Australia is facing an unprecedented threat to cybersecurity. As the number of attempted attacks escalates, the methods used by malicious actors are also rapidly evolving. Are Australia’s boards adequately prepared for this growing threat?
Boards set the tone for how an organisation will manage cyber risk
Diligent’s 2017 survey, The Silent Cyber Risk Threat in the Boardroom, found that fewer than three in 10 respondents (29%) felt confident that their board communications were currently secure. The Diligent survey of 118 directors, governance professionals and senior executives across more than 350 listed companies in Australia and New Zealand mirrors the ASX’s Cyber Health Check Report. That report found that 80% of boards believe companies should do more to protect themselves from cyber threats, and 93% of respondents said that their board colleagues take cyber risk very seriously.
At a minimum, directors need a single, secure and convenient platform on which to access and review board materials and to communicate with each other and with management. Yet only 40% of the surveyed organisations have implemented a secure board portal, and of those that have one, only 57% say it is used regularly.
Cyber risk is everyone’s concern from the boardroom to frontline staff
Cyber risk affects everyone. To reduce the risk of data breaches, leaks, litigation, regulatory fines, sanctions as well as financial or reputational loss, boards and data security departments must collaborate in an enterprise-wide approach. IT and data security departments need to be involved to provide infrastructure and expert advice as well as to monitor adherence to security protocols.
The Diligent survey found, however, that in almost two-thirds of cases IT or Data Security is either not involved in board operations (51%) or its role there is unclear (14%). Fewer than one in five organisations (18%) report that IT monitors the board’s adherence to corporate communications guidelines. Only a quarter of respondents (24%) say there are regular security audits of the board’s communications practices.
Cybersecurity training, testing and audits need to occur at all levels, including the board
If directors are to effectively oversee the management of cyber risk, they must adhere to the same IT security protocols as staff members. Yet only 15% of respondents in the Diligent survey said that their board is required to participate in cybersecurity training. Among the few boards that do train, annual training is most common (50%), while a significant minority undertake it as a one-off activity (22%). Large organisations are twice as likely to require their directors to complete cybersecurity training (31%), though even that figure is well below ideal.
In this climate of growing cyber threats, no board can afford to be complacent about the risk of cyber attack. To defend against and respond to growing threats more effectively, boards will need to continue to instil awareness, build capability and expand understanding.