
‘It’s not a case of if, but when’
This was the stark message from Eddie Hawthorne, CEO of Arnold Clark, Europe’s largest privately owned car retailer, when talking about the company’s high-profile cyber-security attack on 23rd December 2022. Joined by Jude McCorry, CEO of the Cyber and Fraud Centre – Scotland, Eddie has taken a position of sharing the hard lessons learned from this crisis in a bid to highlight the very real and increasing threat that this major criminal activity poses to a wide variety of organisations and individuals.
Our guests heard how he and his team responded to the criminal attack, the key lessons they learned, and the strategies now in place to build both cyber resilience across the business and personal resilience within the leadership team. Cyber-attacks are a growing and inescapable reality, yet few leaders are willing, or permitted, to share their experiences. We are therefore grateful to Eddie for his openness.
Together Eddie and Jude provided some very useful and fundamental learnings.
It is important to be aware that a cyber-attack unfolds in four stages, with stages 2–4 happening very rapidly:
- Reconnaissance – the attackers gather intelligence and identify weaknesses
- Landing and access – first entry to the system is gained
- Expansion – the attackers escalate their access and gain control of the network
- Exploitation – the attackers execute their objective, such as stealing data or deploying ransomware. This is the stage at which ransoms and demands are made.
Protection, prioritisation, proactivity and professional support are fundamental:
- Complacency is not an option – this is the biggest risk to any organisation. Cyber security should be a significant Board priority with dedicated resources and strategic focus.
- Kill Chain Response – speed of response is vital to stopping a cyber-attack. Introduce at least four layers of protection and defence across the attack chain.
- Prioritise Incident Response capabilities – engage your own Incident Response partner, or ensure your insurance company can offer this service. You don’t know you need it until you need it, so it is far better to have it in place beforehand.
- Internal cyber hygiene – foster a no-blame culture where staff can easily report any suspected security issue, spam or phishing email.
- Test, test, test – akin to a regular fire drill, test your cyber resilience and incident response regularly with staff, suppliers and other stakeholders. This could make the difference in stopping or controlling an attack.
- Risk Register categorisation – cyber threats should always be rated red on the risk register and considered at every opportunity by the Executive and the Board, regardless of organisational size or the data held.
- Cyber security skills on the Executive – embed cyber security expertise within your leadership team, or secure external advisors. As attacks become more sophisticated, dedicated expertise will be essential.
- Honest communication – transparency with your staff, customers, suppliers and other stakeholders, as far as is legally permitted, is welcomed and helps to mitigate reputational damage as well as build trust.
- Professional body support – working with the National Cyber Security Centre or Cyber Security Scotland to gain industry and policy advice is hugely beneficial to your organisation, and also helps others mitigate further crises.
In an era where cyber-attacks are escalating in both frequency and sophistication, the insights shared by Eddie and Jude serve as a crucial reminder that no organisation or individual is immune. Their candid reflections reinforced the importance of proactive cybersecurity measures, strong leadership, and a culture of resilience. The discussion underscored that cybersecurity is not just an IT issue—it is a fundamental business risk that requires Board-level attention and continuous investment.