Given its strategic, operational, financial and compliance implications, cyber security is now firmly a boardroom agenda. Regulators across the world are demanding better security oversight from directors, who are finding themselves the targets of class-action lawsuits and penalties after major breaches. The following questions can serve as a good starting point for directors wanting to play a more active role in cyber governance and to fulfil their fiduciary duties:
What is our cybersecurity strategy?
Most organisations do not have a documented cybersecurity strategy. As such, security efforts and investments focus on network protection and spot fixes. A clear strategy, on the other hand, articulates the organisation’s risk appetite along with the identification of the data assets and processes which “must” be secured. These “crown jewels”, for instance, could be clinical-trials data for a pharmaceutical company, a securities-trading algorithm for a brokerage firm, or a customer portal for an e-commerce company.
Strategic business decisions should take into account cybersecurity considerations. For instance, should the information and operational systems of an acquired company be integrated with the parent company, or be “compartmentalised” to minimise vulnerabilities? Should employees be allowed to conduct business transactions from their personal mobile devices to increase productivity? How tightly should a company’s systems be integrated with those of its value-chain? Such decisions have a direct implication on an organisation’s cyber strategy.
Is our cybersecurity keeping pace with our digital transformation?
As organisations embark on a digital transformation journey, they are also expanding their cyberattack surface. For instance, over 500,000 internet-connected pacemakers were recalled in the US after it was discovered that hackers could take control of their pacing or run down their batteries.
In order to manage such digital risks, leading organisations are adopting a DevSecOps approach, which builds the remediation of security vulnerabilities into the application development lifecycle from the design stage onwards, rather than bolting it on after release.
How proactive are our cyber defences?
A large multinational bank was under attack for over nine months. The bank’s security operations centre was unable to detect the breach. To address the issue, the bank used deception technology – deploying decoy engagement servers to impersonate and mimic the bank’s vulnerable setup. Within minutes, zero-day malware was spotted hitting the decoys. This enabled the bank to identify the sources, methods and intent of the attackers and secure itself accordingly.
Organisations need to be proactive in such threat-hunting. Coupled with timely and actionable intelligence, this can help organisations strengthen their cyber defences, especially when the attack vectors are not known to their existing security solutions.
How robust is our incident response plan?
A practical cybersecurity strategy acknowledges that some attacks will breach the company’s defences. While most organisations have a crisis-response plan, few demonstrate implementation-readiness. EY, for instance, conducted a cyber-attack simulation exercise with 79 leading CEOs. The executives were asked how they would react when informed that their customer data had been compromised. The responses ranged from contacting the chief operating officer to the legal counsel to the corporate communications officer. When asked how they would respond to situations involving ransom demands, most executives did not have a concrete plan. Leading companies regularly conduct cyber war games to test the effectiveness of their crisis-response plans and are clear about how they will respond to different types of incidents.
Does our organisation have the right resources, processes and culture to drive cyber resilience?
It is critical to appoint and enable – with adequate budgets and resources – a seasoned executive who can be held responsible for the company’s cybersecurity. This individual should regularly brief the board on emerging threats and adjust organisational controls accordingly.
Since the majority of breaches involve malicious or negligent insiders, including employees and business partners, it is critical that users’ access to data is limited to their assigned privileges. In this regard, implementing cybersecurity awareness programmes that educate employees about their responsibilities, along with the consequences of non-compliance, is critical.
As corporate directors review their companies’ cyber risks, they would do well to adopt a “zero-trust” approach by constructively challenging their management’s assurances around cybersecurity preparedness. Indeed, boards that ask the right questions can perhaps serve as the most critical line of defence in enhancing an organisation’s cyber resilience.
The author is EY’s global risk transformation leader and heads the firm’s risk practice in India