Cyber Security Risk Management Strategy For Board Members
It is not just an issue for the IT department. Board members need to understand that cyber security is no longer a matter for the IT department alone: it is a company-wide consideration that deserves the board's full attention at its meetings. This should be reflected in the organisation's security governance, which should include adequate representation of business stakeholders, not just IT and security people.
Risk Management Strategy
Board members should ensure that a Risk Management Strategy is in place and that it clearly defines the organisation's security risk appetite across several defined areas (for example financial loss, service availability, data confidentiality and regulatory exposure). Based on my consulting experience, a well-articulated and comprehensive risk appetite statement is a rare find, yet it is critical: it underpins the whole security programme and determines the rigour (and by implication the cost) of the requirements that flow down into every other security-related policy and process.
Cyber Attacks Should Be Prioritised Like Other Crime
If a business is burgled or an employee is assaulted, these become urgent matters for any board. Cyber-attacks need to be treated with the same seriousness as traditional forms of crime. According to the Office for National Statistics, almost a third of all crimes recorded in the UK during 2016-2017 were cyber-crime.
Equally important are the policies and process guidance that set out roles and responsibilities, incident categorisation, and the measures that detail what to do when a cyber breach takes place. The incident response plan should be clear, precise and easy to execute as soon as an incident is detected, not written for the first time while one is under way.
You Can Only Mitigate Risks, Not Remove Them
Even with the most robust security risk assessment and management policies in place, the board must understand that cyber security risk behaves like any other business risk, operational or financial. As with those risks, no amount of preparation removes the risk entirely: controls reduce likelihood and impact, they do not eliminate either. Being prepared is nonetheless the best way to reduce the chance of an incident occurring and to limit the damage when one does.
Adopt a ‘When’ Not ‘If’ Mindset
Cyber-crime is a complex topic, so it is easy to push it to one side or assume that it will not happen to your business. Yet the reality paints a worrying picture. The Government revealed that in 2016 almost half of all UK businesses suffered a cyber breach, and the number of attacks is set to rise. Sweeping the issue under the carpet is no longer an option. Board members need to approach the issue with a 'when' it happens mindset rather than 'if' it happens. By expecting it to happen, you become better prepared and will know what to do when you come under attack. Crucially, the board should not assume that cyber-attacks only happen to big businesses. Although the media mainly reports attacks on famous brands, businesses of every shape and size are vulnerable, including small ones, which are often targeted precisely because their defences are weaker.
Focus on Damage Limitation
It is sobering to note that there is, on average, a time lag of around 200 days between a security breach and its discovery, followed by a further 60 days or so from discovery to containment. Attackers can do a great deal of damage in that window, which can prove costly to a business both financially and reputationally. Staying on top of current threats, keeping policies up to date and ensuring that detection and response capabilities are robust all shorten the time between breach and containment, and that in turn limits the damage done to your business.
Being Secure is Good for Your Business
Importantly, board members should recognise that integrating the Information Security Management System (ISMS) into the company's quality management system is good for business. It not only gives customers confidence that their sensitive or personal details are being kept secure, it also demonstrates compliance with relevant legislation and makes you a more attractive trading partner in an increasingly integrated world. Business growth and cyber security go hand in hand: by investing in security, firms can expand without suffering the heavy financial losses that a breach often brings, and in some cases businesses that fail to manage cyber risk collapse altogether when an incident occurs. Moreover, good security gives the confidence to move into new markets, which may allow you to diversify your operations.
Staff Training is Key
It is not just board members and IT personnel who need to be conversant with the latest cyber threats to businesses. Staff should be included in knowledge sharing too, especially those who use company systems and software or have access to business or customer data. Staff training on cyber threats matters because around three out of every four attacks involve employees unwittingly compromising business systems, even where technical protection is in place. One of the most common threats is the phishing email, in which the recipient is duped into believing the sender is genuine, such as a known client or customer. This can result in staff opening malicious links, downloading malware-laden attachments or even handing over passwords that give attackers access to your data.
Segregation of Duties
Segregation of Duties is already well established in Government and in financial accounting. Companies of all sizes understand not to combine roles such as receiving cheques (payments on account) and approving write-offs, depositing cash and reconciling bank statements, or approving timesheets and having custody of pay cheques. Segregation of Duties, as it relates to security, has two primary objectives. The first is prevention: of conflicts of interest (real or apparent), wrongful acts, fraud, abuse and error. The second is detection of control failures, including security breaches, information theft and circumvention of security controls. Robust Segregation of Duties controls are designed to ensure that individuals do not hold conflicting responsibilities and are never responsible for reporting on themselves or on their superior.
There is a simple test for Segregation of Duties. First, ask whether any one person can alter or destroy your financial data without being detected. Second, ask whether any one person can steal or exfiltrate sensitive information. Third, ask whether any one person has influence over the design and implementation of controls and also over reporting on their effectiveness. The answer to each question should be "no". If the answer to any of them is "yes", the organisation chart and the associated role and access assignments need to be reworked so that the conflicting duties sit with different people. The EU's General Data Protection Regulation (GDPR) adds regulatory weight to this: its accountability principle requires controllers to demonstrate compliance, and it requires that the Data Protection Officer's other duties do not create a conflict of interest, so boards need to take a hard look at whether their organisation charts and Segregation of Duties will stand up to audit.
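The three-question test above is exactly what IAM and GRC tooling automates: define which entitlement combinations are "toxic", compute each person's effective entitlements across all their roles, and flag anyone holding both halves of a toxic pair, plus anyone assessing a control that they or their own manager owns. The following is an added example of such a check, not code from the original article or any product; the role names, entitlements, user assignments and control identifiers are all constructed sample data.

```python
"""Segregation-of-duties (SoD) conflict detection over role assignments.

Added example, not from the original article. All role, entitlement,
user and control names below are hypothetical sample data.
"""
from typing import Dict, FrozenSet, Iterable, List, Set

# Which fine-grained entitlements each role grants (constructed sample).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "ap_clerk": {"enter_invoice"},
    "ap_approver": {"approve_payment"},
    "treasury": {"release_payment"},
    "gl_admin": {"modify_ledger"},
    "audit_log_admin": {"purge_audit_log"},
    "control_owner": {"design_control", "implement_control"},
    "control_assessor": {"report_control_effectiveness"},
    "data_steward": {"read_customer_pii"},
    "egress_admin": {"disable_dlp"},
}

# Toxic combinations: one person holding both entitlements is an SoD conflict.
# Each pair maps onto one of the article's three questions.
TOXIC_PAIRS: Dict[FrozenSet[str], str] = {
    frozenset({"enter_invoice", "approve_payment"}): "can raise and approve their own payments",
    frozenset({"approve_payment", "release_payment"}): "can approve and release payments alone",
    frozenset({"modify_ledger", "purge_audit_log"}): "can alter financial data and erase the trail (undetected)",
    frozenset({"read_customer_pii", "disable_dlp"}): "can read sensitive data and switch off exfiltration monitoring",
    frozenset({"design_control", "report_control_effectiveness"}): "designs controls and reports on their effectiveness",
    frozenset({"implement_control", "report_control_effectiveness"}): "implements controls and reports on their effectiveness",
}


def effective_entitlements(roles: Iterable[str],
                           role_entitlements: Dict[str, Set[str]] = ROLE_ENTITLEMENTS) -> Set[str]:
    """Union of everything a user's roles grant; unknown roles grant nothing."""
    ents: Set[str] = set()
    for role in roles:
        ents |= role_entitlements.get(role, set())
    return ents


def sod_conflicts(user_roles: Dict[str, Set[str]],
                  role_entitlements: Dict[str, Set[str]] = ROLE_ENTITLEMENTS,
                  toxic_pairs: Dict[FrozenSet[str], str] = TOXIC_PAIRS) -> Dict[str, List[str]]:
    """Return {user: [reasons]} for every user whose combined roles contain a toxic pair.

    Checking the union of all roles matters: each role may be harmless on its
    own, and the conflict only appears once the same person holds both.
    """
    findings: Dict[str, List[str]] = {}
    for user, roles in sorted(user_roles.items()):
        ents = effective_entitlements(roles, role_entitlements)
        reasons = [why for pair, why in toxic_pairs.items() if pair <= ents]
        if reasons:
            findings[user] = reasons
    return findings


def self_assessment_conflicts(control_owner: Dict[str, str],
                              control_assessor: Dict[str, str],
                              reports_to: Dict[str, str]) -> List[str]:
    """Flag anyone who reports on a control owned by themselves or by their own manager."""
    conflicts: List[str] = []
    for control, assessor in sorted(control_assessor.items()):
        owner = control_owner.get(control)
        if owner is None:
            continue
        if assessor == owner:
            conflicts.append(f"{control}: {assessor} assesses a control they own")
        elif reports_to.get(assessor) == owner:
            conflicts.append(f"{control}: {assessor} assesses a control owned by their manager {owner}")
    return conflicts


# Constructed sample assignments (hypothetical people).
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"ap_clerk", "ap_approver"},      # raises and approves her own invoices
    "bob": {"gl_admin", "audit_log_admin"},    # can change the ledger and purge the evidence
    "carol": {"ap_approver"},                  # clean
    "dave": {"data_steward", "egress_admin"},  # can read PII and disable DLP
}
CONTROL_OWNER = {"CTRL-01": "erin", "CTRL-02": "frank"}
CONTROL_ASSESSOR = {"CTRL-01": "erin", "CTRL-02": "grace"}
REPORTS_TO = {"grace": "frank"}

if __name__ == "__main__":
    for user, reasons in sod_conflicts(USER_ROLES).items():
        print(f"SoD conflict: {user}: " + "; ".join(reasons))
    for line in self_assessment_conflicts(CONTROL_OWNER, CONTROL_ASSESSOR, REPORTS_TO):
        print("Self-assessment conflict: " + line)
```

Run against a real role-to-entitlement export, the output is the list of people whose access answers "yes" to one of the three questions; fixing the organisation chart or revoking one of the two roles in each pair is what brings the answers back to "no". The toxic-pair table is the board-level policy decision; the code only enforces it.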
Staff Awareness of BYOD Risks
Make sure staff are aware of phishing and similar risks, and keep that awareness current as the threat landscape changes. Be especially mindful if you operate a BYOD policy that allows staff to use their own devices for work. Any smartphone, tablet or laptop that touches company systems or data should be brought under the firm's security controls (device encryption, screen lock, prompt patching and the ability to wipe a lost device) so that a personal device does not become the easy way in. Although this topic may seem detailed and onerous for busy board members, cyber-crime is becoming more widespread and is now nothing short of mission-critical. A well-managed, up-to-date risk management strategy and incident response plan will reduce the likelihood of breaches, and limit the fallout that has to be dealt with when an attack does occur.
Does Your Organisation Need Top Cyber Security Consultants?
We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.