware of these things and once you start looking in that way, you realize that there's a lot of compassion that comes in that and there's a lot of self reflection. I think that says is my training good enough was my was my 45 minutes video on induction day was that really good enough to expect some of the everyone to be a security expert. I mean, really, of course it wasn't, but we sometimes forget that it definitely wasn't and we can see that through things like phishing simulations. So I think when you want to look at it as a I have failed as a security person to teach you how to spot these things. How can I do better than that's where I feel you really start to go from security training as a sort of one off activity in skills training to an awareness?
When they realised that you're actually a friendly person down the other end of the line, who's willing to help them and perhaps go the extra mile to help them and understand how they learn. Maybe they need a video instead of words. Maybe they need words instead of a video, different people learn in different ways. But once you take that attitude, then you start to build. I think in a way, in this culture where they're aware that the security team care about them and are here to train them in how to do something. I mean, if you worked in manufacturing, for example, you wouldn't just give your new employees. You know the keys to some large piece of machinery with all sorts of whirring blades and engines and stamping bits because, you know, you probably know that they're going to lose a finger quite quickly if you don't train them. So I think we need to do the same with some of the tools that we have given people as IT and security people. So we've give them email but have we ever trained them how to how to use email and I guess the key thing here is how to avoid a phishing email. Yes, um, it's interesting. Some organizations I used to be a consultant, so I've seen quite a lot of training programs within organisations, either that I've had to be inducted into as a consultant or I have gone in with the security hat on to review. But it's surprising how lots of organisations don't have any sort of training platform just for the basics. It's only maybe once or twice in my life, I've ever actually been formally trained on how to manipulate outlook to get it to do what I want and when I say manipulated, I mean draft an email, surprising the number of people who don't know what the blind carbon copy line is for and I think, unfortunately in the security world we see a lot of those where people don't blind carbon copy quite sensitive emails believe there was one in London where there was an HIV clinic that failed to blind carbon. Sending put to all HIV positive customers. So that was a huge data protection breach. But sometimes I look at that and think How on earth does someone not know how to do a blind carbon copy, but maybe they've never, never needed to do it before and they've never been formally trained. So, good organizations I've seen have quite a comprehensive training program when they will literally teach you how to format word document, you know, to get the right headings in place and understand under reference markers in the documents and create a table of contents automatically that kind of stuff. But a lot of organizations don't and I think in security we need to think more about the tools and capabilities that we are complicit in giving people like access to email and recognize that it's our job to teach them how to use that securely in advance of there being a problem, they're much the last thing we need to do is point the finger at users and go you fool, you really should have known this better. Or you should've somehow understood, you know, this esoteric training that I set out for you but never actually tracked your completion or for anything else, you know? How did you not know that this was a problem?
Multi Media Messaging Super Powers
David: Yeah, absolutely. A lot of it is down to repetition as well. In other words, we provided the training once does not mean that the those individuals know forever...
28:05 Chris: Yes, and I've started doing that in the last month, actually, for us as a businesses that I'm sending out on, I've been very careful with the tone. I hope it's being received well, I've got a couple of messages from people saying thanks for this, but I've written it from me as an individual. We are a small organization that the community groups that I'm sending his message out to. So the personal touches is appreciated as a business where we're a lot more informal than I think most would be anyway. But I send out messages every week or so, mostly with security. I say its about 75% security stuff. So updates on zoom and updates on how to work from home securely. But I made it a rule for myself to repeat myself from a couple of weeks ago, so I tried to twist the words a little bit. But the idea is that repeat the same advice that if they didn't listen the first time, maybe they listen the second time. But then, I've also added maybe 25% of the remainder of the email is other stuff that's not work related, so I don't want to. I'm not particularly kind of touchy feely, and I don't want to turn into one of those one of those people that setting up enforced happy hours virtually and things like that to try and try and engender some work spirit that perhaps was never there in the first place. But, you know, I'm trying to include stuff that links to how to maintain your mental health at home, just trying to add that to the personal angle, so that so that people see me as a person that's approachable and they're aware using that awareness word, they're aware that I'm the person that's approachable. Also that, you know, they can sort of see me, perhaps as a human being on the other end rather than just some robot to dispense of security advice. You know, when you press a button on the top of my head and I think that's quite important as ultimately they'll come to me when they have a project that they're trying to run that has some security implications, you know, that's when they really need to know that me as a person you know, is the kind of person hopefully that they will want in their meetings, who can offer that good advice when they are, you know, perhaps thinking about doing something that you know, they would otherwise worry about the security person.
David: The obvious question for me, for you on that is you know, how are you finding it? Has it working out? What kind of results, response are you getting? That type of messaging i.e. you're not being too touchy feeling, but you're being personal, personable on giving or sharing information, even repeating information but changing it slightly to make it interesting and not like you're just, you know, hitting the same nail with the same hammer. What response are you getting to that?
