1. They understand risk areas and know what needs to be protected
According to the 2016 BDO/AusCERT Cyber Security Survey, only 52 per cent of organisations are performing regular assessments, indicating a low maturity across the board for a risk-based approach to cyber security.
Cyber-savvy organisations and their boards differ by having a good understanding of global cyber security trends, the emerging threats and vulnerabilities in their industry and sector, and how these may impact their organisation.
These organisations also know what needs protection: the systems and information so critical to the organisation that it would cause serious reputational, operational and financial disruption and loss if breached.
Leon Fouche, BDO Australia’s National Leader on Cyber Security recommends that boards follow Telstra’s “five- knowns of security” model when wanting to identify what is truly critical to their business. “Know the value of your data and assets, where the data is located, who has access to that information, who is responsible for protecting it and how well it is protected.”
2. They are prepared to respond with a well-tested incident response plan
Less than half of organisations surveyed by BDO and AusCERT indicated that their organisations had a cyber incident response plan, and far fewer revealed that they had dedicated staff and resources to investigate and respond to incidents.
The most prepared organisations have a tried-and-tested incident response plan that extends beyond the technical response required to detect, deter and resolve security incident. An effective plan will also include communication and messaging tailored for a range of stakeholders and must also include the organisation’s staff as a critical component of the plan’s success.
This plan should be regularly tested and validated, and should include involvement from the board and management.
“It is important for organisations and boards not just to [test the cyber incident response plan] as a once off activity,” Fouche explains. “They should perform regular tests through cyber simulations to ensure that there is involvement across the organisation so that everyone knows what to do or who to contact when experiencing a cyber event.”
3. They have investigated cyber insurance options
Organisations are starting to invest in cyber insurance as a risk transfer mechanism as part of their overall risk management strategy.
BDO and AusCERT found that only 27.8 per cent of organisations in Australia and New Zealand have cyber insurance in place and 9.4 per cent believe they do not need it and self-insure.
While the Australian cyber insurance market is relatively immature, boards are encouraged to consider the type and cover of cyber insurance that fits their business. This begins with first identifying your organisation’s cyber risks and gaps, determining the value of your data and information systems and the impact a breach will have on your organisation.
This will identify your organisation’s cyber risk exposure. The next step is then to determine if your current insurance policies are providing adequate cover for this exposure, and if not, investigate purchasing tailored cyber insurance policies to meet your specific cyber risk exposure.
“It is important that cyber insurance as a policy is not looked at in isolation,” Fouche says. “The board needs to look at all of their insurance policies and cover, including looking at existing policies such as liability and business interruption to assess whether their policy portfolio provides the required cover to manage their cyber exposure.”
4. They have buy-in from the board
The board’s input is critical to building a cyber-secure organisation. The board should have a strong understanding of threats, oversight over the organisation’s assets and cyber incident response capabilities, and should ensure whole-of-organisation awareness and education is a priority. Most importantly, it should approach cyber risk in the same way that it would manage more traditional risks.
Worryingly, only 50 per cent of organisations surveyed by BDO and AusCERT said that they have established regular cybersecurity risk reporting to their boards and executives.
Directors have a responsibility to ensure the safety of the organisation, appropriate investment in securing its critical assets and protecting its people.
“Cyber risk stops with the board,” says Fouche.
Leon Fouche is BDO Australia’s National Leader on Cyber Security and has more than 20 years’ experience as a cyber security and technology risk specialist.
The 2017 BDO and AusCERT Cyber Security Survey is now open. By taking part you will gain direct access to the survey report in November. This contains valuable data allowing you to compare your business’ current cyber security efforts with trends in your industry sector. Please click here to participate in the 15 minute survey.
Read the results of BDO and AusCERT’s 2016 Cyber Security Survey here.
Read BDO’s Setting the tone from the top: The role of the board in cyber security here.