28 June 2018 by Andrew Beckett, Paul Jackson and Jason Smolanoff
Director engagement is essential to effective cyber security
Cyber security is often an aspect of business operations in which board members find it challenging to stay actively involved and to give meaningful direction to the organisation. This is sometimes due to, or is at least frequently attributed to, the inherently complex nature of modern IT systems (and the equally complex security mechanisms placed around them) being beyond the technical understanding of many board members.
But, as has been emphasised in previous Kroll Global Fraud & Risk Reports, it is more often the human element that leads to cyber crime, fraud and data breaches. This is certainly an area where board members and senior business leaders can and should be playing a truly important role.
It appears from Kroll’s latest Global Fraud & Risk Report survey that organisations are also coming to this realisation: 22% of respondents will be expanding their current use of board engagement to mitigate cyber risk, and nearly half (40%) are planning to launch new initiatives in the next 12 months to engage their boards.
Leading from the top matters. Employees are all too often referred to as the weakest link when in fact they should be regarded as the first line of defence. Direct involvement and example-setting by leadership should never be underestimated in shaping this mindset.
“Direct involvement and example-setting by leadership should never be underestimated”
Trends also show data losses are more often due to existing business processes that are exploited rather than direct attacks on the technology. Spotting gaps that ingenious attackers may utilise requires business acumen and people skills in addition to technical knowledge.
So how can boards become more effectively involved in cyber security risk mitigation efforts? Taking steps to become directly involved in thoroughly reviewing cyber security policies and procedures will go a long way towards demonstrating the importance the board assigns to the subject.
But this is only half the story: if led from the top, testing and validating the effectiveness of these policies can be vital in protecting the cyber security health of an organisation. The following seven discussion points form an effective starting point for boards working on establishing an active role in cyber security risk-mitigation efforts:
Do you understand your existing cyber security policies and procedures? If not, there is a need for these policies and procedures to be rewritten in concise and clear language. These documents are only effective if they are immediately understandable and workable.
Boards must be asking the right questions, and consequently getting the right answers, about the organisation’s cyber security position. If the IT and/or cyber security leadership cannot properly and fully articulate the strategy for delivering information security in a way that can be fully understood at board level, questions need to be asked as to whether the right person is representing the organisation in these matters.
Boards have a duty to their shareholders and other stakeholders to ask detailed and probing questions relating to the organisation’s ability to protect its critical data assets.
In drawing up the policies and procedures, have you involved all the business heads? Cyber security should not be considered as a silo. This is an organisation-wide issue that needs input from leadership across the board, particularly when considering the gaps in business processes that may lead to cyber fraud and business disruption.
Incident response plans need to be tested. No matter how clear and well written the policies and procedures may be, if they are never tested under realistic circumstances, there is no way to determine whether they will work or not.
Cyber crisis table-top exercises (involving leadership) can be the most effective means of identifying, and subsequently remedying, potentially disastrous gaps that would manifest in a real incident.
Any test should involve not just your IT/security team and the points of contact for the executive team and the board, but all those whose expertise you will rely on in the event of an incident – such as legal, investor relations, HR, external technical experts, external counsel and the crisis communications teams, to name but a few.
The effectiveness of cyber security spending should be measured. Boards are often asked to approve large sums for cyber security solutions and hires, but what metrics do they have to measure whether these funds have been well spent? Has consideration been given to engaging independent external specialists to test the cyber security defences in the same way a real hacker would, without the prior knowledge of the cyber security team? Testing under real-life scenarios is the only way to effectively know if your security is working.
In addition to testing, having your cyber security plans, projects, organisation and budgets reviewed by an independent third party should be considered. Companies like Kroll can review an organisation’s current state against the threats we see globally targeting others working in a specific market and geography, discuss whether plans are likely to detect and address the threats, and how resource allocation compares with similar organisations.
Boards need to lead by example. Enhanced cyber security often leads to restrictions and tighter controls on device access and usage. When properly explained, it should be understood that these are for the benefit of organisational security as a whole.
If boards and executives accept these measures and adopt enhanced security controls, rather than requesting exemptions for convenience, this sends a message that security starts at the top and must be adhered to by everyone.
Personalised messages in support of cyber security education programmes can also go a long way to promoting organisation-wide awareness and responsibility.
Consideration should be given to enlisting expert advisors. At the very least, regular board briefings by appropriate and credible cyber security experts are a must.
Many boards nowadays are going one step further to engage this expertise in the form of non-executive board members.
As with any other risk, boards are recognising the steep cost that data losses and cyber attacks are exacting in terms of both shareholder and brand value, not to mention the operational and litigation costs associated with remediation.
By addressing cyber risk in the same way they do other critical organisational risks – for example, by managing the human factor and enlisting specialist support for legal and technical aspects – boards can play a vital role in safeguarding information assets in ways that meet wide-ranging regulatory and stakeholder expectations.