Why cyber security must rise on the Board and executive agenda
Cyber security is a more pressing challenge than ever: with greater digitization on the horizon, nonprofits as well as corporates need to increase their capabilities in this area – and quickly. Very few organizations know their network, environment or organization well enough to secure it from outside threats.
The need for Boardroom leadership and oversight of cyber security has also increased sharply. This is especially true given an increased complexity in identifying, managing and responding to cyber attacks in a globally connected economy – when information and vulnerabilities change so frequently, reports should reach the Board in a timely manner.
What's more, defending against a cyber attack is far more complex and expensive than carrying out an attack or intrusion: the defender must protect every asset, while the attacker needs only one way in. Organizations must confront this asymmetry by identifying their critical assets and prioritizing their defense.
Even with such a great challenge knocking at the door, many Boardrooms are still not proactive on this issue and reflect an inadequate level of preparedness. Cyber security must rise on the executive agenda if we are to have any chance of keeping valuable assets from prying eyes.
Beyond ‘Hope and Prayer’: The reality of cyber risk in the Internet-Age
In a report produced by Symantec, an IT and security company, 430 million new and unique pieces of malware were discovered in 2015. By itself, this is unremarkable; but understanding that this malware contributed to the loss or theft of over 500 million personal records should give you pause.
A similar report by Telstra, a telecommunications company, found that ransomware was the number one type of malware downloaded in the Asia Pacific region, with 60 percent of Australian organizations stating that they experienced at least one ransomware incident in the last 12 months.
Of the organizations who experienced a ransomware incident, 57 percent were said to have paid the ransom.
This rising tide of global malware has been accelerated by cloud, mobile and applications-based computing, e-payment systems and the increased interconnection of technology devices.
Other notable statistics from the Symantec report:
"Cyber risk can be thought of as any risk resulting in financial loss, disruption or damage to the reputation of an organisation from a failure of its information technology systems." – The Institute of Risk Management
The responsibility for cyber security governance falls on all industries and sectors. In our own research at Conscious Governance, a sharp dip in our survey data suggests that many nonprofits are not adequately prepared to face this reality.
This gap in preparation was again evidenced in a 2016 report by IT security company Sophos, which surveyed IT decision makers across multiple industries and countries. It found respondents in the healthcare sector were the most underprepared, with the lowest rates of data encryption of any sector surveyed. Poor data encryption, amongst other variables, makes critical information an easier target for hackers.
High-value information in the healthcare sector – medical records, donor information, client financial records, confidential emails etc. – combined with weak data protection processes proved to be a tempting combination for outside attackers.
Rates of sector data encryption. Graphic via Sophos
However, the barrage of attacks seen in the healthcare sector — technology company IBM went so far as to crown 2015 “the year of the healthcare breach” — could happen to any data-rich sector or organization which hasn’t addressed cyber protection and does not invest in a culture of security awareness.
Despite the vast difference in resources when compared with corporates, not-for-profits should be taking measures to ensure data security is a priority. In the event of a data breach, the reputational damage alone, and its effect on the ability to raise funds in the future, could create an existential risk.
In Australia, it has been estimated that 59 percent of organizations detect a business-interrupting security breach in an average month, more than twice the rate reported as recently as two years earlier.
Cyber Priority vs Preparedness: The yawning gap
The expectation of cyber security oversight and leadership in the Boardroom has never been more pressing, but a shift in mindset still needs to occur before the issue comes into full focus.
A survey of over 5,000 directors reported in the Harvard Business Review offers a glimpse of the mental barriers that still exist when addressing cyber security.
Only 38 percent of directors reported having a high level of concern about cyber security risks, and an even smaller proportion said they were prepared to handle these risks.
Despite mounting pressure, many boards lack the processes and the expertise they need to detect, evaluate, and mitigate cyber threats.
Starting the conversation: cyber security in the Boardroom
Nonprofits, as well as corporates, have a responsibility to demonstrate they are upholding their fiduciary duty to protect information, privacy and data integrity.
With no ‘silver-bullet’ approach to call upon, Boards are required to take an enterprise-wide approach to identifying, detecting, responding to and recovering from cyber attacks.
In recent years, one thing has become abundantly clear: cyber security is no longer just an IT issue, and it is more than a risk management priority.
Meeting this challenge requires dynamic coordination across all organizational departments (finance, accounts, human resources, IT and procurement), strategic oversight from the Board, culture and awareness programs, and a dedicated chain of management.
With traditional defenses being outstripped by the pace and complexity of cyber attacks, data security and privacy must become a top priority in the Boardroom.
Security awareness should also enter the conversation at the management level, and staff members should be given more training to enable them to detect and manage incoming threats. Knowing that an attack can come just as easily from across the world as from across the hall should encourage a holistic approach to cyber security.
In facing this new cyber threat, the new refrain from the Board should be loud and clear: ‘When are we going to be attacked and how will we respond?’