Boardroom conversations about cyber security are essential to managing and mitigating cyber risk within any highly regulated, not-for-profit organisation. In this article, GovernWith’s Wes Ward examines why board directors should be educated on the risks of cyber crime and director liability, and asks what cyber questions should be raised at board meetings.
Changing technological landscape
The ever-changing landscape of technology brings a lot of new language to the table, which makes cyber security seem complicated and like one of those technically detailed conversations. It doesn’t have to be. Terms such as cyber and cyber-security are being reported in the news more and more often – as recently as last week, with the NSW Education department being hit by a cyber-attack.
Cyber crime across Australia
The Australian Institute of Criminology has released a report putting the total economic cost of cyber-crime across Australia at $3.5 billion in 2019, including $1.9 billion lost by individual victims.
As the depth and breadth of technology needed to run and work within an organisation increases, along with the ongoing maintenance that technology entails, the risk the IT infrastructure poses to the organisation also escalates.
Board directors must get educated on the risks
As a Board director, you’re empowered to question the risks of any aspect of an organisation, and with that comes the need to educate yourself so you understand those risks and your organisation’s preparedness to respond to them.
It’s also worth noting that the Australian Federal Government is working on new cyber-security standards that include corporate governance, first floated in the 2020 Cyber Security Strategy, which may hold directors personally responsible for cyber-attacks.
Cyber is an equivalent level of risk
Addressing cyber and IT infrastructure risk should be no different to addressing, for example, finance or stakeholder engagement risk.
It’s important that Board directors identify these risks as organisational risks and not just an IT problem, as taking this approach will encourage your peers, stakeholders and employees to take the same approach.
In our research into cyber-security, we found that Techradar recently reported that up to 99 per cent of cyber-attacks require human interaction to execute. This is why it is so important to bring all levels of the organisation along on the cyber and IT infrastructure conversation.
How do you have the conversation?
The CEO is a linchpin in the conversation, bringing information to the board and acting as a leader for the organisation’s attitude to this topic. A great place to start is to have a strategic plan for cyber and IT infrastructure in place for the organisation, and that plan should be a regular part of the Board’s agenda and papers.
What questions should be raised at a board meeting?
The Australian Cyber Security Centre has published a prioritised list of mitigation strategies to assist organisations in protecting their systems, called the Essential Eight.
A great question off the back of those strategies is “how do we stack up?”
It doesn’t have to be that detailed though. The book The Secure Board suggests a simpler set of questions.
Great cyber security questions to ask at board meetings
- Do we know who has access to our critical information assets and how is this monitored and managed?
- What happens in the event a key supplier is compromised?
- In our security team, how many people are focussed on the security of technology, and how many are focussed on the behaviours of our people?
- Are we doing everything we can for our customers to protect their data that we hold?
Start a cyber risk conversation
The most important thing, though, is that the cyber and IT infrastructure conversation at the Board room level starts straight away, before an incident occurs.
Acceptance of these risks as organisational risks needs to be guided from the top, to then filter down through the whole organisation.
This article takes inspiration from Anna and Claire’s book, The Secure Board, which is a fantastic starting point for assuring that your board is addressing and understanding the cyber risk in your organisation. This article was written by GovernWith’s Wes Ward and was first published on GovernWith’s website.