Malicious cyber activity is well publicised and we see continuous attempts from state-sponsored and criminal groups to breach our protective controls to steal data. As a water utility and operator of critical national infrastructure (CNI) we are further exposed to the increased risk of targeted attacks intended to cause disruptive impact to the UK.
We also need to consider the threat posed by a complex partner ecosystem that supports our increasing reliance upon new technologies and cloud services that underpin our digital strategy. Equally, the advancements in technology that make our lives more efficient and interconnected also start to blur work/personal boundaries, thereby increasing the threat.
The most significant cyber risks for our organisation are:
- Breach of customer, employee or sensitive business data resulting in the data reaching the public domain or unauthorised groups;
- Critical service, technology or data unavailability resulting in disruption to business processes and system failures;
- Loss of data integrity leading to operational/ customer impacts and exposure to the risk of fines and penalties; and
- Compromise of operational resources by malicious groups, leading to service disruptions, loss of supply or environmental breaches.
Cyber risk mitigation
We take a holistic view of the risks and mitigation options to define the strategy, control framework and plan by which we protect our data and information assets. We deliver this through our governance framework, which includes executive level engagement and regular reporting to our group board.
Our security controls framework includes the following:
- Through the integration of our IT and Operational Technology (OT) functions within our Digital Services business unit, we have integrated our security operational management practices and implemented a single delivery programme for our security strategy.
- A security strategy covering all areas of our business that provides the baseline for our compliance with the Network and Information Systems Directive (NISD). Our strategy is underpinned by our security investment plan, which has been set to deliver the required control capabilities.
- A cyber incident response plan that includes the services of third party specialist forensic responders, including government agencies, who provide support in the event of a critical cyber incident.
- A suite of testing options to validate control effectiveness, e.g. penetration testing, audits and scans. We periodically take this testing a stage further and employ specialist 'Brand Damage' experts to simulate a real attack on our business.
- Through our information security team we undertake assurance activities across the full life cycle of all technology and data solutions.
- To provide the most secure environments possible for customer data and services, we undertake comprehensive, always-on monitoring of all critical IT systems for any unexpected security events.
- Through proactive government and industry engagement we have developed good practice guidance and created support communities to foster collaboration. Our staff currently hold the chair positions of the Water Sector Strategic Security Board and the Water Security Information Exchange.
- We have an extensive employee cyber education and awareness programme that highlights areas of risk, policies and controls to provide the guidance and understanding of the cyber threat. Beyond employee education, we have also invested in specialist training and certification for our information security team who hold internationally recognised accreditations.