Cybersecurity is a business risk, not an IT problem

A cyber attack on a business is about more than technology. The impact of an attack or incident on a business poses a serious threat of financial loss, business disruption, exposure of critical business information, and compromise to the reputation and brand that can impact customers, employers and the entire supply chain.

An attack can take down a whole organisation and even put lives at risk. And yet, when it comes to implementing controls and taking action toward cyber risk, the finger is often pointed at IT teams and CIOs, despite cyber being a business risk, not an IT problem.

Globally, cybercrime increased by 600 percent in 2020 according to the United Nations, largely because COVID-19 changed work practices and sent phishing attacks rocketing. In 2021, cybercrime is expected to be a $6 trillion business, more profitable than the illicit drug trade.

With an unprecedented acceleration in significant cyber attacks and IT failures in Australia, some with spectacular consequences for business and governments, it is now abundantly clear that cybersecurity is a responsibility and liability for board directors, not just an IT problem.

The board's role is to manage cybersecurity risks

Cyber literacy is essential for all Australian board directors so they have the ability to evaluate cyber attacks and threats. Directors need to be armed with enough information to feel confident that they can apply their knowledge to achieve their fiduciary responsibilities. Being educated about cyber means better understanding the context of the cyber board papers, being able to think ahead to consider possible future consequences (a key requirement of directors), being able to make an informed decision regarding a potential cyber investment, and knowing when to put your money in and when to take it out of a project.

Boards of directors require a diverse set of skills that go beyond the traditional views of finances, risk and compliance. All directors in Australia must now assume responsibility for cyber, and not rely on a few cyber-savvy directors to ask all the questions and endorse all the 'asks' coming from the chief information security officer (CISO), much the same as a regulator would never rely on a handful of board members to consider the accuracy of quarterly financials.

The board's role when it comes to cyber is no different to their role in managing any other risk. They must monitor the performance and compliance and ensure the organisation is detecting, assessing and mitigating risks using appropriate controls. The functions of the board in setting the long-term strategy, resource allocation, and risk appetite are all key to the successful management of any enterprise risk.

Cyber must be managed within the context of a reasonable risk appetite. This appetite, often set by boards, must be endorsed by directors who are well informed of threats and the risk context within which the organisation operates. Cyber is central to both the prosperity and resilience of the organisation.

How boards can gain confidence their organisation is cyber safe

If you are a board member and haven't met your CISO (or equivalent), now is a great time to discover who is managing cyber risk day to day. The CISO also has a role in understanding you, your peers on the board, and the part you play in achieving a cyber-safe organisation. Trust and commitment to each other's priorities are vital to managing risk for your organisation.

The presence of a cyber strategy, and management seeking the board's endorsement of it, is a lead indicator that the organisation is focused on uplifting its security controls and meeting its legal obligations. The organisation needs a strategic road map and plans in place to adequately protect information assets and IT systems, regardless of where and how new threats emerge.

Globally and in Australia, regulators are beginning to use their powers to mandate that boards take responsibility for cyber. This mandate must translate into a board-empowered CEO who can balance the requirements of the CISO and the regulator with the commercial operations and strategic delivery of the organisation's goals.

Boards need to consider when they last received cyber training, and whether cyber is mentioned in the CEO's board updates, including progress on education and awareness for employees. They should also consider whether cyber has been factored into the business strategy and annual report, and whether the board, or the audit and risk committee, is proactively focussed on emerging risks.

While cyber attacks may infiltrate a business through electronic means, their cause and ultimate impact often lie far beyond their technical origins. Cyber attacks have financial, privacy, regulatory, governance, operational and reputational impacts, and the board and its directors are accountable for them.

Claire Pales and Anna Leibel are the authors of The Secure Board, recently released to help board directors to gain the confidence that their organisation is cyber safe.

Business News Australia
