Nathaniel Forbes outlines the ways boards and directors can manage digital risk and cyber security in the “age of digital warfare”.
Company Directors Conference (Kuala Lumpur), (video 1), May 2015
Company Directors Conference (Kuala Lumpur), (video 2), May 2015
Nathaniel Forbes is an expert in organisational resilience, business continuity, and emergency and crisis management, and has worked with multinational companies across Russia, North America, Europe and Asia.
He gave a speech at the AICD’s 2015 Company Directors Conference in Kuala Lumpur on digital risk and cyber security, discussing the need for directors to manage the risk of digital information being compromised in what he terms “the age of digital warfare”. Two brief videos extracted from his speech can be viewed below.
Mr Forbes discussed a digital security breach dubbed “the hack of the century”, in which American and Israeli clandestine forces allegedly used a computer virus called Stuxnet to sabotage a uranium processing plant in Natanz, Iran. The Stuxnet virus was used to infect industrial control system software that operated the centrifuges which enriched uranium into nuclear fuel, causing these to malfunction and shut down. The virus was only 1MB in size, yet was used to infect more than 38,000 computers.
“Think like a hacker, for just a moment”, says Nathaniel Forbes. “Cyber risk is no longer theft of information; it is the weaponisation of information”. “Perhaps you imagine that your company will never be subject to this kind of attack. That would be terribly wrong”, says Mr Forbes. “Any security expert will tell you that the biggest cybersecurity risk is management complacency about the threat; and getting management’s attention is a board responsibility.”
Mr Forbes uses the acronym “CIA” (which stands for Confidentiality, Integrity and Availability) as useful shorthand for how directors can consider and manage digital risk.
“Digital risk always involves breaches to some combination of Confidentiality, Integrity or Availability of information”, says Mr Forbes. “Information is revealed when it shouldn’t [be], it’s changed when it shouldn’t [be] or it’s not there when it should be. The way to think about digital security is to ask yourself, ‘what is the impact if the Confidentiality, Integrity or Availability of your data is compromised?’”
Mr Forbes considers that the first step for directors is to reach an understanding with management about the key information that must be protected, what he refers to as a company’s ‘digital crown jewels’, a term he derives from the US National Association of Corporate Directors’ publication titled “Cyber-Risk Oversight”.
“Determining what level of digital security is appropriate for information is not a technical decision…it is a governance decision”…“You will never guess all the possible ways that perpetrators will attack you. Instead, a director can think about what information you…have that someone would want to compromise and why. And the best way to do that is to think about the impact on the company if the Confidentiality, Integrity or Availability of your digital crown jewels is compromised.”
Mr Forbes goes on to say that in order to be effective, policy and technology need to be integrated in layers, with different departments working together on digital security. “Each one adds a layer of protection”, suggests Mr Forbes. “Getting them to cooperate is a matter of corporate governance”.
“If your company’s cyber risk strategy depends on responding after a breach by fixing a fault in the software or the network, you’re doing it wrong. The IT department will never find all the flaws. The flaw is not in the software or the network, it’s in people. Training and awareness are essential for every individual in the organisation, starting at the top.”
Cybersecurity governance and the proposed mandatory data breach notification scheme
Mr Forbes’ views are supported by recent research on cybersecurity governance from the Ponemon Institute in the US, an independent research body that conducts research on privacy, data protection and information security policy.
The Ponemon Institute surveyed 245 board members and 409 information technology security professionals from a variety of industries. The research revealed that while 79% of board members believed they had effective cybersecurity governance practices, only 18% of IT security professionals agreed, and less than half (43%) of the IT security professionals considered their boards were adequately informed about the security threats facing their organisations. These statistics demonstrate a sizeable gap between board and employee/management perceptions of cybersecurity risk.
Several high profile data breaches of customer information have highlighted the significant risks of poor cybersecurity governance. In his speech, Mr Forbes points to the 2013 data breach of the Target Corporation, which involved the theft of approximately 100 million customer records. This single breach is estimated to have cost more than $200 million. Target has recently settled with Visa for $67 million, MasterCard for $20 million and created a $10 million consumer fund for affected consumers, following several class actions.
Australia has been more forward thinking than the US in enacting national data security standards. The Federal Government, in a Parliamentary Joint Committee, stated that it is committed to introducing a mandatory data breach notification scheme by the end of 2015.
“Trust, safety and confidence online is good for everyone”, says Nigel Phair, Director of the Centre for Internet Safety at the University of Canberra. “For the mandatory data breach notification scheme to be meaningful, it has to be actionable. The legislation needs to detail what companies should do to notify a person of a data breach, as well as what advice or recommendations they should provide to persons affected by a data breach. The Office of the Australian Information Commissioner will also need additional resources to be able to take action where a company has failed to meet these thresholds.”
The Government has also recently released its first unclassified Cyber Security Threat Report. The report provides empirical data on cyber security incidents, details the range of cyber adversaries targeting Australian networks, and also provides advice on how organisations can defend against these activities.
How should Australian boards and directors protect the Confidentiality, Integrity and Availability of their digital information?
During the Conference, the AICD asked Mr Forbes about how boards can change their boardroom practices to better manage digital risk.
In Mr Forbes’ view, for example, board minutes “can absolutely be sent electronically but not over the public network, not without encryption and not without a strong password”.
Mr Forbes also suggests that, as part of a board’s risk management committee, boards might also consider having a digital risk management sub-committee.
Verizon’s 2015 Data Breach Investigations Report, which looked at 61 countries and almost 80,000 security incidents, has highlighted that companies, as well as high profile individuals, are increasingly being targeted by hackers for their access to privileged information. Targeted individuals include chief financial officers, heads of human resources, and company directors.
“Cybersecurity is not just an IT responsibility… all [parts of the company] have to work together”, says Mr Forbes. “Who sets policy about the use of thumb drives, cell phones or cameras? Management, not the IT department. And who oversees management? You do, the board of directors”.