Cybersecurity / IT Risk Management is (or should be) on the agenda of boards. Information Technology is ranked by many as a top 10 risk, but does your board treat it accordingly?
Working on and with Boards of Directors, I understand that the agenda is pretty full on, despite Zoom decreasing the actual meeting times. Since the start of the Covid pandemic, many issues have required more attention, and matters of urgency are always arising.
IT Risk Management is an issue for the whole organisation, from a single sole trader to a large multinational. Security is costly, there is no question about that, but the board and organisation have to balance the cost of security prevention/detection against the cost of recovery. Management and boards need to decide how to manage the tensions between usability, security, and cost, and that is very much where we need the board challenging and testing processes.
Regulated industries (e.g. banks, financial services, transportation such as airlines, and public sector organisations) rank Information Technology risk and cybersecurity in higher risk categories than non-regulated ones. Many organisations, in general, do not consider themselves targets of cyber risks, but everyone is a potential target. Retailers and manufacturing companies have become aware of the vulnerabilities that IT brings to an organisation: yes, it is a beneficial aid, but IT has weaknesses. Companies now realise how vulnerable they are in the digital environment where most of their business and employee interactions are conducted, particularly when many are working from home and away from the centralised protection a head office function can provide.
The board of directors and the management team need to engage in a critical conversation on IT. The board’s responsibility is to make sure that the executive team is prepared, has a plan, that the plan has been real-world tested, and that it is preparing the whole organisation for the eventuality of an incident.
The question is not whether the attack is going to happen and how to prevent it. The real questions are, when it comes:
- Is the organisation prepared to detect it?
- Is it prepared to stop it?
- Can it mitigate the effects and get back to normal operations as quickly as possible?
What should a board do when an incident happens?
This is where the real-world tests pay dividends. In sport, many players spend time practising against others, testing their skills and reactions to events. Similarly in business, scenario testing is critical – Plan – Act – Test – Do – Repeat in incident management scenario testing.
Organisations that have tested their Business Continuity Plans / Disaster Recovery, Incident Management and Security Policies have a better fighting chance to recover quickly, with less impact, and keep going than those that just do paper exercises.
From a board director perspective – how do I best understand how well my organisation is prepared for an IT incident – a Cyber Attack?
From my perspective, I would inspect your Business Impact Assessment. This is a document contained within your Business Continuity Plan that identifies the critical areas of a business, the maximum downtime permitted, and the $$ / €€ cost (per hour / day) to the business; we ultimately look at the bottom line as a clear indication of preparedness. For an impact assessment, consider:
- Which processes or functions within the organisation are most at risk?
- Document these in terms of criticality – in hours of downtime impact.
- What is the maximum time that you can be without these functions?
- What is the cost to the business (from your P&L) for a function to be down for the period(s) identified?
Many companies turn to what is called a maturity-based approach, using outside benchmarks to assess their controls’ relative level of maturity. While that is better than not managing cybersecurity at all, sometimes it leads to the wrong incentive to simply invest in more controls.
Questions to ask the management team from a board perspective
- Which assets or parts of the organisation do the cybersecurity team and the leadership team focus their attention on?
- Has the management team identified what is critical and needs to be protected?
- Have they identified employee groups that are particularly vulnerable, such as field service agents or customer service representatives?
- Do they know how many people have privileged user rights?
- When was the last penetration test carried out? What did it reveal?
- What recommendations have been taken forward?
For the Board
Boards need to identify their own internal capabilities and where the knowledge gaps are.
- Does your board have a person(s) with practical IT Knowledge?
Communication is essential. There needs to be a single version of the truth, so everybody both within and beyond the organisation understands how the incident is being handled. The board has a crucial role there in supporting the executive team. Typically in our processes, the CEO is the linchpin for all activities, with practical, hands-on duties allocated to knowledgeable team members.
Boards need to ask the right questions around how those duties are to be performed, how risks are being mitigated, and the communication protocols between all parties.
Incident response will go badly if it is just left to the CEO in smaller organisations, or to the IT Manager/CIO and the IT function. They have a critical role in resolving the incident, but the consequences go beyond the immediate damage. There will be reputational, legal, and operational issues. Senior management and the Board of Directors need to come together in a unified approach to the incident. Let those who know the technical aspects do their job, but support them in whatever they require to mitigate the issue and keep the organisation functioning.
