The board of directors of an organisation needs to treat cyber risk as a key business risk, not as an IT back-office issue. Increasing hyper-connectivity and technological growth, including the Internet of Things (IoT), artificial intelligence and remote-work policies, continue to introduce new cyber risks and vulnerabilities, and soon cyber risk will overshadow all other risks facing the organisation.
This is the primary reason why boards need to discuss cyber risk regularly and ensure it is woven into value creation strategies of the organisation.
Cyber risk can crystallise in various forms, such as an attacker cracking an admin password to gain unauthorised access to company systems, or a distributed denial of service attack, where the organisation's servers or network resources are flooded with internet traffic from multiple compromised computer systems or IoT devices with the aim of making them crash or slow down.
Subsequently, the attacker can extort money from the organisation in return for unlocking the company's servers or network resources. A cyber-attack can also be opaque, with the organisation an unknowing victim of an advanced persistent threat (APT): the attacker gains access to the organisation's network and remains undetected, monitoring the network and stealing data and intellectual property.
These are just a few of the forms a cyber-attack can take; unfortunately, cyber-attacks are increasing in number, form, complexity and speed.
The board needs to consider whether its own members have basic knowledge of cyber risk and security. One way board members can broaden their knowledge is through discussion with the organisation's Chief Information Security Officer (CISO).
Therefore, the CISO needs regular access to, and interaction with, the board. This not only acts as a deterrent to other senior staff members who may try to intimidate the CISO into silence in the event of a cyber-attack, but also sends a message to the organisation's staff that information security is of the utmost importance.
The board needs to monitor the maturity of the organisation's cyber risk programme. The board need not impose a particular standard such as NIST, COBIT or ISO 27001 on the company; however, it does need to establish a security standard against which the organisation can be benchmarked. This provides consistency in reporting and can be used to assess the maturity of the cyber risk programme.
The board needs to satisfy itself that there is a CEO-led, cyber-conscious culture in the organisation that values and respects security, and that management has documented reasonable cyber risk policies and instituted cyber incident response plans that are regularly tested and consistent with the organisation's strategy and risk appetite.
Most importantly, boards should ensure that management has resources in place in advance to deal with cyber-attacks, for example by pre-engaging third-party service providers such as forensic investigators, lawyers and cyber insurance providers. In the precarious moments following a cyber-attack, there will be no time to negotiate a contract with a service provider.
Boards may need to change how they think about cyber risk.
While cyber attackers were once thought of as idle individuals tapping away at computers trying to hack systems, attackers have evolved into large-scale criminal enterprises or nation-state actors dedicating time and resources to exploiting and compromising organisations' systems.