We break down some of the key considerations for boards and executives to ensure their organisations are adequately prepared for, and able to respond to and recover from, cyberattacks.
It has been said that there are two types of organisations in this world: those that have been hacked, and those that don’t know they’ve been hacked.
The Government estimates that cybercrime costs Australians anywhere between $1 billion and $17 billion each year – and there is little to suggest that the volume of cyberattacks will decrease. In fact, it’s quite the opposite.
Government and business alike have renewed their focus on the issue. Earlier this year, the Federal Government announced its Cyber Security Strategy and a $230 million commitment to ‘advancing and protecting Australian interests online’.
Tech giant IBM has announced plans to open a new National Cyber Security Centre (NCSC) in Canberra, appointing former head of the Australian High Tech Crime Centre Kevin Zucatto to lead a team of cybersecurity specialists to connect Australia with an international network of over 12 security operations centres.
And in April this year, the Australian Institute of Company Directors announced its partnership with the CSIRO’s innovation group Data61 to commit to lift the digital and cyber literacy of boards and directors across Australia.
As part of this commitment, we are holding a series of events for executives and directors on cybersecurity. In June 2016, a group of business owners and organisational leaders came together in NSW to discuss, ‘Is your organisation cyber resilient?’
Dr Katherine Woodthorpe FAICD led a panel of industry experts, including ASIC’s Oliver Harvey, Arno Brok, CEO of the Australian Information Security Association (AISA), and Alex Woerndle, non-executive director of AISA and cyberattack victim turned “cyberattack evangelist”.
The panellists provided their insights on some of the key things that boards and senior executives should consider to ensure they are prepared for when – not if – a cyberattack occurs.
To keep up with rapid changes in the digital environment, boards should ensure that governance processes and cyber policies and procedures are reviewed regularly.
“Don’t just rely on the IT person”
Cyber security is not just the IT department’s problem.
Collaboration and alignment between the board, the executive and the IT department on the overall risk management strategy is the key to success. It is important to communicate which data assets are critical so that the most appropriate protection measures can be put in place.
Brush up on your cyber literacy
Just as boards are expected to have a certain level of financial literacy, boards should direct their efforts to becoming more technologically literate.
Boards are encouraged to educate themselves on the threats and challenges of cybersecurity, to seek external advice, and to consider adding IT expertise to their permanent skills mix.
If you’re on the board, ask the right questions
It is imperative that directors are confident enough to ask questions of their management teams and to challenge the information they are being presented in board meetings.
Read ASIC’s 2016 Cyber Resilience Assessment Report: ASX Group and Chi-X Australia Pty Ltd for a set of questions for board members to consider when evaluating cyber resilience within their organisations.
Protect your “crown jewels”
Every organisation should catalogue the data it holds, and its critical assets, the “crown jewels”, should get preferential treatment. Boards and senior management should:
- define which data is critical
- take time to understand the environment that data lives in and its interdependencies
- establish baselines and assess any security gaps
- secure the data and develop a risk remediation plan
- monitor and measure its security and the related governance processes.
Do you have a fire drill?
Chances are your organisation has practised an emergency evacuation procedure in the past six to 12 months. The same should be true of its business continuity plan for a cyberattack, big or small.
Being 100 per cent secure is next to impossible, so it is important to have a clear plan in place should your data assets become compromised. Be sure to consider the following:
- emergency response options
- management of internal and external resources, including staff
- how management and the board receive situation updates
- crisis communications
- relevant regulatory touchpoints
- consequences of extended outages.
Want to find out more? Read the Company Director magazine for more insights from industry leaders on the threat of cybercrime and the duties owed by board directors.