
Managing cybersecurity governance

  • Cybercriminals are increasingly finding ways to manipulate human trust in order to bypass the security protocols they can’t overcome via technical means alone.
  • While board members set the tone for the rest of the organisation, cybersecurity training should extend to employees.
  • An understanding that it’s impossible to stop all incidents will enable an organisation to shift its focus from planning for failure to learning from and reacting to failure.

Boards and management need to keep a razor-sharp eye on cybersecurity as cybercriminals become increasingly sophisticated and find new ways to scam organisations.

For organisations, the risks are not just costly. According to the Telstra Security Report 2018, cyber attacks in 2017 also resulted in the loss of intellectual property, dented share prices and customer confidence, increased the threat of litigation and caused businesses public embarrassment.

Worryingly, established security threats, such as ransomware, are still growing quickly. US cybersecurity company Carbon Black put the growth rate of the underground ransomware economy at 2,500 per cent in 2017.

As Telstra notes in its security report, this type of threat is supported by the growth of underground markets operating on the dark web, with the ubiquity of cryptocurrencies, such as bitcoin, allowing buyers and sellers to transact almost anonymously.

Furthermore, new threats keep appearing on the horizon. There’s been a rise in attacks aimed at destroying infrastructure and in crypto-jacking, which is using someone’s computer without their knowledge to mine cryptocurrency.

Of great concern as well, is how business email compromise (BEC) and other cyber tactics, such as targeted phishing emails, are increasingly being combined with social engineering as cybercriminals seek ways to manipulate human trust in order to bypass the security protocols they can’t overcome via technical means alone.

In one example of BEC, cybercriminals posed as the CEO and chief operating officer (COO) of a large business, the Australian Cyber Security Centre reported. They sent a fake email, purporting to be from the CEO who was travelling at the time, requesting that the financial controller make a substantial payment. The same financial controller received a second email, which was allegedly from the COO, containing a false email trail approving the CEO’s request for payment.

Not realising the request was a scam, the business made two payments to the cybercriminals’ overseas bank accounts, together totalling around US$500,000.

According to a 2017 study by Ponemon and IBM, the average total cost of a data breach to Australian organisations is $2.51 million. This study also confirms how attacks can go undetected for long periods of time, finding that the average time to identify a data breach globally is 191 days and 66 days to contain it.

Given these developments — and the fact that Australian organisations now have to notify the Australian Information Commissioner and affected individuals when they experience a data breach — cybersecurity should be on every governance professional’s agenda.

That said, research commissioned by Nasdaq and Tanium in 2016 identified an ‘accountability gap’ or a dissonance between many organisations’ awareness and readiness for cybersecurity challenges, and where they ought to be.

Given the many findings of our research and our experiences at Nasdaq, here are some tips to help your organisation close that gap.

Foster awareness and knowledge

Cyber awareness begins with the board, and there are several steps directors can take to enhance their understanding of cyber risks.

Directors should coordinate with in-house or external teams to facilitate detailed briefings on cybersecurity as well as regular presentations to update the board on new vulnerabilities and solutions.

A board should also establish a standard set of metrics and a scorecard for easy month-over-month and year-over-year benchmarking so that the directors can assess the organisation’s progress in mitigating cyber risks.

While board members set the tone for the rest of the organisation, cybersecurity training should extend to employees. Staffers should not only be regularly trained on cybersecurity but also tested on the effectiveness of this training — for example, to see whether they click on fraudulent links that appear in emails and how they report suspicious emails to management.

Directors and management are essential in creating a culture where it’s safe for staff to question any emails or payment requests that look suspicious. Staffers should be encouraged not to rely strictly on email and to actively verify emails or changes in payment details by picking up the phone or walking into a manager’s office, no matter how senior he or she is.

Furthermore, it is imperative that boards work collaboratively with governments, non-government organisations and industry bodies to understand the latest security risks to the industry and ways to mitigate the threats.

Fortify your defences

While boards aim to be vigilant and ready for a cyber attack, directors must recognise that it’s impossible to stop all incidents. This understanding will enable an organisation to shift its focus from planning for failure to learning from and reacting to failure.

It’s essential that a company’s IT team completes a thorough cyber risk assessment of the organisation and then communicates the most critical risks to the board, including how long it took to detect a security issue, the best way to respond to it and how to successfully patch the vulnerability.

This assessment should be followed by an internal or third-party review — and a subsequent report to the board — on how effective a company’s current cybersecurity tools are in mitigating risks and identifying the gaps.

It’s essential to have effective incident response and business continuity plans in place in the event of a cyber attack. Telstra’s research indicates that businesses that have actively tested incident response plans are in the best position to reduce the time between when a breach happens and its subsequent remediation.


There are a few proactive steps the board and management can employ to increase online security for employees and the organisation. Strict corporate password policies with frequent password changes and the inability to reuse previous passwords are fast becoming the norm, as is implementing multi-factor authentication for corporate email and corporate network access. A company’s IT experts also need to review the updated Australian Government Information Security Manual (ISM), a source of cybersecurity advice to businesses.

Directors should consider using a board portal to protect boardroom data. A board portal, like Nasdaq Boardvantage, endeavours to protect confidential documents, automates the dissemination of sensitive material, purges records centrally, and provides a sharing mechanism which enables users to exchange comments and messages in a protected manner.

By investing in real-time analytics capabilities and artificial intelligence to help identify the so-called ‘unknown unknowns’, an organisation improves its cyber defence posture. As Telstra notes in its report, some threats are increasingly difficult to detect through conventional means, so new technologies may assist in locating malicious breaches.

Most importantly, it is imperative that board members learn how to ask the right questions on cybersecurity, in the same way they do for financial concerns. Based on our research with Tanium, here are some questions the board may find useful:

  • What is the company’s level of cyber risk and what sources and types of sensitive data inform this assessment?
  • Has the company created a baseline cyber risk assessment, and is there an ongoing process to map improvement over time?
  • Is there a cyber breach response plan or crisis management plan?
  • What information will be shared with the board regarding cyber risk — is there a regular process to review status with the CIO at a board committee level?
  • Should we appoint a lead director within the audit committee, formally expand the charter of the audit committee to include cyber risk, or is our cyber risk deemed high enough to create a separate, standing cyber risk committee?
  • What is the cost of cyber risk management in comparison to the cost of a data breach — have we looked at breaches in our industry to understand what the all-in costs of a breach are?
  • Should the company consider a cybersecurity insurance policy or other new classes of security technology to mitigate risk and costs?

Finally, remember that cybercriminals are only getting better at what they do. Cybersecurity is not a set-and-forget issue; it has to be continuously reviewed and always on the board’s agenda.

Guy Gilead can be contacted on (03) 9666 1001 or 0402 923 853 or by email at guy.gilead@nasdaq.com.

Material published in Governance Directions is copyright and may not be reproduced without permission. The views expressed therein are those of the author and not of Governance Institute of Australia. All views and opinions are provided as general commentary only.
