3 Important questions your board will ask about cyber security

In recent years, companies have become more focused on cyber security and these three key questions are at the top of mind for your board.
Published on May 24, 2021

Why the sudden focus on cyber security?

Given the recent attacks on companies, Boards across the country have become even more sensitive to cyber security and the actions their companies are taking to respond to the increased threats. And if they’re not, they should be.

There are several factors behind the increased attention to the subject. The sheer volume of attacks is one: 1,057 data breaches were reported to the Australian commissioner this year, a 16% increase on last year. Microsoft also raised a few eyebrows when it reported that 8 trillion threat signals are generated globally every day. Ending up on the front page of the paper is another nightmarish prospect, with almost weekly media reports of huge data breaches at home and around the world.

However, the biggest factor in Australia is that Directors now face personal liability for failing to implement appropriate cyber resilience in their organisation. Personal liability is one way of getting people to pay attention to something and that means Boards now have a much more sophisticated overview of the topic.

With all the above in mind, as a CIO, CSO or Head of IT you can expect your Board of Directors to ask a lot more questions about your cyber security practices. We’ve broken them down into three key questions you need to prepare for, with recommendations and insight from our team on how to take the next steps.

1. Are we protected and how do we know?

This is the most asked two-part question in every board room. No matter what industry you’re in or how big your company is, you’re going to be asked this question. The first part is simple: it’s a yes or no answer, and we’re hoping your answer is yes. The “how do we know” part is where it gets quite complex.

So, how do you know you’re protected? There are a number of ways to find out, but you need to know there is no silver bullet.

Key insight: Understanding your risk is vital, and then continuously managing, monitoring and optimising your security will give you the best chance of being safe.

A good place to start is by doing an exercise called Red Team – Blue Team. The Red Team actively tries to find vulnerabilities in your systems, hack into your environment and steal data, while the Blue Team watches those attacks to learn about your potential weaknesses and how to fix them.

A big factor with a Red Team – Blue Team exercise is trust. You need to find people that you fully trust with your sensitive data before handing them the keys to your house. It’s a point-in-time exercise which will give you a good overview of how protected you are, then the work starts.

To reiterate, that ‘how do you know’ question is very complex. You also really need to consider things like board oversight, cyber risk management, supply chain risk, policies and procedures, awareness and training, IT best practices, incident management, patching, business continuity plans, and more.

2. What is our most sensitive data?

The most sophisticated hackers are extremely well-researched. They will spend weeks and months analysing industries and companies, figuring out what the most valuable information potentially available is, and then they will go after it.

From your company’s point of view, you need to think, “are we holding a certain type of data that will attract an attack?”

Let’s take e-commerce as an example. A successful e-commerce platform might store the credit card information of thousands of customers. Obviously, the credit card information is what a hacker would target in that case. The e-commerce business then needs to act accordingly and use techniques to make that credit card information more secure: store the credit card details and the account record in two separate databases, hash or encrypt the stored data rather than keeping it in the clear, store the credit card digits in different places, and so on.
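As an added illustration of that separation (example code, not from the original article or any product it describes), the sketch below keeps card numbers in a separate vault store and gives the customer-facing account store only a random token plus the last four digits. Lookups in the vault use a keyed HMAC “blind index” rather than a plain hash: a bare SHA-256 of a 16-digit card number is cheap to reverse by trying every valid number, so the key (assumed to live in a secrets manager) is what makes the index safe. The vault here holds card numbers in memory; a real vault would encrypt them at rest under a key held in an HSM or KMS, which is assumed and not shown.

```python
"""Tokenisation sketch: account store holds tokens, vault holds the card numbers.

Added example. CardVault, AccountStore and the sample card numbers are
constructed for this illustration; nothing here is a real library or real data.
"""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (basic input check)."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def masked(pan: str) -> str:
    """Display form that never reveals more than the last four digits."""
    return "**** **** **** " + pan[-4:]


class CardVault:
    """Separate store for card numbers; only tokens ever leave it."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # assumed: loaded from a secrets manager
        self._by_token: dict[str, str] = {}
        self._by_index: dict[str, str] = {}

    def _blind_index(self, pan: str) -> str:
        # Keyed HMAC, not a plain hash: without the key an attacker who steals
        # the index column cannot brute-force the 10^15 or so valid card numbers.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Store the card number and return an unrelated random token for it."""
        if not luhn_valid(pan):
            raise ValueError("not a syntactically valid card number")
        idx = self._blind_index(pan)
        if idx in self._by_index:          # same card, same token (idempotent)
            return self._by_index[idx]
        token = "tok_" + secrets.token_urlsafe(16)   # random, carries no card data
        self._by_token[token] = pan
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment path, with vault access, should ever call this."""
        return self._by_token[token]


class AccountStore:
    """Customer-facing database: knows tokens and last-four digits, never the PAN."""

    def __init__(self):
        self._accounts: dict[str, dict] = {}

    def add_card(self, account_id: str, token: str, pan: str) -> dict:
        record = {"card_token": token, "card_display": masked(pan)}
        self._accounts[account_id] = record
        return record

    def get(self, account_id: str) -> dict:
        return self._accounts[account_id]


def demo() -> tuple[str, dict, str]:
    """Tokenise a constructed test card and show what each store ends up holding."""
    vault = CardVault(index_key=secrets.token_bytes(32))   # constructed key
    accounts = AccountStore()
    test_pan = "4111111111111111"   # well-known test number, not a real card
    token = vault.tokenize(test_pan)
    record = accounts.add_card("cust-42", token, test_pan)
    return token, record, vault.detokenize(token)


if __name__ == "__main__":
    tok, rec, pan = demo()
    print("account store sees:", rec)
    print("vault returns on checkout:", masked(pan))
```

The point for the board conversation is that a compromise of the account database now yields tokens and “**** 1111”, not card numbers, and that the vault is a much smaller, more tightly controlled system to defend.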

That’s e-commerce, but you have to start thinking of the industry you are in and your risk profile. A good exercise is to make a list of your data sets, ordered from high priority to low priority, and then come up with a strategy for protecting the crown jewel data. Don’t treat it as one-size-fits-all; you need to prioritise.

3. Have we had a breach and what is our ability to respond?

The cyber security industry has a saying “there are two types of companies in this world – those that have been hacked and those that don’t know they have been hacked”.

If you are in the latter category, then alarm bells should be ringing throughout your board room and your entire organisation. The likelihood of a business experiencing a data breach was 29.6% in 2019, and it’s a rate that is growing fast: organisations are nearly one-third more likely to experience a breach over a two-year period than they were in 2014. Either you have been hacked, or you have been hacked and you don’t know about it, which means your cyber security practices are not good enough.

The more common way this question goes is that the Chief Security Officer or CIO will say, ‘yes, we’ve had a breach, but it’s under control’ and the Board will then use this as a jumping-off point to ask more pointed questions around the breach and how you reacted.

They will want to know the exact steps you go through to contain a breach, remove it and reduce its impact. They will want to know how you can ensure that type of breach doesn’t happen again, what the policy is on paying a ransom, and so on.

All of these things become part of the policy process that you have to go through at a senior management level and increasingly at Board level.

Need help with your cyber strategy?

Improve your security posture with tailored strategies to protect your data, systems and business.
