Over the last few years the topic of cyber security has gone mainstream and is now actively discussed in boardrooms. The years 2012-2014 will go down in history as a period in which many major corporations were breached, with the Sony Pictures hack becoming a landmark moment: the attack was attributed to a nation-state actor, and the US responded with an executive order authorising sanctions.
On another front, insider threat and the leakage of information by privileged users are now discussion points in the wake of Edward Snowden's 2013 revelations. US spying on the EU could put the Safe Harbor agreement in jeopardy, with huge implications for companies such as Google, Facebook and Twitter, which rely on Safe Harbor to process EU citizens' data in the US.
What further information Snowden could release in the next few years is anyone's guess, but the episode demonstrates that cyber security is woven through every threat to an organisation's short-term revenue, long-term stability, viability and shareholder confidence, not to mention its corporate social responsibility standing.
It is a fundamental requirement that boards and senior executives understand the risk posture of their organisation and are aware of the corresponding cyber threat vectors. They need a clear-cut strategy for detecting, preventing and responding to cyber events, managed in the same way as political, legal, economic and financial risks.
Given the growing awareness of cyber issues and rapidly evolving legislation, a board's obligations are to recognise the risk, proactively understand the current state of cyber preparedness, and ensure an effective plan is in place for rapid response when an incident occurs.
Is your board cyber-ready?
Boards and/or executive management should consider the following five-point plan to ascertain whether they are ready:
1. Board expertise: Do board members have expertise in technology and do they understand how the rapidly evolving ecosystems of cloud, cyber, data protection, internet of things and privacy overlap with the board’s role in corporate governance and risk management?
2. Environmental knowledge: Is there an adequate understanding of the organisation's technology environment? In the case of a cyber event, is it clear whether the systems targeted are managed internally, managed externally or sourced from the cloud? Can the threat be responded to rapidly? Can management invoke the required risk management protocols quickly enough to limit the window of exposure?
3. Understanding the business: Boards or their sub-committees are required to undertake key oversight activities related to cyber risks across critical business processes and systems. They should understand the budgets allocated to cyber-security programs and who holds responsibility across the enterprise for data security and privacy. They should also understand the potential exposure created by known blind spots, where there is limited or no detection of cyber attacks.
4. Response readiness: A cyber threat management framework needs to be documented and regularly tested against a phase-based attack model such as the Cyber Kill Chain, which breaks an intrusion into stages (from reconnaissance through delivery and exploitation to actions on objectives). Mapping detection and response capabilities to each stage shows where an attack can be interrupted, and the gaps found in testing feed directly into the response plans that will be used when the organisation is attacked.
Service agreements should also be in place with external third-party suppliers for technology and subject-matter expertise that can be tapped into and mobilised in the event of an attack.
5. Media management: The board should understand that how the organisation responds and communicates following a cyber attack or breach, where systems have been compromised and data stolen, will have a material impact on its reputation.
The cyber threat management framework requires a dedicated communication plan for use in the event of an attack. The plan should set out the speed of notification to impacted parties, how known damage is described, and how information on actions planned and underway is provided. It should explain why full disclosure of the event may impede the response while it is still in progress, but commit to sharing any information that is of real benefit to impacted parties.
Above all, the board should ensure that a cross-functional, multi-disciplinary communications team exists as part of its response strategy, with adequate coverage across IT, security, legal, law enforcement liaison, HR and other functions.
Compared with traditional threats, cyber threats are unique in that the speed at which the organisation is required to respond leaves a very limited window in which to succeed or fail. Preparation is key.
This article is brought to you by Enex TestLab, content directors for CSO Australia.