Boards need to step up on cyber security
Boards are rising to the challenges of cyber risk, but still have a way to go when it comes to being prepared and resilient against security threats.
That’s one of the findings of the ASX 100 Cyber Health Check, released in April, to gauge for the first time how ASX 100 boards view and manage their exposure to the rapidly evolving cyber world.
The Health Check reveals that more than two-thirds of directors (68 per cent) consider cyber risks extremely important and 92 per cent of ASX 100 companies include cyber risk in their corporate risk registers, thus allowing these risks to be defined and discussed within the broader organisation.
Worryingly, almost two-thirds of ASX 100 directors say the level of attempted malicious cyber activity against their companies has gone up over the past year, and 80 per cent expect cyber risks to grow in the short-term.
The Health Check also found that the ASX 100 were serious about addressing cyber risks as a whole-of-business concern as opposed to the sole purview of the IT department. Indeed, three-quarters of the companies have implemented ongoing staff training programs in cyber awareness, with the majority of the remainder planning to do so in the next year.
But the Health Check reveals that there’s still more work to be done. For example, almost a third of companies haven’t yet evaluated the cyber resilience of suppliers, customers and other key external parties that connect to them. A similar amount have only a limited understanding of the extent of information shared with third parties, even at board level.
Similarly, Nausicaa Delfas, executive director at the UK’s FCA, told a Financial Information Security Network meeting in Luton, in April that many organisations believed they were getting the basics right when it came to dealing with cyber risks, but the reality was often not the case.
She said the 2016 Verizon Data Breach Investigations Report provided an excellent sanity check after analysing 2,260 data breaches and 64,199 security incidents from 61 countries. It found that 10 vulnerabilities accounted for 85 per cent of successful breaches.
‘The vast majority of vulnerabilities used in these attacks were well known and had fixes available at the time of attack,’ said Delfas. ‘Furthermore, some of these attacks used vulnerabilities for which a fix had been available for over a decade.’
Delfas said the FCA’s work in the financial sector had shown that companies continued to struggle to get the basics right.
‘Schemes such as Cyber Essentials or the 10 Steps to Cyber Security articulate what is considered by UK Government, and the UK Financial Authorities, as the basics of “good cyber hygiene”’, she said.
Delfas also believed non-executive directors (NEDs) also had a role to play in fighting cyber security. They could be used to help to share experiences from other businesses and to ask challenging questions of their board colleagues and of the senior leaders within an organisation.
‘Another development we are seeing is security being taken beyond the boardroom and becoming an investor led conversation,’ she said.
‘We are seeing the emergence of a number of institutional investors now questioning boards as to how they effectively manage this risk, which in turn is driving increased focus in the boardroom.
‘We would encourage investors to ask questions about cyber defences, to use a firm’s cyber maturity as a key indicator of resilience, and to push firms to improve in this space.
‘We have seen how cyber [security] can have an impact on a firm beyond the operational disruption caused, extending into equities pricing, and harming the balance sheet.’