Chris: I feel it's working. I certainly having picked up this tactic in the last month or so and tried to do that more personal touch. I've now started receiving messages from people saying Hi, Chris, Thanks for this message. It was appreciated. Thinking about the fact that different people might want the information in different ways has been interesting and enlightening. I think I think it does appear to be working at least with anecdotal evidence. So that's definitely something I'll take into consideration going forward if we ever get back to normal, is that we really need to be offering a variety of different the information in a variety of different ways. Yeah, so people could absolve it in whatever works for them. Yeah, it's different for different people that different times, isn't it? Sometimes I'm quite happy to read a long article. Other times I need something really short just scroll through on a phone type thing we just need to offer those options to people.
31:49, David: The future, we just talked about the past...
Resilience and Business Continuity...
31:47 Chris: Mmm, I think I think it's interesting, the anecdote I've been using quite a lot. I guess this all about operational resilience, which I think is probably where cyber will lead to. A lot of conferences in the last year were starting to talk about cyber resilience. And I think it's the evolution or perhaps the formalization of a lot of what we have been talking about saying that we need to consider the breach as a when, not if type scenario. We need to focus, perhaps more of our efforts on those response activities or capabilities, rather than hoping that the defense will be will be everything we need. But I think operational resilience is certainly what the Bank of England used to describe that sort of combination of, I guess what I would call it: it's a bit of business continuity, it's a bit of cyber security, it's a bit of financial resilience.
We had a plan. We had a business continuity program, well done. You know, pat on the back of setting out already. You would be ahead of a lot of organisations. Actually, we also have a pandemic scenario in there you go, well, fantastic. You know, it's the first thing that you really or maybe the most disrupted. Certainly low likelihood at least it felt like low likelihood yet as we have seen now, massive impact and, actually, it's interesting having personally never worked that closely in business continuity. I always assumed that pandemic response was the thing you sort of did once you've got all the other playbooks out of the way, but actually digging into it a bit more now I realized that I was looking, for example, if it turns out at the business continuity regulations that the Bank of India requires all of its financial institutions to follow and it has a whole section on pandemic response and this is a document back from 2013. So they've been thinking about it ages. So business continuity people kind of saying, yes, we have a plan. Fantastic. We even had a pandemic response plan. Fantastic. They then say the problem was, we got tested in section three out of six or whatever in our plan, and it was titled Returned to Normal, which, of course, isn't something that's going to happen for a long time and may never happen. Most business continuity playbooks are built on this concept that you have an incident, you have a period of disruption and then after that's been contained, you then focus your efforts on returning to normal. So you get people back to the office, you redeploy some hardware, you figure out methods to kind of keep the business running without while going back to the plan A as it were So I think what we're finding now is that most businesses we're on Plan A back in January. At least in the West Plan B was evoked very quickly in the middle of March, I guess when the lock down was put in place and certainly a week before that, it felt like a lot of businesses suddenly went right. That's it. Will start working on it. But then we've now got to think rather than a return to plan A. We've now got to think about a plan C. So what are you going to do if Zoom goes down? What are you going to do if? Well, if your CEO gets Zoom bombed and instantly decrees that zoom is not gonna be used anymore. How you gonna train people? What platforms you gonna use? Will your alternatives cope with the work flow. I think the UK had some problems with mobile networks going down the first day of sort of wide scale look down. So how are you going to deal with that? I know we just had the problem where WebEx has cut out. You know, we sort of have plans, you know, ad hock where I was able to dial in via the phone. So I think a lot of business continuity now will be thinking less about that return to normal and more about the how am I gonna maintain this current state? And how am I gonna evolve this current state into something that sensible long term to the business? I think normally what you do for business continuity is you should buy down that risk. You temporarily set up some processes and business operations that means you have to temporarily, accept an additional level of risk. And then normally what you do is you buy that down. So you undo the work that you've done so that you go back to where your risk tolerance was before, I don't think we're gonna be doing that at the moment. We're going to have to be building on that new risk baseline to develop whatever Plan C looks like. So as businesses evolved, some businesses are pivoting quite significantly, everything from, you know, a restaurant that has realized that they're probably not gonna have customers coming back in any great volume any time soon. So they need to sign up to deliveroo or maybe set up their own delivery processes. Those are the kind of things that I think people are gonna have to look at. How are we gonna evolve our business continuity programs to think less about a response back to normal and thinking about how is the future going to, how we gonna have to respond to any more shocks that come in the future?
Changing Business Processes
36:22. David: Well, the whole point of business continuity and disaster recovery planning is all about reviewing the current processes. i.e. What is it that we do in light of the current knowledge. As a result, you will streamline and change the processes that you employ and in effect, re evaluate and potentially innovate. Make things better and better maybe that you have greater coverage or capability. Better maybe that you have actually reduced costs. May even decide to get rid of, avoid certain risks, simply take them out of the picture, and, of course you could evaluate why do you do things the way you've always been doing them?
