This month’s highlights from our Governance Leadership Centre where we showcase research from around the world.
Recent research has revealed a sizeable gap between board and management perceptions of cyber-security risk.
The findings from the Ponemon Institute, an independent research body in the US, revealed that while 79 per cent of board members believed they had effective cyber-security governance practices, only 18 per cent of IT security professionals agreed. Less than half of the IT security professionals considered their boards adequately informed about the security threats facing their organisations.
This research supports the views of Nathaniel Forbes, an expert in organisational resilience, business continuity and emergency and crisis management, who discussed how Australian directors could change their boardroom practices to better manage digital risk at the Australian Institute of Company Directors’ conference in Kuala Lumpur in May.
“Think like a hacker, for just a moment. Cyber risk is no longer theft of information; it is the weaponisation of information,” Forbes said.
“Any security expert will tell you that the biggest cyber-security risk is management complacency about the threat; and getting management’s attention is a board responsibility,” he added.
Forbes uses the acronym CIA (confidentiality, integrity and availability) to describe how directors can consider and manage digital risk.
“Digital risk always involves breaches to some combination of CIA,” Forbes said. “The best way [to think about digital security] is to think about the impact on the company if the CIA of your ‘digital crown jewels’ is compromised.”
Several high-profile data breaches of customer information have highlighted the significant risks of poor cyber-security governance. Forbes pointed to the 2013 data breach of the Target Corporation, which involved the theft of approximately 100 million customer records and is estimated to have resulted in costs of more than $200 million.
Verizon’s 2015 Data Breach Investigations Report also highlighted that high-profile individuals within companies are increasingly being targeted by hackers for their access to privileged information.
Australia has been more forward-thinking than the US in enacting national data security standards. In a Parliamentary Joint Committee, the Federal Government stated that it is committed to introducing a mandatory data breach notification scheme by the end of 2015. The government also recently released its first unclassified Cyber Security Threat Report, which provides empirical data on cyber-security incidents and advises organisations on how to defend against their “cyber adversaries”.
Protecting your CIA
“Determining what level of digital security is appropriate for information is not a technical decision, it is a governance decision,” Forbes argued.
He also suggests that boards might consider having a digital risk management sub-committee as part of a board’s risk management committee.
“Cyber-security is not just an IT responsibility, all [parts of the company] have to work together,” Forbes said.
“Who sets policy about the use of thumb drives, cellphones or cameras? Management, not the IT department. And who oversees management? The board of directors.”