Cybercrime is now one of the risks every board must manage. “There hasn’t been a test case in Australia yet but the general view is that, in the future, directors who have failed to take appropriate steps to ensure that sensitive information is properly secured could be held personally liable,” says Leon Fouche, national leader, cybersecurity and partner at BDO.
This means that boards may need to ask management for a new library of information. “Directors must be able to identify the organisation’s critical digital assets – its ‘crown jewels’,” Fouche continues. “They need to know who would be interested in gaining access to these and what methods of attack they might apply. They should feel confident that the security controls in place are appropriate and if for any reason they fall short – because of old legacy systems, for example – that they at least have the ability to detect anything that goes wrong so they can quickly respond to it.”
The board must also agree with management on the organisation’s appetite for risk. “I think it is common knowledge now that you can’t set a risk appetite for no cyberattacks,” says Richard Watson MAICD, EY Oceania cyber leader. “Mature boards recognise that it is impossible to anticipate and prevent every attack. Instead they are focusing on determining what the company can tolerate and what it can’t.”
The board should also know where accountability for cyber protection lies within the organisation. “Historically the chief information officer (CIO) has been regarded as a one-stop shop for all things cyber but this isn’t realistic,” Watson continues. “A CIO can’t be held responsible for people in marketing who click on a link they shouldn’t or people in finance who transfer money in response to a fake email. Cybercrime is no longer just about technology, it’s a whole-of-business issue.”
When cybercrime is on the agenda, many directors find themselves in unfamiliar territory. “I personally believe that every board should have a ‘digital director’ to provide expertise around cyber risks,” says Tessa Court, CEO and a director at IntelligenceBank.
Michael Khoury, partner at Ferrier Hodgson, agrees. “Having at least one director with strong IT credentials will not only ensure that critical security and risk issues are understood at the board level but also that the board has help with organisational matters such as infrastructure expenditure, return on IT investment and business continuity planning.”
Even the least tech-savvy directors are taking steps to be part of the conversation. “Many are adopting our digital meeting application, BoardPad, as a way of familiarising themselves with technology and the digital environment as well as securing their own information,” says Colin Panagakis GAICD, director Asia Pacific at ICSA Boardroom Apps Limited.
A great deal at stake
A successful cyberattack can be cripplingly expensive. For example, UK telco TalkTalk estimated that last year’s breach of its customer data cost the equivalent of $120 million. It also lost more than 100,000 customers as a direct result of the attack. “The time and money needed to investigate and remediate the breach can be just the beginning,” says Court. “Other costs could include legal expenses, additional security test resources and consultants’ fees.”
Some costs may never be identified. “You might not realise that you missed out on, say, an acquisition because a competitor knew exactly what you were prepared to pay,” says Watson.
Reputational damage can also be very costly. “There is usually a negative impact on share prices immediately after the breach,” says Court. “But surprisingly, we’ve seen that, if the incident is handled well and not repeated, consumer trust can be regained and share prices are likely to recover within 12 months. Unfortunately, companies are typically slow to discover intrusions and poorly prepared for managing the communications aspects of a breach. A sound and well-tested public relations strategy is very important.”
However, protection costs money too, and while boards understand that they must budget for continuing investment in cybersecurity, it isn’t easy to settle on just how much they should spend.
“Directors are quite rightly concerned about putting a $10 fence around a $5 horse,” says Watson. “The emerging field of cyber economics could help them to calculate the potential cost of a cyberattack so that they can make a more informed decision.”
A malicious evolution
There are three common motivations for a cyberattack. “An overseas party might threaten to shut down or disable a system if a ransom isn’t paid,” says Watson. “The attack might be an act of terrorism. Or someone with a grudge against the organisation might want to exact revenge by damaging its reputation.”
Whatever their nature, attacks are increasing. “Many organised crime gangs have recognised that the risk/reward equation for cybercrime is generally much more in their favour than, say, robbing a bank or another form of extortion,” says Khoury. “To sweeten the pot, cyber criminals can ‘telecommute’ to their targets, handily avoiding local law enforcement efforts to track them down. And, even if they do get caught, cybercrimes can be difficult to prove and the punishments relatively benign.”
Risk management is complicated by the fact that the threats are continuously evolving. “We’re seeing emergent threats from many varied, independent and disparate vectors,” says Ian Irving, CEO for Australia, Northrop Grumman Corporation. “Cyber criminals, a number of state-based agencies and emerging non-state actors, such as ISIS, have all been the source of recently publicised attacks on western infrastructure and institutions. There is very real potential for these criminal elements and other entities to collaborate and launch even more devastating attacks.”
Attacks are also becoming more sophisticated. For example, the latest “phishing” emails can be very difficult to distinguish from the real thing. Their targets – often directors or executives with a significant public footprint – are also meticulously researched.
Multi-level attacks are also becoming more common. “These include at least one ‘noisy’ attack, such as website denial of service, which aims to distract IT management while a more surreptitious and dangerous attack is underway,” says Khoury. “And backups of critical data are no help if highly sensitive and confidential material has been deliberately exfiltrated in order to hold you to ransom. Organisations could find themselves caught between doing a deal with criminals and facing the consequences of defying their demands.”
At the same time, organisations are more vulnerable because they have more to lose. “Most companies now have all of their intellectual property (IP) digitised and the wealth of the company is typically tied up in that IP,” says Irving.
There are also more possible targets for an attack. “Company information is widely dispersed across the cloud and external suppliers and the ‘Internet of Things’ is also enabling more devices to be connected,” says Panagakis. “This has tremendous potential for increasing efficiency but it also opens up many new exposures.”
Some of these connected devices are fundamental to an organisation’s everyday activities. “The attack on the Ukrainian power grid in January has helped to focus attention on the risks associated with operational technology, such as building management systems in real estate or driverless trains in a mining context,” says Watson. “A lot of these systems were built many years ago without the internet in mind and may well have insufficient security. This is something the board needs to know about.”
The threat inside
Some boards find it hard to believe that the biggest threat to security lies with insiders. “These are not necessarily malicious insiders who deliberately obtain and disclose information,” says Watson. “Most cyber incidents are a result of ignorance or lack of care and attention. Even attacks that start outside the organisation often depend on an insider doing something like clicking on a link or disclosing information that can be used in a phishing-type attack.”
Even something as simple as a weak password can open the door to an attack. “If you try the password ‘password’ against every user there’s a good chance you will eventually get into the system,” says Watson. “There’s also a good chance that, once you are in, you will have free run of the organisation. Many companies overlook the importance of properly configured identity management but, when people are only allowed to see what they need to see, it’s much harder for hackers to gain access to more than a handful of files.”
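The “try ‘password’ against every user” attack Watson describes is a password spray, and it has a recognisable shape in authentication logs: one source, many distinct accounts, only one or two failures each. A brute-force attack against a single account looks like the opposite. The following example is added here to show that distinction as detection logic; it is not code from the article or from any of the firms quoted, and it runs over constructed log lines in an assumed format (ISO timestamp, result, user, source address).

```python
"""Password-spray versus brute-force detection over constructed auth log lines.

Added example (not from the original article). Log format is an assumption:
    <ISO timestamp> <OK|FAIL> user=<name> src=<ip>
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation-range addresses, not a real system).
# 203.0.113.7 sprays one guess across six accounts, then logs in as 'grace'.
# 198.51.100.9 hammers a single account. 192.0.2.44 is a user who mistyped once.
SAMPLE_LOG = """\
2016-05-03T09:00:01 FAIL user=alice src=203.0.113.7
2016-05-03T09:00:02 FAIL user=bob src=203.0.113.7
2016-05-03T09:00:03 FAIL user=carol src=203.0.113.7
2016-05-03T09:00:04 FAIL user=dave src=203.0.113.7
2016-05-03T09:00:05 FAIL user=erin src=203.0.113.7
2016-05-03T09:00:06 FAIL user=frank src=203.0.113.7
2016-05-03T09:00:07 OK user=grace src=203.0.113.7
2016-05-03T09:10:00 FAIL user=alice src=198.51.100.9
2016-05-03T09:10:05 FAIL user=alice src=198.51.100.9
2016-05-03T09:10:10 FAIL user=alice src=198.51.100.9
2016-05-03T09:10:15 FAIL user=alice src=198.51.100.9
2016-05-03T09:10:20 FAIL user=alice src=198.51.100.9
2016-05-03T09:30:00 FAIL user=bob src=192.0.2.44
2016-05-03T09:30:30 OK user=bob src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse(text):
    """Return a list of (timestamp, result, user, src) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def classify_sources(events, window=timedelta(minutes=5), min_users=5, max_per_user=2):
    """Classify each source address as 'password_spray', 'brute_force', or nothing.

    A spray: within one window, at least `min_users` distinct accounts failed and
    no single account failed more than `max_per_user` times. A brute force: the
    same number of failures concentrated on one account. For either, also report
    accounts that subsequently logged in OK from that source, since a success
    after a spray is the signal that a weak password was found.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        fails = sorted(e for e in evs if e[1] == "FAIL")
        for i, (t0, _, _, _) in enumerate(fails):
            in_win = [e for e in fails[i:] if e[0] - t0 <= window]
            per_user = Counter(e[2] for e in in_win)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                kind = "password_spray"
            elif len(per_user) == 1 and sum(per_user.values()) >= min_users:
                kind = "brute_force"
            else:
                continue
            succeeded_after = sorted({e[2] for e in evs if e[1] == "OK" and e[0] >= t0})
            findings[src] = {
                "kind": kind,
                "distinct_users": len(per_user),
                "failures": len(in_win),
                "succeeded_after": succeeded_after,
            }
            break  # first matching window is enough to flag the source
    return findings


if __name__ == "__main__":
    for src, finding in classify_sources(parse(SAMPLE_LOG)).items():
        print(src, finding)
```

The thresholds (five accounts inside five minutes, at most two failures per account) are assumptions to tune against your own baseline of forgotten-password noise. The `succeeded_after` list is the item that matters to the board-level point in the quote: once a sprayed password works, how far the attacker can go depends entirely on whether identity management restricts that account to what it needs.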
Everyone in an organisation who interacts with electronic systems and the internet is a potential point of vulnerability – but individuals can also play an important role in protecting information.
“The board should be satisfied that everyone from the top down understands this and that employees are trained to handle data correctly,” says Panagakis.
Testing staff as well as systems should be intrinsic to the way the company operates. “It is very important for directors to understand that cybersecurity is a behavioural requirement of the whole organisation,” says Irving.
“A little while ago we realised that we needed to improve our overall awareness of cyber issues with our staff. As a large organisation we had the luxury of being able to establish our own cyber academy where we can work with everyone from the chairman to cyber professionals. We have rolled the academy out in North America and we are now bringing it to Australia. We will also offer this as part of our service to our customers because we really believe that knowledge and training are the foundations of a cyber secure organisation.”
Boards must keep track of the protections and responses that are evolving along with the threats. “We’re seeing more widespread use of encryption,” says Panagakis. “A massive amount of metadata is now being collected and stored and companies need to protect that. If criminals manage to access encrypted data, it’s very unlikely that they will be able to decrypt it, so it will be of no use to them.”
The field of security analytics is also starting to attract more attention. “This takes the analytics approaches that have been used for years in marketing and business intelligence and applies them to the challenges of maintaining security.
“A new set of technology defences is becoming available that can baseline the normal performance of a computer network and then flag any exceptions that could be indicative of a threat. For example, if a computer that is normally used for payroll within Australia suddenly starts emailing information to China the system will pick that up and bring it to your attention,” says Watson.
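The approach Watson describes, baselining what a host normally does and flagging departures, can be shown concretely. The example below is added here and is not code from the article or from any vendor it mentions; it runs over constructed per-day outbound flow summaries (host, protocol, destination country, bytes) in an assumed format, learns a baseline from the first seven days, and then flags a payroll host that suddenly sends a large volume to a country it has never contacted.

```python
"""Baseline-and-exception detection over constructed outbound flow summaries.

Added example (not from the original article). Record format is an assumption:
    day=<n> host=<name> proto=<smtp|https|...> dst_country=<CC> bytes=<n>
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

REC_RE = re.compile(
    r"^day=(?P<day>\d+)\s+host=(?P<host>\S+)\s+proto=(?P<proto>\S+)"
    r"\s+dst_country=(?P<country>[A-Z]{2})\s+bytes=(?P<bytes>\d+)$"
)


def constructed_flows():
    """Seven quiet baseline days, then day 8 with a payroll host emailing 45 MB to CN."""
    lines = []
    for day in range(1, 8):
        lines.append(f"day={day} host=payroll-01 proto=smtp dst_country=AU bytes={100000 + 4000 * day}")
        lines.append(f"day={day} host=web-01 proto=https dst_country=US bytes={800000 + 10000 * day}")
    lines += [
        "day=8 host=payroll-01 proto=smtp dst_country=AU bytes=118000",
        "day=8 host=payroll-01 proto=smtp dst_country=CN bytes=45000000",
        "day=8 host=web-01 proto=https dst_country=US bytes=870000",
    ]
    return lines


def parse(lines):
    records = []
    for line in lines:
        m = REC_RE.match(line.strip())
        if m:
            records.append({
                "day": int(m["day"]), "host": m["host"], "proto": m["proto"],
                "country": m["country"], "bytes": int(m["bytes"]),
            })
    return records


def build_baseline(records, last_day):
    """Per (host, proto): the set of countries seen and the mean/stdev of daily bytes."""
    countries = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["day"] > last_day:
            continue
        key = (r["host"], r["proto"])
        countries[key].add(r["country"])
        daily[key][r["day"]] += r["bytes"]
    return {
        key: (countries[key], mean(per_day.values()), pstdev(per_day.values()))
        for key, per_day in daily.items()
    }


def detect(records, baseline, day, k=3.0):
    """Return sorted (host, alert_kind, detail) tuples for `day` against `baseline`."""
    alerts = []
    totals = defaultdict(int)
    for r in records:
        if r["day"] != day:
            continue
        key = (r["host"], r["proto"])
        if key not in baseline:
            alerts.append((r["host"], "new_service", r["proto"]))
            continue
        if r["country"] not in baseline[key][0]:
            alerts.append((r["host"], "new_destination", r["country"]))
        totals[key] += r["bytes"]
    for (host, _proto), total in totals.items():
        _, mu, sd = baseline[(host, _proto)]
        # A flat baseline has sd == 0; floor it so a trivial change does not alert.
        spread = max(sd, 0.05 * mu)
        if total > mu + k * spread:
            alerts.append((host, "volume_spike", str(total)))
    return sorted(alerts)


if __name__ == "__main__":
    recs = parse(constructed_flows())
    for alert in detect(recs, build_baseline(recs, last_day=7), day=8):
        print(alert)
```

Two things a practitioner should note. First, a new destination and a volume spike are independent checks, and the interesting case is when both fire for the same host, as they do for `payroll-01` here. Second, the baseline is only as trustworthy as the period it was learned from; if the attacker was already present during the learning window, their traffic becomes “normal”, so baselines need to be rebuilt from a known-clean period after any incident.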
There are also systems that can capture, monitor and audit electronic information that travels within an organisation. “These can lock down access to critical documents and create a useful audit trail regarding that access,” says Khoury.
“However, there’s a danger that they could also cripple many business processes. Modern organisations rely on flexibility and the quick movement of electronic data so directors could struggle to achieve the right balance between data freedom and data security.”
Cyber insurance is another relatively new weapon in the risk management arsenal. “There has been a great deal of activity in the insurance industry in the last six to 12 months but I think it will be another year or two before cyber insurance becomes a mainstream product,” says Fouche. “There is still a lot of discussion around what can and cannot be insured.”
In the meantime, good brokers are working with their clients to help them understand their cybersecurity risks and select a policy with appropriate cover. Some brokers are also differentiating themselves by undertaking more in-depth cyber risk assessments for their clients and remediation activities to reduce their risk exposures.
“An insurer or underwriter who can see that a company is taking proactive steps to improve their security risk posture may be prepared to consider a lower premium,” says Fouche.
It is vital to check the details of the cover as these can vary widely from insurer to insurer. “We recently did a cyber risk review for an organisation where the senior people were comfortable with the $5 million cyber insurance policy they bought through their broker,” says Fouche.
“When we looked at it closely we found that it specifically excluded ‘any failure or outage in services not under the direct operational control of the Insured’. As this organisation has all of its IT outsourced to a third-party provider, the policy was useless.”
Help and advice
The Australian Government takes cybercrime, cyber espionage and the requirement for cyber resilience seriously.
“A number of years ago the CERT Australia institution was established to provide businesses with advice and support to help them build defences or recover from an attack,” says Irving. “The Federal Government has also recently published its Cyber Security Strategy, which outlines its priorities and approaches relative to the cyber domain, and identifies national science agency CSIRO and its research unit, Data61, as key contributors to Australia’s cyber credentials.”
Associated industry bodies and sector affiliations can be another useful resource. “Mature businesses can share their individual experiences and concerns so that, as an industry group, they can collectively improve their overall awareness and preparedness with regard to cyber threats,” Irving continues.
AusCERT, an independent not-for-profit Computer Emergency Response Team (CERT), which is part of the University of Queensland, offers a low-cost subscription-based service. “We have been helping members to prevent, detect, respond to and mitigate cyber and internet-based attacks since 1993,” says general manager Thomas King. “We provide information and security advice to our members and act as a single point of contact for dealing with cybersecurity incidents that affect or involve them.”
AusCERT’s cyber emergency response teams can work with companies that have suffered an attack to minimise harm to them, their shareholders and other stakeholders. “Some incidents require a team to work on them night and day, sometimes for weeks,” King continues. “Most companies just don’t have those resources.”
AusCERT can also investigate the risk of further compromise. “One of our newer services, the flying squad, helps to coordinate and manage a cyber incident,” says King.
“This has been available to the membership for less than 12 months and we have already helped companies to respond to some of the most serious incidents in the country.”
Taking it seriously
EY’s latest Global Information Security Survey of C-level executives and other information security specialists uncovered some interesting facts about companies’ attitudes to cybersecurity.
Seventy-two per cent of respondents said that they present on cybersecurity to the board or audit committee at least twice a year. However, only 49 per cent considered that information security strategy was aligned with their organisation’s risk appetite and risk tolerance, and just 40 per cent said their organisation had identified its “information crown jewels” and put specific measures in place to protect them.
“We’re fortunate that the Government is on the front foot with cybersecurity but business really needs to get on the front foot as well,” says Irving. “Vigilance and investment are needed to ensure they have established an appropriate posture and that they are doing the right thing by their shareholders.”
A director’s cyber risk checklist
Leon Fouche suggests that boards ask themselves these questions.
Your cyber risk profile
- What are the biggest cyber risks in your industry?
- Who would benefit from having access to your information and systems, and how might they gain that access?
- What business information is currently in the public domain and how could this affect your risk profile?
- How much would it cost to respond to, and recover from, a serious cyber incident?
Your critical digital assets
- What are your “crown jewels” – the information and systems your business needs to keep operating – and where are these located?
- What would happen if your crown jewels were compromised?
- How effectively are your digital assets protected?
- Do you understand the risks associated with information held by your third-party suppliers?
- How well does the board understand cyber risk?
- Do you consider cyber risks during your strategic planning process?
- Do you have mechanisms in place to identify and respond to cyber incidents?
- Are you regularly reviewing and assessing changes in your cyber risk landscape?
- Do you have access to cyberthreat intelligence information or collaborate on sharing threat information?
- Do you have effective cybersecurity awareness training across all levels in your organisation?
- How regularly is your cyber incident response plan tested?
- Have you considered cyber insurance as part of your cyber risk management strategy?
How high-performing boards respond to cyber risk
Tessa Court: They are well prepared for cyber threats – bottom line. They have robust cyber risk frameworks in place, they bring in the appropriate consultants for advice, they are abreast of trends and incidents in their industry and they have an incident management and communications plan for when a data breach occurs.
Colin Panagakis: They confirm that any third parties are taking appropriate steps to safeguard their data. That means doing thorough due diligence before entering into any agreements and then continuously monitoring the third party’s systems.
Leon Fouche: They are regularly briefed on emerging threats within their industry and understand the organisation’s vulnerabilities. They check their levels of protection and have a cyber response plan that they test on a regular basis across all suppliers.
Richard Watson: They understand that this is a whole-of-business risk and not just a technology problem. They ask management to define their current risk posture, and agree on their risk appetite and what needs to be done to uplift security through whole of business and culture.
Ian Irving: They regard cybersecurity as integral to their operations rather than an add-on or an IT issue. They understand that every single transaction needs to be done in a cyber secure manner – and they are not afraid to share information about potential attacks and intrusions so that the whole country can become stronger.
Michael Khoury: They have confidence in the capacity of the CIO and IT managers to address IT security and risk. To confirm that their confidence is not misplaced they undertake a regular external audit of IT security with board-level follow-up of any critical risk issues this identifies.