As hackers become increasingly well organised and sophisticated, boards must understand the potential for a cyber attack is a when, not an if, scenario.
Distribute.IT was a once-prosperous Australian IT business that hosted websites for 30,000 clients.
The business was growing at about 4 per cent a month in 2011 when it was targeted by a hacker, who attacked and deleted the websites Distribute.IT was hosting.
Three weeks of frantic effort to retrieve the data and fix the problem was not enough. The business quickly shed customers and then shut.
A 25-year-old unemployed truck driver and self-taught hacker from Cowra was eventually jailed for the attacks. But that was little consolation for the owners of Distribute.IT, who lost the business they had spent eight years building.
This is an example of the risks in the digital-enabled, cyber economy. In contrast, other companies are ready to seize the opportunities that the new economy has to offer.
Sports apparel brand Nike has been growing its profits by transforming from a shoemaker to an e-commerce retailer. It has also tapped into the growing market for electronic fitness and exercise products and connects its users via social media.
Both examples show how crucial it is that directors are cyber and digitally aware.
Cyber security: every board’s imperative
Professional services firm Deloitte has devised 10 questions that are designed to help organisations identify their strengths, weaknesses and paths to improvement when it comes to cyber security:
- Does the board and c-suite demonstrate due diligence, ownership and effective management of cyber risk?
- Do you have the right leader and organisational talent?
- Have you established an appropriate cyber risk escalation framework that includes your risk appetite and reporting thresholds?
- Are you focused on, and investing in, the right things?
- How do your cyber-security program and capabilities align to industry standards and peer organisations?
- Do you have an organisation-wide cyber-focused mindset and cyber-conscious culture?
- What has management done to protect the organisation from third-party cyber risks?
- Can you rapidly contain damages and mobilise diverse response resources should a cyber incident occur?
- How do you evaluate the effectiveness of your organisation's cyber security program?
- Are you helping to protect your industry, the nation and the world against cyber risks by taking an holistic approach to knowledge and information sharing?
Cases like Distribute.IT are extreme examples, but they illustrate how damaging cyber attacks can be and pose the question of whether Australia’s company directors are prepared for them.
According to Susan McLean, director, Cyber Safety Solutions, few directors genuinely understand the risks cyber threats pose to their businesses.
“The big multinational corporations are starting to get their heads around this. But there is still a perception among directors that it won’t happen to their companies,” says McLean. She says there is a tendency for many directors to assume their companies operate in low risk industries, so a hack won’t happen to them.
“But every company has valuable information; hackers don’t just want access to customer credit card data or money, they want more than that,” McLean says.
She argues some hackers set out to destroy a business and it’s difficult to respond appropriately to this if the organisation isn’t already prepared. So all boards must plan for an attack and recognise cyber security isn’t just an IT issue, it’s a business-wide challenge.
Greg Spencer, principal consulting partner from IT consulting firm Beyond Technology, says the cyber threats facing Australian businesses have materially changed over the last 24 months.
“Whereas organisations have traditionally taken solace from the understanding that they are not a target, the emergence of the hacker industry has taken this distinction away,” he says. “All organisations are susceptible to ransom attacks, and more and more seemingly harmless mid-tier firms are the focus of deliberate and targeted electronic intrusions seeking to either gain financially from their information or undertake data kidnap and ransoms.”
Often hackers are not necessarily seeking information about their immediate target, but about one of their clients. For instance, hackers might target a commercial law firm to access information about the M&A intentions of one of its corporate clients.
Spencer says many boards are unaware the cyber threat has increased so dramatically recently and fail to understand that all commercial organisations are not only susceptible, but likely targets.
“As a general rule, boards can assume that it is not possible to be adequately protected. [But] they should prepare for the event to make sure that it does not become business-ending.”
Board members need to ensure they have an appropriate cyber-incident response plan that is understood by the business and directors. It should cover all important scenarios and be rehearsed and tested.
“It must be maintained on a regular basis to take into account the changing threat matrix and changes to technology and business requirements,” says Spencer.
“The real thing for the board is a change of approach. An organisation taking the stance of ‘let’s prepare for the event’ is not one hoping that they are lucky or fooling themselves that they are not a target. They are truly considering the consequences and what could go wrong.”
Spencer says boards are increasingly aware of their knowledge gap, and the need and their responsibility to be properly informed. But he says there is little point in directors doing tech courses because technology changes too quickly. They should also be wary of relying on an 'IT expert' board member.
“There is a real danger in boards relying on one board member who is labelled the ‘techie’. This often leads to poor governance as other board members defer any technology decision to them and don’t apply normal and appropriate scrutiny,” Spencer says.
