A cyber attack on a business is about more than technology. The impact of an attack or incident on a business poses a serious threat of financial loss, business disruption, exposure of critical business information, and compromise to the reputation and brand that can impact customers, employers and the entire supply chain.
An attack can take down a whole organisation and even put lives at risk. And yet, when it comes to implementing controls and taking action toward cyber risk, the finger is often pointed at IT teams and CIOs, despite cyber being a business risk, not an IT problem.
Globally, cybercrime increased by 600 percent in 2020 according to the United Nations, largely due to COVID-19 changing work practices and rocketing phishing attacks. In 2021, cyber is expected to be a $6 trillion business, more profitable than the illicit drug trade.
With an unprecedented acceleration in significant cyber attacks and IT failures in Australia, some with spectacular consequences for business and governments, it is now abundantly clear that cybersecurity is a responsibility and liability for board directors, not just an IT problem.
The board's role is to manage cybersecurity risks
Cyber literacy is essential for all Australian board directors so they have the ability to evaluate cyber attacks and threats. Directors need to be armed with enough information to feel confident that they can apply their knowledge to achieve their fiduciary responsibilities. Being educated about cyber means better understanding the context of the cyber board papers, being able to think ahead to consider possible future consequences (a key requirement of directors), being able to make an informed decision regarding a potential cyber investment, and knowing when to put your money in and when to take it out of a project.
Boards of directors require a diverse set of skills that go beyond the traditional views of finances, risk and compliance. All directors in Australia must now assume responsibility for cyber, and not rely on a few cyber-savvy directors to ask all the questions and endorse all the 'asks' coming from the chief information security officer (CISO), much the same as a regulator would never rely on a handful of board members to consider the accuracy of quarterly financials.
The board's role when it comes to cyber is no different from its role in managing any other risk. It must monitor performance and compliance and ensure the organisation is detecting, assessing and mitigating risks using appropriate controls. The functions of the board in setting the long-term strategy, resource allocation, and risk appetite are all key to the successful management of any enterprise risk.
Cyber must be managed within the context of a reasonable risk appetite. This appetite, often set by boards, must be endorsed by directors who are well informed of threats and the risk context within which the organisation operates. Cyber is central to both the prosperity and resilience of the organisation.
How boards can gain confidence their organisation is cyber safe
If you are a board member and haven't met your CISO (or equivalent), now is a great time to discover who is managing cyber risk, day to day. They also have a role to understand you, your peers on the board, and the role you play in achieving a cyber-safe organisation. The trust and commitment to each other's priorities is vital to managing risk for your organisation.
The presence of a cyber strategy and the seeking of board endorsement is a lead indicator that the organisation has a focus on uplifting the security controls and meeting their legal obligations. The organisation needs to have a strategic road map and plans in place to adequately protect information assets and IT systems, regardless of where and how new threats emerge.
Globally and in Australia, regulators are beginning to use their powers to mandate that boards take responsibility for cyber. This mandate must translate into a board-empowered CEO who can balance the requirements of the CISO and the regulator with the commercial operations and strategic delivery of the organisation's goals.
Boards need to consider when they last received cyber training and whether cyber is mentioned in the CEO's board updates, including progress relating to education and awareness for employees. They should also consider whether cyber has been factored into the business strategy and annual report, and whether the board, or the audit and risk committee, is proactively focussed on emerging risks.
While cyber attacks may infiltrate a business through electronic means, their cause and ultimate impact often lie far beyond their technical origins. There are financial, privacy, regulatory, governance, operational, and reputational impacts from cyber attacks and the board and directors are accountable.
Claire Pales and Anna Leibel are the authors of The Secure Board, recently released to help board directors to gain the confidence that their organisation is cyber safe.