[Image: “What if we don’t change at all … and something magical just happens?” (image source: slideshare)]
Cyber environment threat
In a 2014 Ponemon Institute study done in cooperation with Small Business Online, it was shown that 60% of businesses that experience a cyberattack go out of business within 6 months of the incident. The real cost of cybercrime was estimated at $1b in 2013 and $17b in 2016.
The actors can be State actors, hacktivists or cyber criminals.
You don’t need to be a large organisation to be hit by an attack. The recent waves of malware like WannaCry that hit hospitals in the UK and organisations in 140 countries were executed by scanning the Internet for unpatched computers.
In 2015, a small Australian satellite company, Newsat, was so comprehensively hacked that it had to shut down after being notified by the ASD. Attacks like this happen because doing the research yourself costs far more than stealing it through a state-funded hacking program. Unfortunately, cyberattacks and defences are still seen in the Small to Medium Enterprise space as an IT issue.
Directors need to understand that one of their most important duties is the duty of care, skill and diligence, whether they are governed by the Common Law, Association Acts from various states or the Corporations Act.
The regulatory environment is reacting to the increased intensity and consequences of cyber attacks and new laws have come into play with higher penalties and harsher conditions.
I refer in particular to the Privacy Act, which changed in March 2014, with penalties of up to $1.7m for corporations and $340K for individuals, and to the most recent Mandatory Data Breach Notification Bill, which was passed in February 2017. Organisations, large and small, that are covered by the Privacy Act must comply and implement measures before February 2018, when its penalties and requirements will be enforced.
At the board level, in most Australian boardrooms, the conversation is non-existent or difficult. In December 2016, we ran a survey together with Steve Bowman from Conscious Governance of 16,000 directors and officers. We received 145 responses to our 3 questions. Many of these organisations were from the healthcare space.
The results showed the immediate need to take action and educate directors about the consequences of the threats, about their duties and how to best take action. And at board level, this means creating a Cyber Strategy.
The analysis of the anonymised responses demonstrated the significant gap in the knowledge, governance and cyber security measures required to protect these organisations.
Q1: What has your experience of cyber security been like at the Board level?
Responses could be sorted in three categories:
· No idea (87%), even though 3 of them had already suffered breaches or ransomware attacks
· Some discussion, or had heard about it (8%)
· Stated they talk about it or consider it in the risk register (4%)
One of the respondents had been attacked a few times, and after the last attack the organisation needed 6 months to recover. Unfortunately, none of them stated that they are well informed and have a cyber security strategy in place.
Q2: What do you believe is your greatest risk related to cyber security?
Over 12% of the respondents candidly admitted they did not know or understand.
Around 30% referred to loss of reputation and branding, 40% to loss of sensitive information (with some specifying privacy breaches), and 40% mentioned operational and financial loss, even going out of business.
Q3: What are your top two questions about cyber security that the Board needs to continually consider?
Again, 12% of the respondents gave no answer or admitted they don’t know. 20% referred to risk management, with 20% talking about policies. Directors also thought of bringing an expert on to the board (a “Cyber Director”). Around 25% felt that the responsibility lies with the IT department and that it must do something to defend the organisation.
What should directors do at board level?
· Directors must undertake cyber governance assessments and understand the legal implications of cyber attacks
· Directors must understand and manage cyber security as an enterprise risk and elevate it as it can have a devastating impact within a short span of time
· If they don’t have a director with cyber expertise, they must either try to acquire one or bring in experts to help them
· They must create a cyber strategy and task the management to create a framework that stems from it
· They must set expectations for management to implement cyber risk management across the entire organisation and allocate resources to create the framework
A few of the main questions directors should ask:
· Where does our data reside?
· Do we have a 3rd party HR policy?
· Do we have a contractual clause for breaches via a 3rd party?
· What is our security framework (which includes Cyber Strategy, Regulators and regulatory compliance, standards, plans, audits and risk management)?
· What are our top 5 risks (BYOD, cloud, outsourcing/3rd parties, DR & BCP, backups, firewalls, access, IDS, IPS, antivirus)?
· Do we provide cyber security education at all levels of the organisation?
· What is our crisis management plan for a cyber security breach scenario?
· Do we have a data breach response plan?
· Whom do we notify?
· What are the short, medium and long term actions?
Where to start and how?
· Involve management
· Understand the regulatory obligations
· Understand the current cyber posture – and this does not mean another penetration test
· Classify assets
· Calculate the risk exposure and how much to invest in protecting the organisation
· Decide mitigation strategies and look at all areas – HR, IT, partners, contractors, facilities
· Management to create plans; board to monitor and manage extreme risks and oversee plans
We recommend that if you are on a board or in a senior position you should start the cyber conversation with your board or your colleagues immediately. Start by educating yourself and undertaking a course that gives you a structure for what you need to do.
ABG runs a Cybersecurity course for Directors and Officers where the directors learn about the threat environment, their regulatory duties, what directors can and should do, and the specific questions directors should ask. During the course participants create their own Cybersecurity strategy that they can take away and implement at board and senior management levels.
ABG also offers a Cybersecurity Governance Assessment, which can help organisations implement a cybersecurity framework and will help them become prepared for attacks.
As the FBI director Robert Mueller put it: “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
But it matters how prepared you are for an attack and how you will come out at the other end. Please see advisoryboardsgroup.com for details or contact firstname.lastname@example.org