It has never been more important for Boards to understand the cyber risks that their organisation faces and their own role in improving enterprise security. Cyber security and cyber risk have become a top issue in all boardrooms. Apart from the financial cost of a cyber-attack, a cyber breach can damage corporate reputation, customer relations, brands, market value and market perception.
It all starts with education and building awareness of the possible threats. Not all Board members can, or are expected to, be cyber security experts; however, the operating environment of today’s businesses leaves every organisation exposed to cyber threats. Board members need to be aware of cyber threats and should know enough to have constructive discussions with the CEO and relevant teams, so that they can be assured that cyber risk is being adequately managed.
Traditional risk registers focused on operational and financial risks; however, over the last decade including cyber risk has become inevitable. The level of preparedness of the company will have a direct impact on its response at the time of a crisis. Organisations should develop, test and implement remedial plans in anticipation of an attack.
NCSC’s (National Cyber Security Centre) 10 Steps to Cyber Security is a great starting point for all Boards:
- Risk management – Take a risk-based approach to securing your data and systems.
- Engagement and training – Collaboratively build security that works for people in your organisation.
- Asset management – Know what data and systems you have and what business need they support.
- Architecture and configuration – Design, build, maintain and manage systems securely.
- Vulnerability management – Keep your systems protected throughout their lifecycle.
- Identity and access management – Control who and what can access your systems and data.
- Data security – Protect data where it is vulnerable.
- Logging and monitoring – Design your systems to be able to detect and investigate incidents.
- Incident management – Plan your response to cyber incidents in advance.
- Supply chain security – Collaborate with your suppliers and partners.
Boards need to maintain their focus on this growing threat, including the risks that arise as a direct consequence of critical infrastructure providers being subject to cyber-attacks that cause outages and disrupt operations.
In essence, cyber security is no longer just one line in the risk register, nor is it just an “IT issue”; it is becoming central to the delivery of our business strategy. Boards need to have this as a standing agenda item in their meetings, not just to be noted, but to be discussed in depth.