Time to make cybersecurity a top priority for your board
The recent Optus cyberattack is a reminder for boards that cyber security needs to be top of mind. No organisation or individual is safe from cyberattack, with ransomware attacks becoming increasingly pervasive, imminent and amplified.
The types of cyber threats are multiplying, too, increasing the urgency to strengthen, defend and secure information and sensitive data as the world becomes cloud centric. Boards need to understand that cybersecurity should no longer be left solely to the CIOs, CISOs and IT departments.
Cybersecurity needs constant attention as an organisation-wide concern that demands oversight and direction from the boardroom. These attacks are not just security issues, but reputational damage is often a serious fall-out from a cyberattack.
Risk governance models that have worked well in the past for physical and financial assets are, for the most part, proving inadequate for cyber risk. There needs to be bespoke risk management plans and resources. Failing to anticipate the potential tidal wave of new organisational vulnerabilities by the very nature of digitisation fails best practice governance.
Accordingly, governance in the age of these ransomware attacks must adapt. Every board member must be cyber literate. The considerable cost of up-skilling board members and acquiring the most up to date cyber defence systems might at first look expensive, but the financial, reputational and time cost of any cyber vulnerabilities will end up significantly more expensive.
Dr Ivano Bongiovanni, co-author of the study, argues that 'there’s a misleading perception of cyber security being a purely technical topic and directors weren’t engaged or confident talking about it,' he said.
'Considering the responsibility to oversee cyber risk management in modern organisations lies with their board of directors, an uplift of cyber skills at the board level is necessary.'
Governance Institute of Australia CEO Megan Motto recently told ABC TV’s The Drum: 'Boards need to realise that the new digital landscape is something they have to be prepared for' and that the Optus attack 'should strike fear in the hearts of all directors and senior managers - they need to have digital literacy in the same way that the Enron scandal forced company directors to wake up to financial literacy.'
Ms Motto explained that cyber risk and security must be a top priority for boards: 'Think as a board, what skills do you have around the table? Do you need an upskilling pipeline? Boards should be asking: How much of this is on our agenda and are we prioritising. It’s a critical issue for boards to be facing up to.'
With a cyberattack a case of 'not if, but when', Ms Motto described crisis management and scenario testing as essential: 'Ask, what happens if we have a major security breach?'
This is also an issue for the Federal Government and Governance Institute is hopeful that the government will soon update and expand the 2020 Australian Cyber Security Strategy to fully embrace the evolving and sophisticated cyber challenges Australia faces.
Checklist: Equipping your organisation for dealing with cyber risk
- Prioritise digital skills and cloud migration as a matter of urgency.
- Educate board members on the significant damage a ransomware attack can do to a company.
- Seriously consider significant board renewal to fill the digital skills gap.
- Greater board diversity should strengthen digital literacy as board members with who have been traditionally marginalised based on age, race and skills can create agile thinking.
- Understand the issues and your strengths. As a director, you don’t need to be a tech expert, but you do need to understand enough to ensure you are part of the conversations that matter.
- Understand your insurance in relation to cyber issues.
- Complete a cyber-risk assessment to understand the gaps and create a roadmap to close those gaps.
- This is not a one-and-done exercise. Establish regular assessment intervals, measure what matters, analyse the data and create an improvement plan.
- Take the time needed to establish the structure and expectations of cybersecurity governance.
- Approach cybersecurity from an enterprise lens.
- Understand what data needs to be protected.
- Ask yourself and your board: are the cyber-risks aligned with enterprise risk management?
- Increase organisation wide cybersecurity awareness and training
- Create a ready-to-go cyber incident response team.
- Test your cyber incident response plan.
Want to upskill your digital literacy and learn good governance procedures on data management direct from industry experts?