37:03. Chris: Yeah. A good example for us was that we were procuring something from an Australian business. So typically, what we would have done was fax or print that off in the office, sign it, fax it over or email and scan it to our Australian office and then have it delivered to the Australian counterpart for them to receive that signed copy contract. We realized that a huge pain because actually, the person who needed to put their signatures didn't have a printer and a scanner at home. So we just went back to the vendor and said, what else can you do for us? And they said, We can put it on Docusign for you if you like. And we had a very quick, quick thinking when he said, Actually, this is the kind of thing we can trust to Docusign and we realise the value of the contract is low enough that if ever we had some dispute over whether Docusign was a credible way of signing something of this value, we'd be happy to take that risk. So the vendor came back and said we can do Docusign so great, we've now moved to Docusign for everything below a certain financial sign off limit. So whereas we did have a complicated manual process beforehand. All it took was just a question from you know me who's not really a procurement person at all just to say, what could we use something else? Because of a micro frustration I guess, lock down would have put in place. So I think when we talk about business disruption and that digital transformation there's often a bit of a thinking that it has to be done by a some, innovation committee, that becomes a sort of huge piece of work. That's a strategic initiative or something like that. But I think a lot of it could be done particularly these days by, you know, people I guess more at the bottom of the pile just going well, Hey, what if we did something a little bit differently? What if we just turned this thing that normally need to sign off into an email form? If that's okay, you'll find that probably people are more amenable to that kind of, and I want to call it ad hoc change, but it's a less structured change of the way we do business, and as long as that's done in consultation with when it comes to things like legal, sign off the contract thing, make sure the legal department know that you're doing this and have had their had their time to think about it. But you might find that now is a great time to try and put in a few more disruptive or at least modernizing and innovative processes in place that would have just seen anathema a couple of months ago when everyone thought that the world was always going to stay the same. I think innovation often gets dragged into this space, where it feels like it needs to be some revolutionary change the world overnight, a paradigm shift. I think that that's really unfortunate because actually, innovation in many businesses is a straightforward as someone a new joiner who just says, Well, actually, my previous place, we used to do this. Could we try that? If that happens 1000 times then you end up with a far bigger overall change to the business than if you did where some central exec level committee went right, we're gonna move our platform on to some digital something or other. You know, we're gonna go paperless.
The New Normal...
40:00. David: That was very interesting. Very enlightening. Thank you very much for your time. Any final words?
40:07. Chris: I think for me it's this'll idea of the new normal. I think we're all we're all recognizing this. I feel like a few weeks ago I was still in the head space where, and this is socially and economically as well as within the cyber security world and personally, was that we were going to get back to normal at some point, and I was waiting for that to happen. Um, that, but actually that the concept that you know there probably is never going to be a return to the good old days of January 2020 and February 2020 at least for those of us in the west before significant lock downs came in place so we need to start thinking about the kind of world and the businesses that we want to work in and operate in going forward. Those decisions weren't necessarily been made. Well, actually, they will be made for us, but they won't necessarily be made with us. So I think the opportunity is for us to kind of decide how we want the world to look and obviously that sounds like a bit of a grandiose statement but a lot of it can happen on a small level within the organization. So a couple of things that pop to mind is. I know some friends who had to cut their working weeks down to 80 percent salary and time because the businesses has asked them to do so. And actually, I know one of them. A good friend of mine said this is actually really quite good for him because he's not, not necessarily financially out of pocket because he's not commuting, and he's not paying for child care, for his kids, and he's getting to spend an extra day week with those kids. So for him, I think the question will be whether he ever wants to go back to five days a week. I think a lot of yeah, a lot of people are thinking actually, if I don't have to commute to, then what will I do with those two hours? I think it's worth remembering that, you know, there are lots of people struggling with this who don't have the luxury of going, Oh, I have two extra hours to go, go to the gym or actually not to the gym but go outside for a run or something. But for those of us who are maybe in a fortunate position where this is disruptive rather than, a complete overturn of our lives, I think we need to think about the kind of conversations we want to have when, when things you know where the questions are asked. Do people want to be office based workers anymore will prove to people right now that you don't have to be in the office, be as productive as you could be out of the office, and then that conversation will be a lot easier. Conversely, if you do want to go back to the office when it's all over, then remind people you know that you are struggling with whatever situation it is at home that means you enjoy going to the office, or that your focus is better in the office. I think if we just let these things happen to us, then someone at corporate will decide, actually. Well, going back to the office, or that, we never go back to the office and that won't necessarily please everyone. So a bit of thinking right now as to what we want to do in future, I think would be helpful in 6, 12 months time when at least lock down stops, unlocking and offices, start opening again.
42:49. David: All right. So I am really glad I had this chat with you. Thank you very much. Thank you. No problem, I'm happy to talk. Yeah, It's been good to hear your perspective, your point of view a real Mastermind, which was the objective. Inside information on what we need to do to deal with security issues that Covid-19 has presented and raised for us. Thanks very much for joining us today and good luck with the future.
Chris: No problem, and the same to you David, stay safe.
43:20. David: Thank you. All right, That was Chris Gunner Group Cyber Governance Risk manager with mid tier financial specialists. Talking with me about the impact of Covid-19 on cyber security. Thank you for joining this Mastermind session and, if you'd like to know where you can download a transcript or listen into more of our Mastermind sessions, just visit esorma.com. That's E S O R M A dot com and look for the Mastermind recordings page, thank you.