It’s teamwork and practice. This is about practice, lessons learned and repeat until you are competent, and ensuring all the steps are written down. When people are not used to working together, establishing trust during a crisis is extremely difficult. Finger-pointing starts, and people fight each other instead of the enemy attacking them from outside.
Crime as a Service
There is a change of business model amongst the hackers doing these attacks. You can buy cybercrime as a service: either do it yourself or hire others to perform this function. As with most functions of the internet, vulnerabilities in systems are easily shared amongst criminal groups. The more experienced groups benefit financially by exchanging their experience for a cut of the profits from the ransomware or the sale of stolen data.
Ransomware is the means by which your infrastructure (computers) or data are locked, and the company is required to pay a ransom to regain access to them.
The second downside is that YOUR data may be stolen while the ransomware is active; even if the ransom is paid, this data is a secondary source of profit when it is sold on to others.
The third downside is that ransomware thieves may target you again if you do not fix the means by which they originally got into the system or purge their control of it.
The initial attack may be only the first wave of your problems.
Ransomware can not only affect the availability of your systems but also result in the release of sensitive data.
Cloud Internet Services
The shift to the cloud poses a whole new set of risks. The cloud is a great opportunity for all organisations, in particular to move away from legacy equipment, but security still remains with the organisation.
The infrastructure and security resources of the large-scale cloud providers are much more secure than what most companies can implement in their own systems and platforms; however, it is naive to believe that the cloud service provider will take care of all your security needs. On the contrary: there has been a massive increase in breaches of cloud-hosted applications for lack of proper configuration. Your IT department needs to acquire a new set of engineering skills to manage cloud environments.
There is a massive acceleration in digitisation as companies have moved their operations to the cloud and granted remote access to employees. The recent Covid year has seen many knee-jerk reactions to cybersecurity, and now is the time to reflect on and review those cybersecurity implications.
On the other hand, those who have spent the past couple of years preparing—identifying their critical assets and processes, testing the procedures with employees, putting in place emergency plans and fallback scenarios—are seeing those investments pay off.
It’s very important that the board understands that, however secure cloud service providers may be, the company still holds a great deal of the risk. There have been very large-scale breaches as a result of people simply not understanding how the cloud works, its configuration, security settings and data management.
IT Risk Management
IT Risk Management is not just for the CEO; it is for all: CEO, management team, staff, board and all stakeholders of an organisation. We all make up the team.
- There needs to be awareness of the risks: a sense of urgency that these risks do occur and are an existential threat to the organisation.
- Identification of the critical assets and processes. This starts with the Asset Register and Governance. What procedures are in place in case of an incident?
It is important during this phase to balance the controls and red tape you put in place so it does not stifle internal innovation, which can give cybersecurity efforts a poor reputation. That’s why these initiatives should be led by people with a business mindset, not just a control or technology mindset.
Building capabilities. All staff should ask about your supply chain’s security: what does the next team in your chain do to manage their IT risks?
Many of the recent IT breaches come in via trusted third-party vendors; SolarWinds was only the most recent example, but the list is long at this stage.
When cybersecurity becomes a joint capability, the whole organisation becomes more cyber resilient.
We live in an environment of scarce resources, and the executive team needs to balance the investments in IT with investments in all other parts of the business. There is no single solution for cybersecurity. It needs to encompass a range of measures, and the most effective measures tackle the basics that make companies vulnerable: security updates, authentication, how systems are accessed and configured, and simple human observation and attention by staff to their job function. Staff are the gatekeepers to your business and the best in the business; they know their jobs better than anybody else.
IT Risk Management / cybersecurity is not rocket science. It is somebody understanding and reviewing your processes, systems, assets, and data. Many boards or management teams are not IT literate, but do they rely purely on one person or an outsourced IT Managed Service provider to oversee their IT risks?
The board has to ensure that the management team are looking at both the worst-case and best-case scenarios and are prepared to make some compromises to ensure a secure IT infrastructure both in house and in the cloud, wherever their data resides. The internet is inherently unsafe; it was built on open technology, and we have to mitigate that by taking a series of measures for IT and the organisation in general.