Cyber security is a significant risk that can have a material impact. Boards should proactively ask questions of management, champion education and awareness programs company-wide, and treat risk as a priority. As Cyber security issues increase and become more visible, boards may decide to take an active role in understanding the risks associated with those issues.
What are the key issues to consider?
Cyber security is among the most complex and rapidly evolving issues with which companies must contend. Reports of major breaches of proprietary information and damage to organisational IT infrastructure have become increasingly common in recent years, and developments in mobile technology, cloud computing, and social media continue to alter the IT risk landscape.
At least six US retailers in January were under a massive cyber attack, which employed the same software used in 2013 to steal credit-card data from some 40 million Target Inc. customers.
Such attacks can negatively affect market positioning if the public's confidence in the security of information and access to services is shaken. The CEO of Target subsequently resigned following the cyber attack.
What are the most common types of cyber attacks?
There are numerous categories of cyber attacks including financial fraud, information theft or misuse, activist causes, attempts to render computer systems inoperable, and efforts to disrupt the critical infrastructure of government and its vital services. The perpetrators of cyber attacks can range from individuals or small-scale operations such as insiders, suppliers, and activists, to large-scale efforts perpetrated by criminal networks and foreign governments. Common modes of attack include the introduction of malicious software such as trojans, worms, viruses, and spyware; password phishing; and denial-of-service attacks intended to crash websites.
Each type of attack presents unique challenges and requires a targeted set of prevention activities, not all of which are related to technology.
How should boards respond to cyber security issues?
International and New Zealand Boards are devoting increased attention and resources to responding to cyber security issues.
Whether or not there is a dedicated risk committee on the board, it is important to confirm that there are directors with security, IT governance, and cyber risk knowledge and skills. Given the audit committee's responsibility for risk oversight, it can be advantageous to recruit committee members with cyber security experience so that informed decisions can be made about the sufficiency of the efforts overseen.
A comprehensive cyber security plan requires the appropriate culture and tone at the top, which includes an awareness of the importance of security that extends from the C-suite to the professionals in each function, since breaches can occur at any level and in any department.
The CEO should make it clear that cyber security is a major corporate priority, and should communicate that he or she is fully on board with enforcing compliance with policies and supports efforts to strengthen infrastructure and combat threats.
As recently as five years ago, it was rare for boards of directors to be closely involved in managing cyber security risks, but rapid advancements in technology, coupled with a corresponding increase in the sophistication of cyber criminals and cyber legislation, have made it essential for the board and audit committee to be informed and proactive. New technologies continue to shape the physical and virtual borders of organisations, and organisations must frequently review and quickly adapt policies to address emerging issues.
Cyber security specialists are developing increasingly sophisticated approaches for preventing, detecting, and responding to security breaches, but no single solution can address all the evolving challenges associated with cyber threats. It remains important to apply prudent and adaptable controls to respond to changes in the threat landscape, and to have strong response and resiliency plans in place in the event of an attack.
It is more important than ever that the board and management communicate clearly and effectively on the impact of technology on the business. Many directors, however, are still learning how these sweeping IT trends intersect with their role in the boardroom.