James Nunn-Price, Asia Pacific leader of cyber at Deloitte, says while the organisations that directors represent can face cyber threats, they should also be aware they might face threats as individuals. “These might come to them at home or through their positions on different boards because they have a public profile,” he says.
These could be phishing scams to discover usernames and passwords, or to introduce malware to their own computers and potentially the organisation’s. “Someone can make a targeted attack [on a] director … because their information is in the public domain,” he says.
The cyber criminals could be targeting the director for their bank details or as a weak point into the organisation. Stealing passwords and data that is used in a wifi environment, such as a coffee shop or airport lounge, is very easy for hackers.
Deloitte runs phishing exercises with directors and senior executives at companies, for instance sending fake emails to test whether they are taken in and whether they alert the IT department.
Nunn-Price says Australian directors have become a lot more aware about cyber threats, but they need to do more.
“I do think at the moment they’re still not adequately prepared in that they do not necessarily know what they would do if a threat materialises. Who are they going to call? What precisely will they do?”
Nunn-Price says directors are still too hands-off and tend to devolve the oversight of their organisation’s cyber security strategy.
He says boards need to recognise cyber risks are not an IT problem; they are a business problem. Many activities that IT is not involved in such as dealing with customers and suppliers, or supply chains also carry cyber risk. “There are all sorts of risks outside IT in operational systems and the way organisations carry out their business that don’t involve IT,” he says.
“One of the biggest concerns we have is that boards and directors think the CIO [chief information officer] and CTO [chief technology officer] are dealing with the issue and they’re not, because it’s not in their domain.”
Deloitte has assembled a list of 10 questions directors should ask to assess their cyber risk, such as investigating whether the company has established an appropriate cyber risk escalation framework that includes its risk appetite and reporting thresholds. This should provide key risk and performance indicators, and ensure processes are in place to escalate breaches of limits and thresholds to senior management for significant or critical cyber security incidents.
Another is whether the organisation is investing in the right things. There must be clear business cases for cyber security investments, reflected in the cyber security strategy. Directors should also ask whether there is an organisation-wide cyber-focused mindset and cyber-conscious culture.
Executives need to be comfortable talking openly and honestly about cyber risk in a common vocabulary that promotes shared understanding.
Along with threats, the cyber economy also presents opportunities for businesses that embrace technologies.
“The use of cloud services, social media and online customer engagement has changed how companies operate in their marketplace, with the main opportunities to lower operational costs while significantly increasing customer engagement and building new revenue market segments,” says Terry Michael, of TLM, which advises boards on cyber security and digital strategy.
While there are opportunities, companies can also be left behind.
“Company boards that do not understand digital disruption, or have a healthy board culture towards disruption technology, mostly fail to recognise signs that could derail executing business strategy and threaten short- to medium-term revenue growth and shareholder value,” he says.
Michael says a cultural change is needed among boards. When they delve into the business’ growth strategy this should, from the outset, include the digital strategy. “A lot of them see this technology discussion as just being 'these IT people in the back room',” he says.
“Boards should ask what are the organisational realignment or department re-design organisation projects that need to occur to ensure cultural change to reinforce digital disruption and cyber security strategy is effective and efficient?”
At the same time as they introduce a digital strategy they need to be aware of the cyber risks, he says.
Colin Panagakis of paperless boardroom app BoardPad says it’s not just about new business models, it’s also about driving operational efficiencies through existing business. “If a board member is not considering how they can streamline their processes with digital or automated solutions, then the business probably won’t be around too much longer,” he says.
He says boards are now more open to proposals and ideas about digital business models. The elevation of Malcolm Turnbull to the prime ministership has also put more focus on technology and innovation.
Panagakis says directors should look to other organisations to discover how they are using technology and disrupting traditional models.
The stakes for companies are high. Panagakis points to the global rise of ride sharing apps as examples of what can happen to those industries that don’t keep up. “Ten years ago, if somebody was to say that the taxi industry would be essentially changed by an unknown upstart people would have thought you were crazy,” he says.
Director focus: IT security
- Avoid appointing one techie director as the sole board member responsible for cyber security – everyone needs to get involved.
- Assume you will be attacked and prepare for it.
- Identify potential entry points for hackers into the business’s network.
- Explore how cloud solutions could help improve security.
- Directors need to recognise they can be personally attacked as well.
- Put in place systems so the board is consistently appraised of IT security issues.
- Be hyper-conscious about security issues when using a public wifi.
Already a member?
Login to view this content