The increased and continued threat of cyber attacks means it is more important than ever that boards ensure their organisation captures and stores information adequately and securely.
Eighteen months ago, Greg Spencer MAICD, principal partner at Beyond Technology Consulting, was helping clients to prevent a cyber attack. Today he is also advising them to plan for when a cyber attack occurs.
“Cyber risk has exploded across the board and, as a result, our advice to boards has changed very significantly,” he says. “We estimate that non-reported attacks have risen by over 350 per cent in that short period of time.”
Many companies also have more at stake. “The extent to which organisations are online or connected to the internet to deliver their services is continuing to increase,” says David Thompson, senior managing director of forensic technology and investigations at FTI Consulting. “It has become a core business service channel with critical corporate systems and services now being provided online.”
And criminals are casting their nets further afield. “Directors of, for example, a mid-sized retail or not-for-profit organisation may think there’s no reason for them to be targeted,” says Spencer. “But today’s new hackers are looking for any organisation which holds sensitive information or has the ability to pay a ransom.”
In October, UK internet service provider TalkTalk suffered a “significant and sustained” cyber attack on its website which led to the theft of large amounts of customer data, including personal details, bank account numbers and sort codes. On the day the incident was announced the value of its shares fell by 10.7 per cent.
“A figure like that should make directors sit up and take notice,” says Thomas King, general manager of AusCERT, an independent not-for-profit organisation that is part of the University of Queensland. “Examples like this highlight the need to take cyber security seriously.”
Traditional security systems and processes are no match for emerging threats. “They’re a bit like locks on doors – they can deter an opportunist but they won’t keep someone out if they are determined to get in,” says Spencer. “For example, anti-virus software used to be about 90 per cent effective but, now hackers are tailoring malware to specific organisations and even individuals, the figure is closer to 30 per cent. And a locked door is no protection against someone who is already within the organisation.”
Some internal breaches of security are inadvertent. “For example, employees could overlook a minor difference in the address of an email that appears to come from the chief financial officer instructing them to release funds to a particular bank account,” says Peter Jones, partner at global law firm DLA Piper.
They may also be deliberate. “Boards have always recognised that there’s an internal risk of fraud, theft or misuse of resources,” says Thompson. “The online environment is no different in that both internal and external parties could be involved in exploiting or misusing an organisation’s systems.”
Colin Panagakis GAICD, business development manager at ICSA Boardroom Apps, believes that effective information governance has its roots in the culture of the organisation.
“Everyone in a company plays an important role in protecting information,” he says. “The board should be satisfied that everyone from the top down understands this and that employees are being trained to handle data correctly.”
A broad canvas
For the board, cyber attacks are just one aspect of a much broader governance challenge. “Information governance touches every area of the business,” says Jones. “It’s not just a technology issue, a compliance issue or an HR issue, it is all of those and more.”
From a technical point of view, directors need to know what kinds of data the company holds, where this is held and the legal and regulatory requirements in different jurisdictions.
“They also need to be sure that any third parties are taking appropriate steps to safeguard their data,” says Panagakis. “That means doing thorough due diligence before entering into any agreements and then monitoring the third party’s systems continuously.”
The board must judge whether the IT and corporate strategies are aligned – but appointing a director with specialist IT skills to help navigate the technicalities could be counter-productive.
“We have found that the other directors are inclined to defer to a specialist, which means they don’t ask the difficult questions,” says Spencer. “And a specialist may also avoid asking difficult questions because they have their own reputation to think about. Technology is such a fast-moving sector that their experience could quickly become out of date.”
The board must also walk the fine line between protecting information and exploiting its commercial value. “Security is always going to be a compromise,” says Spencer. “The most effective way to protect information is to lock it away, but it is only of value when you can use it.”
Success lies in bridging the gap between two very different worlds. “The board must be able to understand the technical aspects of protection, but it’s just as important for those charged with protecting the information to understand what is critical to the business,” says Thompson.
Spencer still comes across IT teams who believe their job is to protect an organisation from itself by limiting what people do. “But contemporary information technology is all about facilitation – understanding what the business needs and helping to find the best way to achieve that,” he says.
Many companies are appointing a chief information security officer (CISO) to ensure that all aspects of information governance are aligned. “It’s a trend we’re seeing in larger organisations around the world,” says Thompson.
A dedicated CISO can also be invaluable in a crisis. “When something goes wrong, someone with a technical background might need to make very big calls, such as telling the chief executive officer what to do,” says Spencer.
“We often define our practices so that, in the case of a defined security event, the CISO’s level of authority is escalated significantly so that they can make appropriate decisions. It’s a bit like a terrorist response, where someone in law enforcement on the ground is able to make operational calls far exceeding their normal levels of accountability.”
But not every organisation can afford to employ a dedicated CISO or information security manager. And those that can afford the investment could still find themselves short of resources in a crisis.
“If a cyber incident is complex and serious, it could take a team of experts working 24/7 to manage it,” says King. “One of the services AusCERT offers is the Flying Squad – emergency response specialists who can provide on-site help when and where it’s needed. We work with companies of all sizes, both public and private, when they find they’re short of the skills and experience they need to manage a breach of security.”
Right-sizing a response
Directors who sit on the boards of traditional “honeypot” targets for cyber criminals such as finance and energy companies, or of large organisations that hold significant amounts of data or digital information, are acutely aware of the need for appropriate governance. Others are less sure about the precise nature of the threat, what is required or how to make best use of limited resources.
“I think the Cyber resilience: Health check report released by ASIC is a very helpful guideline,” says Jones. “Rather than taking a threatening ‘shock and awe’ approach, it encourages boards to develop a framework that takes into account the size of the organisation, the market in which it operates, the nature of the information it handles and what it does with that information.
“It also suggests that organisations consider the National Institute of Standards and Technology framework that has come out of the US. This is deliberately very general and high level so that it can fit into existing risk-management processes and allow people to right-size their protection to their risk appetite and their environment.”
An effective incident response plan is critical for every business, whatever its size.
“It can help the organisation to minimise the impact of a cyber event and subsequent harm to itself, its shareholders and other stakeholders,” says King. “An effective plan sets out what will happen if you do have a cyber incident in the same way that business continuity and crisis-management plans help you to prepare for other kinds of threats.
“In developing the plan, factors such as risk appetite, markets, customers and shareholders should all be taken into account. Then, once the plan is in place, it should be rehearsed at least once a year.”
Thompson agrees that a serious potential pitfall is the inclination to “set and forget”. “Information governance should be seen as a continual process of refining and improving the organisation’s security position and finding ways to detect potential or actual breaches as early as possible in order to minimise their impact,” he says.
Top questions to ask the management team
Colin Panagakis: What types of data does the company hold? Where is it kept? Is it encrypted? Are robust access controls in place?
Thomas King: Do we have an appropriate incident response plan in place and, if so, is it regularly updated and tested?
David Thompson: Are we up to date with the emerging technology trends, threats and risks that are likely to impact the organisation? Should we be seeking external expert advice?
Peter Jones: Do we have sufficient resources internally or through external service providers to gauge the evolving cyber-risk environment and do what is necessary to address avoidance, mitigation and recovery?
Greg Spencer: Do we have feedback mechanisms to monitor the information governance framework and practices such as independent external review and audit?