Cyber security has become a critical business continuity issue. There truly are only two types of companies: those that know they have been hacked, and those that do not. The operational, financial and reputational costs of breaches are rising as well. In some cases, CEOs and board members have been forced to resign. Many boards, however, are just waking up to this risk. The following questions can provide a framework for corporate directors as they fulfil their fiduciary responsibilities.
Which assets “must” be protected?
It is critical to risk-rank data assets to identify which ones can make or break an organisation. For instance, the clinical trials data of a pharmaceutical company, call data records of a telecom enterprise and patient care records of a hospital would fall in the high-risk category. How can such crown jewels be protected? The mainstream approach is to identify potential threat-actors and vulnerabilities, implement controls, and finally, thwart attacks by leveraging analytics-enabled threat-monitoring tools.
Which vulnerabilities should we be most worried about?
While it is true that organised criminals are increasingly devising new techniques, most attacks — including those at the largest corporations — are relatively unsophisticated. They succeed because organisations do not take key precautions such as encrypting critical data, implementing timely patches, monitoring access controls, segmenting the network, scheduling data backups and implementing strong password management practices.
How robust is our incident response?
Most companies do not have a comprehensive crisis-response strategy. For instance, an EY-led cyber attack simulation exercise with 79 leading CEOs revealed that many were unsure about how to handle ransom demands from cyber criminals. The most proactive companies conduct periodic “war-games” with the board and top management to ensure that their crisis-response plans are exhaustive and robust.
Cyber vulnerability is at an all-time high. The proliferation of internet-connected devices — many with poor security — along with the explosive growth of data, automation and outsourcing are creating exponentially higher risks. Boards that are informed, engaged and ask the right questions are perhaps the most critical line of defence in strengthening an organisation’s cyber security posture.