Board Communications

Avoiding Cyber Confusion in the Board Room

It is imperative that Directors understand the cyber risks facing their companies and organisations. The increasingly complex internal and external landscape presents unique challenges for Boards. Several key steps can however significantly increase the cyber resilience of any company or organisation, irrespective of size.

The article outlines five key steps that can assist Directors see the cyber trees from the forest.

 

The frequent use and misuse of terms such as cyber security, cyber risk, cyber risk profile, and cyber resilience confuse even the most skilled and experienced directors and executives. Boards grapple with a myriad of cyber security reports from management, briefings from consultants, and well-intentioned but confusing industry and regulatory publications.

The rapid growth of the cyber security industry has seen an increase in the number of cyber frameworks, industry guides, and organisational functions and roles. As a result, it is often challenging to see the cyber trees from the cyber forest.

The significant cost, business disruption, and reputational damage of cyber incidents have however raised the stakes considerably. The expectations of shareholders, regulators, business partners, customers and the wider public require that companies and organisations fully understand cyber risks, are well prepared for a cyber-attack, and can handle incidents effectively.

In 2020, we have seen several high-profile private sector incidents. The UK- based foreign exchange group, Travelex, was the subject of a ransomware attack in January this year. Its business operations were disrupted for many weeks and months following the attack. As a result of this incident and COVID-19, Travelex was subsequently placed into administration. In Australia, the Japan Post-owned logistics group Toll Group was the subject of several major cyber security attacks that resulted in a number of its critical IT systems being shut down and significant business disruption.

How does a board get its mind around managing cyber risks in its organisations – with or without a cyber security specialists?  Faced with complex technologies in every aspect of a business, increasing tech-led business partnerships, and prescriptive regulatory requirements (such as GDPR in the EU), boards must quickly cut through the industry terminology and implement well thought out and achievable strategies to address the cyber threats.

Firstly, let’s deal with the terminology. In simple terms, cyber security, cyber risk, cyber risk profile, and cyber resilience are, as follows:

Cyber Security – the measures taken within a company or organisation to protect itself (its assets, data and information, and business activities) from a cyber-attack or cyber event.

Cyber Risk– a somewhat generic term that is an individual cyber risk or group of cyber risks that a company or organisation faces risk the company is exposed to.

Cyber Risk Profile – an assessment of how well prepared the company is to defend against a cyber-attack taking into account the investment it has made in cyber security, its policies, processes, and practices taking in to account the size, shape and nature of its business.

Cyber Resilience – Similar to Cyber Risk Profile. It is an adjective to describe how good (or bad) or strong the company’s defenses and preparedness for a cyber-attack, incident, or event. The term also refers to the ability of the company or organisation to recover from a cyber security incident.

In the spirit of keeping it simple, it is often best talking about cyber security (the strategy, the plan, the measures in place). This is with the goal of becoming as cyber resilient as you can be (or is feasible).

For the boards of larger companies and organisations, the management of cyber risk is a significant exercise involving investment in the millions, the development of detailed security strategies and initiatives, and the recruitment of teams of cyber security specialists.

 

For all boards – irrespective of size – there are five key steps to address:

1. Develop a Cyber Security Strategy

Have a plan. Understand what your key assets are, understand your business practices are and identify what is required to protect them from cyber-attacks.  It is important to undertake an assessment of the current risk profile of the company or organisation and develop a strategy based on this.

To help businesses get started and increase awareness, government bodies have made available a wide variety of free resources for all businesses. In the US, the FCC and the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency have published range of resources for small, medium and large businesses. In Europe, the SMESEC consortium recently launched a framework to protect SMEs against cyber incidents. In Australia, the Australian Cyber Centre has a range of resources for small, medium, and large businesses. Implementation of these strategies will invariably require specialist support and advice.

Related Whitepaper: The Silent Cyber Risk Threat in the Boardroom

2. Governance, Roles and Responsibilities

The Cyber Security Strategy will include in it an outline of the governance and roles and responsibilities within the company or organisation. There must be clarity on how it all fits together. In addition, there needs to be an assessment of the level of funding and resources required. Again, this will require specialist support and advice. It is also important to make sure that cyber security is incorporated into any strategic planning, business planning, and investment approval processes.

Related Article: Risk Oversight and the Board of Directors

3. Regular Reporting

Like managing any other aspect of a business’s activities, regular reporting will be needed.  It is important to establish a reporting rhythm that provides the board with comprehensive, yet ‘fit for purpose’, cyber security management reporting. It needs to be in a language the board understands and balances the reporting of the current environment, incidents and near misses, and emerging cyber threats. Make sure you get information on what and how is being done – not just meaningless statistics. If there is a road map in place to improve cyber resilience the reporting should include updates on projects and initiatives underway.

Related Article: Is your governance up to scratch? Let the ASX recommendations be your guide

4. Frequently Review Cyber Risk Profile

Nothing stands still. This applies to cyber security also. It is essential to, as a minimum, set aside time for formal half yearly or annual deep dives or workshops on cyber security.  The board needs to stay abreast of the company or organisation’s risk profile as well as changes in the external environment. This is often best coordinated with – or after – any external reviews that have been undertaken. These workshops can also be done in conjunction with board education sessions.

Related Article: Boards of Directors lead in Cyber Security

5. Board Education

Regular board education sessions are essential. New cyber risks are emerging every week (the threat landscape is changing as it is termed), the cyber security industry is evolving, and the regulatory environment is constantly changing. Board education sessions should be at least once or twice a year.  Even for small to medium-sized organisations it is a good investment. These sessions can be as technical or non-technical as the board wishes them to be. A range of business partners and suppliers can assist.  Auditors, IT business partners, government bodies, and other third parties are always willing to conduct board education sessions.

There are no guarantees in life and there is no certainty that a business will never be the victim of a serious cyber security attack or incident. In fact is it more likely that a business will have an event take place. However, do not wait for the incident to take place before acting.  A modest investment in cyber security can significantly improve the cyber resilience of the company or organisation.

Related Article: Director Due Diligence

See how Diligent can help

Diligent’s suite of governance solutions adheres to the highest security standards, including 265-bit encryption, remote locking and two-factor authentication. And it’s all backed by industry-leading support, including 24/7/365 concierge-level employee support with unlimited user training.

To discover how Diligent can help your organisation, contact us at info@diligent.com or request a demonstration.  

Most Downloaded Whitepapers

Featured Blog