Five ways to prepare a company board for a cyber breach
Five key things that boards need to do to stop their businesses leaking like sieves and potentially going to the wall
The 2015 World Economic Forum meeting at Davos discussed the top 10 global risks, with "data fraud and theft" and "cyber attack" occupying the last two positions. In the separate list of top 10 risks ranked by impact, critical information infrastructure breakdown was in seventh position.
Of all the risks on both lists, only these three technological risks could be said to be affected and managed by corporate boardroom decisions.
Therefore, these three global risks are also the top risks faced by boards. This is a sobering thought, because most boards have little historical regard for IT, and even less for cyber security. Global western economies are fighting their way out of recession and finding the lack of skills investment over the past 10 years has left them with little of the capability they need to address the threat of cyber attackers.
So how do boards wake up and pay attention to a situation where the digital revolution is not just a handy enhancement to their business, but their business lifeblood? There are few, if any, businesses that can operate without IT now – and that does not mean operating ineffectively without it, but not operating at all.
There are five key things boards need to do to stop their businesses leaking like sieves and potentially going to the wall.
1. Get board buy-in
Find someone on the board who understands, appreciates and can explain to the others what the organisation's critical digital assets are. If it is important that board members understand and value critical physical assets, then why not digital assets? If data is not considered to be tangible, then either re-define what "tangible" means for your organisation or respect the fact that intangible can have immense value to you.
2. Test business continuity
You have, or should have, crisis management and/or business continuity plans. If you cannot recall whether you have a crisis management plan, or you have a plan that is regularly tested but you generally do not turn up to the exercises because other business imperatives take precedence, make sure this year is different. Test the plans on a cyber breach scenario. Make it realistic and learn from it. If it does not work first time, make corrections and test it again.
3. Manage supplier access
Look up and down your supply chain. What digital information is shared with whom? Who do you trust to remotely connect to your systems? With every supplier wanting to provide remote support for cost reduction and efficiency reasons, are you aware of all such "service" attempts? Many recent cyber breaches take full advantage of the fact that organisations, either knowingly or ignorantly, allow their suppliers significant remote access to their networks. And if suppliers are happy to extend a helping hand should a breach mean you need to investigate their systems, then it is better to crystallise this offer by requiring it in your contracts with them.
4. Check email policy
Take a long, hard look at what your employees are doing with email and webmail. From senior executives to IT administrators, to payment clerks, to just about anyone – staff and contractors – all are being played like fiddles by social engineering hackers and fraudsters who know they can take as long as they need to garner trust and use it to steal your organisation's data and money. Counter this with a fresh look at email analysis and, more importantly, a review of procedures, reminding yourself to embrace the principle of dual control.
5. Consider cyber insurance
If you have not already done so, give some serious thought to acquiring cyber insurance. Organisations, likely including yours, have massively underspent on cyber security in recent years. On average, only 0.33% of revenue is spent to protect the business equivalent of the Crown Jewels! So while you catch up with improved investment, you need something to plug that "worst-case" data breach cost hole. Cyber insurance cover is a good addition to a healthy IT security policy, and it will provide financial cover for costs your balance sheet would otherwise find hard to bear.