Cyber-risk is a major threat to organisations. So what’s the Board’s role in guiding a risk-management strategy in this setting?
Cyber-risks are no longer a challenge for the Chief Information Officer (CIO) or Chief Information Security Officer (CISO) alone - these incidents are now a significant operational risk and one that has consequences for every aspect of an organisation's risk profile. Addressing this challenge must start with the Board, as directors now need to dedicate more time and energy into developing a comprehensive strategy to mitigate cyber-risks.
BDO USA’s 2015 Board Survey highlights that more than two-thirds (69 per cent) of corporate directors surveyed report their Board is more involved with cyber security than it was 12 months ago. This is a noticeable jump from 2014 when only 59 per cent of directors cited an increase in time spent on cyber security.
Australia's changing cyber-risk landscape
There's no doubt that cyber-risks have quickly become a major concern for organisations. High-profile cases in Australia and overseas have highlighted the significant reputational risks that accompany a major security breach. Likewise, the emergence of more interconnected enterprises and the increasing frequency of cyber-attacks have all led to this risk profile increasing rapidly in recent years.
The range of potential targets for a cyber-attack has also increased. Historically, those cybercriminals seeking to make money from their attacks have mainly targeted those organisations holding personal financial information, such as banks and retailers.
However, their focus is now expanding to include sectors like government and healthcare, which hold non-financial personal information that can be used for financial gain, e.g. identity theft that criminals use to gain access to an individual’s bank account. Small and medium-sized businesses are also increasingly being targeted, as these organisations may have less mature security measures in place compared to larger organisations. At the same time, Board members often don't have an in-depth knowledge of cyber-risks. Many Board members won't have a background in IT security, which means they are often lacking the basic technical knowledge to fully understand these risks and their potential impacts on a business.
The first step for a Board with relatively low knowledge of cyber-risk is to understand the risks that are present in its industry and how these could affect their business. From there, the next step is to identify what systems and information the organisation couldn’t afford to lose.
Know what needs protection
When it comes to cyber-risk, not all systems and information are business critical to your organisation from a business interruption perspective. Boards looking to build better resilience against cyber-risks must obtain a good understanding of what the business’ critical digital assets are, that is, the systems and information so central to the business that you can't afford for them to be lost or disrupted through a cyberattack.
From there, it’s important to assess the security measures in place to protect these digital assets and what the impact will be if these are compromised.
BDO USA’s 2015 Board Survey found that only one third (34 per cent) of respondents have completed documentation and assessments of their business critical digital assets and developed solutions to protect them.
It’s important this assessment is done on a regular basis, as it identifies changes in the risk landscape and highlights an organisation’s current cyber risk posture. If this exceeds its risk appetite, then further resources should be invested into cyber security efforts to reduce the cyber risk posture for these assets.
Be prepared to respond
As the number and sophistication of cyber-attacks increase, so will the likelihood that your organisation will be exposed to a cyber incident. It’s important that organisations have a Cyber Incident Response Plan in place so they can respond to, and recover from, these incidents. Alarmingly, BDO USA’s 2015 Board Survey found that less than half of respondents (45 per cent) have a cyber breach/incident response plan in place.
It’s also important that this Cyber Incident Response Plan is regularly tested and validated, as doing so will ensure business leaders are prepared for a cyber-attack. The Board needs to be included in this process as this will improve the directors’ general awareness of cyber-risks and what their role is in responding and recovering from a cyber-attack.
Insuring against cyber risk
It might not always be possible for you to avoid or mitigate cyber risks by implementing strong security mechanisms to protect your digital assets. For this reason, some organisations decide to accept or transfer their cyber risks by taking out cyber insurance. If your organisation decides this is the best course of action, a thorough assessment of the cover options available, their inclusions and exclusions, and cost/value benefit should be carefully analysed.
Creating a cyber-resilient board of directors
Beyond these specific steps, the core goal for all organisations must be to become more cyber-resilient. This involves integrating the aforementioned risk assessment activities into the Board's activity in exactly the same way as it would manage more ‘traditional’ risk, such as OH&S and reputational risk.
The Board has an important role to play in setting the tone for the organisation as a whole. Ultimately, everyone in the organisation has a role to play in upholding the security of the organisation, but the Board must lead the way so every level of the business is aware of the cyber risks they face and how to effectively respond and recover from a cyber incident.
As with every aspect of risk management, responsibility for cyber-risk stops with the Board. Those Boards that are proactive on this front and focus on building that cyber-resilience will be far better placed to navigate this new threat landscape.
To help you learn more about enhancing the cyber resilience of your organisation we’ve created two valuable resources. Our Cyber Security Checklist sheds light on the key factors to consider in lowering your organisation’s cyber-risk profile, and our eBook – Setting the tone from the top: The role of the Board in cyber security – provides guidance on the steps you can take to get your Board on the path to engaging a cyber-savvy mindset.