As a company board member, you know that your duty and responsibility is to oversee the activities and performance of your organisation and to ensure compliance with legal and statutory instruments. You’re probably also very well versed in reviewing operating plans, going over financials, and overseeing corporate strategic (and in some cases operational) risk management.
Why then do most board members view discussing the threat of cyber-attacks by criminals as such a black art and why do many of them shy away from asking the right questions?
The disclosure of major corporate security breaches is now becoming almost a weekly, if not daily, event. The scale of breaches is also growing and the adage ‘not if but when’ would seem to apply to most organisations and boards.
In a recent article by Lucia Milica and Dr. Keri Pearlson in the Harvard Business Review the authors suggest that almost half of the 600 board members they surveyed believe they are unprepared to cope with a targeted cyber-attack, but 76% believe they have made adequate investments in cyber protection. So, what seems to be the underlying problem?
The challenge for board members is to make sense of the current threat landscape, understand how a successful attack would affect their business, and judge whether they are prepared to respond and recover. The challenge is further complicated by the growing number of esoteric names given to hacker groups and by the language security professionals use to describe them. Names such as Cl0p, Lockbit, Lazarus, Fancy Bear, Sandworm, and Wicked Panda proliferate. A range of additional designators such as Storm-0558, TA505, and a variety of APT numbers associated with hacking groups in China, Iran and North Korea compound the problem faced by cyber security specialists in translating technical jargon into business language that board members can understand.
In my experience, the difficulty in communication between ‘cyber securocrats’ and board members often results in the latter leaving discussion and oversight of the response to cyber security risks to either the Chief Information Officer (CIO) or the Chief Information Security Officer (CISO), IT Security Manager, or, in some cases, the IT managed services provider.
The latest high-profile security incident involving Microsoft has been attributed to a China-based hacker group called Storm-0558, which acquired a private encryption key that apparently enabled the hackers to gain access to mail applications in government and private sector organisations in the USA and Europe. In another recent successful attack, hackers believed to be linked to the Cl0p ransomware group exploited flaws in the MOVEit managed file transfer service, which many organisations use to securely transfer sensitive files between supply chain partners.
In many board meetings that I have attended, board members have focused on the investment in technologies needed to counter the threats the organisation faces. Investment in protection still seems to get the lion’s share of budgets. We know that no matter how much money is spent on technologies or programs to stop cyber-attacks from succeeding, organisations cannot be completely protected. That is not to say organisations should stop investing to protect assets, but limiting discussion at board level to protection is short-sighted, and equal discussion needs to be focused on business resilience.
In the USA, the Securities and Exchange Commission (SEC) has proposed more explicit recommendations for cyber security risk management and governance at board level. For larger companies, this includes adding explicit cyber security expertise to the board. For smaller companies, this might not be possible, but boards and board members need to move up the learning curve on cyber security and the risks a cyber security breach poses to their company. Board members will then be able to have meaningful discussions with their cyber security specialists about cyber risks and the organisation’s cyber readiness, preparedness, and resilience in the event of a breach.
What are the basic steps boards should take?
- Boards should start with board education to improve literacy on cyber security risks. They need to understand their risk appetite, the trade-off between cost and risk, and what the company can afford to lose should it be breached.
- Additionally, board members should adopt a cyber security framework that is well understood by each board member. One of the most widely accepted is the US NIST Cybersecurity Framework, which provides a good scoreboard against which the organisation’s cyber security maturity can be measured and reviewed.
- It is also critically important that boards have a cyber security response protocol in place so they can respond quickly and effectively to a cyber-attack or breach.
Cyber-related risk is one of the top concerns at board level and one all company directors and board members should be mindful of. Bill McCluggage is presenting our upcoming IoD Cyber Course titled, ‘Navigating Cyber Security Risk for Directors’ starting on Tuesday, 12th September.