Cybersecurity is a complex issue that demands the attention of every business. It’s no longer a matter of whether there will be a cyber breach, it’s when it will occur if it hasn’t already.
The unfortunate truth is that companies need to assume that their organisation’s information network either has been, or soon will be, compromised despite their best efforts.
Symantec’s most recent Internet Security Threat Report found that over half a billion personal records were stolen or lost in 2015, mostly as a result of attacks. Within Australia, the average number of ransomware attacks per day grew 141 percent and Australia is one of the top five countries globally that is inundated by targeted attacks.
But is cybersecurity an issue for the board? Isn’t it just something that needs to be controlled by management? I believe it has become a critical issue for directors and executives.
The key is how quick and effective the response is and in that respect, the board has a vital role in ensuring management has created an organisation that is equipped to deal with cyber threats and attacks.
“When financial losses, intellectual property theft, reputational damage, fraud and legal exposure are all at risk, it’s necessary for information security to get the full attention of company executives,” an Australian Deloitte report, Directors’ Cut Board Effectiveness Edition 5 2015, says.
And while 73 per cent of the directors surveyed for the report said they were aware of the risks associated with doing more business digitally, “37 per cent were neutral on the question of how well cyber risks were being managed”.
Just as attacks are increasing in speed, there is a growing number of methods being used, including: stealing or corrupting data, stealing information such as credit card details, sabotage and espionage.
Further, the threat to Australian and Pacific organisations and companies is every bit as serious as to those in Europe, America and Asia. If an organisation is connected to the internet, it is vulnerable.
The incidents that make the news are just the tip of the iceberg. Most organisations are unwilling to admit publicly that they have been the target of attacks for fear of damaging their reputation and opening up legal problems.
To meet the challenges of an increasingly complex environment, organisations need to invest in the best defences. Compromise is expensive and can lead to financial losses, reputational damage, loss or damage to IP, and disruption to the business.
A cyber attack can also lead to regulatory action and increased insurance costs. All of this adds up to a board-level concern.
It is essential that organisations conduct comprehensive risk assessments to identify and manage jurisdictional, governance, privacy, technical and security risks. Some of the things directors should consider are:
- where your data is housed (onshore versus offshore), and whether it is subject to lawful access by a foreign government, or jurisdictional laws. Some foreign-owned cloud service providers (CSPs) acknowledge that they are obliged to disclose customer data in response to official requests and may be unable to notify customers beforehand
- whether information is stored in multiple disparate locations, allowing more people access and increasing the chances of an attack or disruptions
- whether the multi-tenancy nature of cloud computing (i.e. where providers host multiple customers on the same computer servers), increases the likelihood of unauthorised access or network compromise
- whether a CSP now controls security measures that were previously done in-house
- whether you have access to qualified security experts that can monitor and analyse advanced security threats to help minimise the business impact of cyber attacks
- whether you have the ability to respond to security incidents and whether you can shrink the time between incident detection and resolution, to help reduce the probability and severity of future incidents.
A global Deloitte report, Directors’ Alert 2016, estimates that more than 245 million data records are stolen by cyber hackers every day around the world – or 16 records per second.
That should show management and boards how fast cyber attackers are moving and how much more sophisticated and harder to investigate and contain they are becoming while company defences struggle to keep up.
It should also be obvious that directors may want to review their oversight of cyber security, bearing in mind potential attackers may already be inside the organisation’s network. Boards also may need to regularly challenge and critically review their organisations’ cyber crisis management capabilities.
For example, boards may want to give their board-level cyber risk committees the power to allocate resources or create a board position to oversee senior management to ensure there is a focus on cyber security. Directors might also want to establish mechanisms for accountability that are controlled by their own independent cyber security experts.
With the threat of cyber attacks growing and technology permeating all aspects of life, I don’t think you can be a responsible board member and not be concerned about cybersecurity. Instead, directors need to inform themselves about their organisation’s cyber strategy, what information is shared to third parties, and the security of their networks – both for the company’s protection and their own.
Ian McAdam is Symantec managing director for the Pacific region