Thirty years ago, cybersecurity meant dealing with geeks and hackers seeking bragging rights, or disgruntled employees taking revenge on a company. Over the past 10 years, cybersecurity has become a far more serious concern. Hacking is now an industry in its own right.
Today, the worst cyberattacks can leave an organisation’s reputation in shreds or destroy the business altogether. An increase in highly damaging data breaches, intellectual property theft, compromised financial systems as well as stolen records sold on the ‘dark’ markets, ransomware attacks and more, have brought cybersecurity to board level.
Traditionally an IT responsibility, cybersecurity is now an inescapable legal and fiduciary duty for boards, which must protect their corporation’s assets and shareholder value against all business risks, including cyberattacks. How can your board manage cybersecurity so that it maintains data security and gives your organisation a competitive advantage?
1. Determine who is responsible for cybersecurity
Cybersecurity is a mission-critical function that touches every corner of public and private organisations. It is everyone’s business. The natural home for the security of any organisation’s information systems is with those who are ultimately responsible for that organisation – your board.
Typically, boards have placed cybersecurity under their finance or risk management committees. Increasingly, however, boards are giving cybersecurity to a security sub-committee, or to a finance, audit, risk and security committee, to ensure cybersecurity is not lost under the risk umbrella.
2. Identify what needs to change
Organisations need to shift from a compliance focus (“What are we going to do about cybersecurity?”) to one of governance (“What do we need to do to govern cybersecurity from a strategic perspective?”). For your board, this means taking cybersecurity out of the “fear and risk” category and gaining a better understanding of business operations by putting questions to management. Your board also needs to understand what motivates hackers and cyber criminals, and make strategic investments in the teams and technologies that will secure the business.
3. Move with the times
Many boards are already attempting to create more diversity by attracting younger directors who are more comfortable with technology. Including this expertise in your board will equip all directors with a better general awareness of cybersecurity and its impact, as well as provide the opportunity to discuss the drivers and evolution of cybersecurity.
4. Test your responses
Your board must identify key cyber risks and incorporate these into your disaster recovery plan. The plan must minimise the potential for cyber risks to occur as well as the impact if an attack does occur. The plan must also be tested every six months, or at least annually, otherwise the plan is useless.
5. Create new revenue streams
Your board needs to view cybersecurity from a revenue perspective and put the right governance in place. This will not only ensure the organisation’s survival, it may even create a competitive advantage and new revenue streams. Rather than a resources and money issue, this is a matter of creating intellectual and cultural awareness.
Your board also needs to determine the value of what it is protecting from cyberattack, such as intellectual property or customers’ privacy, and what the organisation stands to lose if there is a cyberattack. The board can then decide how much the organisation will invest in cybersecurity.
6. Put cybersecurity on the agenda
An ongoing discussion item is the simplest way to keep cybersecurity on your board’s agenda. Inviting people, such as managers from the business and independent contractors, will educate the board on the IT aspects of cybersecurity. Chairs of other boards can be invited to speak about governance, strategic aspects, and due diligence aspects of cybersecurity.
7. Implement strong processes and strong culture
Most breaches are a result of human nature – the social conditioning that dictates what we do with technology. The people in your organisation must understand what they are doing when they click on email attachments or share their passwords with colleagues. The right policies for hiring and firing must be in place, and employees must have the minimum network access their roles require. Third-party contractor access must also be carefully considered. Your board needs to be clear about the culture it wants to create, and make that desired culture a KPI for the CEO.
8. Define the risk level you are prepared to live with
How much control the board is to have must be weighed against the risk the organisation is prepared to take in order to grow. This becomes part of the organisation’s risk strategy. No board should remain in a state of inertia; it must be prepared for the possibility of a cyberattack and minimise the impact when (not if) the organisation is attacked.
The tools of the hacking trade are easy to find and hackers are cheap to hire. With many networks easy prey, the risks of a cyberattack are increasing. On the dark web, hacker services can be hired to compromise any network, from denial of service attacks that bring down whole websites by bombarding them with thousands of requests, to simple email hacking at around A$300 per address.
When cybersecurity is elevated from a standard risk management and compliance issue and an IT responsibility to a board-level concern, it takes on strategic implications and gives your organisation potential competitive leverage.
This board ‘to-do’ list was prepared in conjunction with Diligent Corporation, Conscious Governance and Advisory Boards Group.