For robust cybersecurity, make risk relatable
UKPN keeps the lights on by making cybersecurity meaningful for individuals at all levels of the business
A robust cybersecurity posture is about more than technology and frameworks, but companies often struggle to convey why it matters. Matt Webb, UKPN CIO, explains why he takes a human-first approach to cyber.
Critical National Infrastructure (CNI) refers to the essential systems, assets and services that a country depends on to function. UK Power Networks (UKPN) is designated CNI due to its role of distributing electricity across London, the Southeast, and East of England. A disruption to UKPN’s services could lead to widespread power outages, with all the knock-on effects on other aspects of CNI.
Cybersecurity is of the utmost importance at the company, and Matt Webb, UKPN CIO, is ultimately answerable for it.
“It's a big function,” Webb acknowledges, “but there is value in having those technology-oriented functions together.” The alternative structure is cybersecurity reporting into the risk management line, but Webb argues that at UKPN this simply wouldn’t be effective.

“When you look at what the cyber assurance framework entails, it cuts across all facets of IT, as you would expect. To have it as a separate body imposing change on those that are doing it would increase complexity, so having us all within the one tent allows us to have much better cohesion and hopefully a better result.”
The “cyber assurance framework” Webb refers to is the NCSC Cyber Assessment Framework (CAF), the framework that UKPN, as an operator of essential services, is assessed against. Its four objectives cover managing security risk, protecting against cyber attack, detecting cyber security events and minimising the impact of incidents. Nonetheless, given the deteriorating geopolitical outlook and the rising likelihood of more severe cyberattacks, regulators are raising the bar.
“It's a well-established cyber standard, but there are different levels of maturity,” Webb says. “We have the level of accreditation that's currently required from a regulatory standpoint, but Ofgem, because of the increasing cybersecurity threat, is driving the need to have an enhanced profile, which is the top level of resilience across all the different facets of cyber.”
The regulatory target is to have this enhanced profile by the end of 2027, but Webb isn’t planning on hanging around.
“We're not waiting to tick that box in 2027; we're looking to accelerate that and achieve that level as soon as possible. There are certain areas where we're more mature and already at enhanced profile, and others where we're on that development pathway. Each DNO [Distribution Network Operator – there are 14 in total across the UK] is going through the same process.”
Keeping it real
Webb understands that cybersecurity is a very people-oriented discipline – or at least, it should be. However, the cybersecurity industry hasn’t always helped itself by making sneering allusions to people being ‘the weakest link.’ Webb frames the challenge with considerably more diplomacy.
“You can have the best technology in the world, but it’s the squidgy human that poses the greatest vulnerability in most instances. The behavioural, cultural and awareness aspects of cyber are part of the cyber resilience program of work as well as being delivered under BAU [Business as Usual].
“For instance, we have sustained phishing test campaigns where we put out spoof phishing emails and follow up with mandatory training if they fail. What we are beginning to do more of is trying to bring it to life and make it more meaningful to individuals. Everyone knows about cyber security. You can't turn on the TV for five minutes and there not be something to do with cyber, so the awareness is there. But we need people to ask ‘what does it mean to me? What role do I play? Why should I care?’ That’s where I think there’s a gap.”
Part of Webb’s strategy for bridging this gap is to share pertinent real-world cases that illustrate real consequences. This adds context and colour to a concept that can often appear abstract or esoteric to individuals. He continues:
“A good example of that is the increasing incidence of AI-enabled deepfake images or videos being used to extort payments. That’s not what most people think about when you talk about cyber security. An example I gave recently was where a CFO authorised a payment off the back of a deepfake Teams interaction. We share use cases that make it a bit more real.
“Equally, we target every level of the organisation, including our executive team. There's always a challenge in making these test exercises feel real. The goal is to stop them being purely academic exercises and to test things in anger with real-world concepts and scenarios, and to share examples of the impact.
“For instance, one of the things we did with the last round of testing was to ask an independent party to scan the Internet to understand what we could find in terms of publicly available information about our executive team. We then put that in front of them and asked if they were aware of it. It’s about how you make it real, and that's one that might change behaviours and inspire a little bit more diligence when it comes to cybersecurity.”