Cyber crime is making headlines around the world, with high-profile victims from a range of industries hit by ransomware attacks in recent months. Optus Business Insights has twelve questions that boards need to be asking to be prepared.
German personal-care company Beiersdorf AG announced earlier this month that the Petya attack will wipe €35 million ($52 million) off its first-half sales.
The Australian government’s Cyber Security Minister Dan Tehan told the ABC back in May that ransomware was costing the national economy about $1 billion a year. Lloyd’s of London has estimated that a malicious attack taking down a cloud service provider would result in global losses of $53 billion.
The lack of sophistication in these attacks, which exploit common vulnerabilities in computers running Microsoft Windows, is perhaps the most frightening aspect of the global carnage. There’s widespread acceptance that the worst is yet to come and business leaders are living in fear.
Spending is on the rise (but it won’t be enough)
Research firm Gartner estimates that cyber security spending topped $US80 billion last year. The trend for throwing money at the problem shows no sign of stopping. Cybersecurity Ventures has predicted global cyber security will be a trillion-dollar market between 2017 and 2021.
While investment in products and services is needed, it won’t be enough to prevent further horror stories. We need to change the culture within organisations and acknowledge that cyber security is not just the responsibility of a specialist team. Everybody has a role to play.
We need to get different functions within a business working together to develop a coordinated response. And those collaborations have to extend beyond the four walls to build group knowledge across industry, government and academia.
That’s why Optus partnered with Macquarie University to develop a Cyber Security Hub. It recently produced a short whitepaper: How Can Company Boards Build Trust When Faced By Cybersecurity Risks? This explored the cyber security risks facing companies, examined how those risks undermine trust and the actions boards can take to restore it.
We’ve used these recommendations to develop a list of 12 important cyber security questions your board should be able to answer. A really engaged board is crucial in the fight against cyberattacks. They’re risk-averse by nature so it should be easy to get their attention.
12 cybersecurity questions for your board
- Skills & Experience – Do you have sufficient skills and experience within the board of directors for a sophisticated discussion of cyber security risk in a business and legal context? How does the make-up of your board compare to rivals in this regard? Which organisations should you look to for best practice?
- Obligations Management – How does cyber security risk impact legislative, regulatory and stock exchange obligations? What policies and procedures should you have in place to mitigate these?
- Risk Assessment – Have you done a cyber security risk assessment? If not, which external experts should you appoint to do it? How much should you invest in getting this assessment done?
- Strategy Development – Do you have a cyber security strategy in place? If not, who needs to play a part in developing one? Which risks should be accepted, avoided, mitigated or insured against? How will it align with other strategies?
- Third-Party Relationships – What relationships do executives and senior management have with relevant third-parties like law enforcement, crisis response experts, regulators and technical consultants?
- Performance Goals – Is the cyber security strategy and risk response plan adequately reflected in the key performance indicators of executives, senior management and employees?
- Measuring Effectiveness – How is the effectiveness of cyber security risk response plans being measured? How do you ensure ongoing compliance? What maturity models have been developed for your industry?
- Response Testing – How is the effectiveness of cyber security risk response plans being tested? How often? This is not just a test of technical capability. How well is senior management able to handle press, investor, regulator, employee and customer challenges that flow from these breaches?
- External Scrutiny – Does your consolidated risk report include assessment of cyber security risk that would withstand scrutiny from external auditors? This will likely be crucial in dealing with any future litigation.
- Stakeholder Communication – How are the measures taken to address cyber security risk communicated to customers, suppliers and other stakeholders to set expectations and build trust?
- Cultural Expectations – Cyber security is a journey and mistakes will be made along the way. So, does your culture promote openness and best efforts in addressing cybersecurity risks and breaches? What external tests are being carried out to help identify risks?
- Testing & Updating – How often are cybersecurity strategy and risk response plans tested and updated? How is new knowledge incorporated into subsequent versions?
There’s no time like the present
Cyber security concerns undermine trust, causing huge financial and reputational damage that’s difficult to repair. While these attacks are difficult to prepare for and defend against, there’s no excuse for being a bunny in the headlights.
Your company board must take practical steps now so that they’re able to respond effectively if and when disaster strikes. Failure to do so would be negligent and exposes your business to unnecessary risk. Nobody wants to be tomorrow’s cyber security headline.