Time for directors to take stock of cyber issues

Article, by Kordia, 8 Dec 2022 (2 min read)

The Institute of Directors’ recent Directors Sentiment Survey revealed some troubling data showing that cyber security is still not a prominent issue for many boards.

The survey indicated a slight backwards trend: just over half of directors (54%, down from 60% in 2021) reported that their board regularly discusses cyber risks and that they are confident their organisation has the capacity to respond to a cyberattack.

The report noted, “There is an ‘it won’t happen to us’ sentiment evident from the survey. Only 46% (down from 51% in 2021) are regularly discussing the organisation’s privacy practices and risks.” Hamish Beaton, General Manager of Advisory at Aura Information Security says this is concerning, but not altogether surprising.

“I can empathise with directors – there’s been a multitude of competing risk issues that have no doubt dominated boardroom conversations over the past two years or so. However, cyber security isn’t something that can be overlooked – we only have to look at the rise in malicious activity and high-impact cyberattacks in recent times to see what serious threats await New Zealand organisations.”

Beaton says now is a great time for directors to take stock and put cyber and digital risk back on the agenda, pointing out that a lot of business continuity measures deployed during the pandemic have resulted in organisations’ cyber security measures being less effective than they once were.

“I’d really urge directors to look closely at where their organisations have landed after two years of pandemic-forced business transformation. Any digital or operational changes are likely to have impacted your cyber risk profile, so the first thing you should be doing is reassessing as a board whether you have a clear understanding of where your risks lie. For example, you might have a corporate firewall, but if a large proportion of your team now work remotely, this might not be as effective as it once was.

“The board should seek assurance that senior management have line of sight to what the new architecture of the organisation looks like. From there, you have a starting point to recalibrate defence layers to ensure your business is well secured from cyber-attacks and other digital risks.”

People are also a key factor in effective cyber security. Beaton notes that, given the large number of shifts in the labour market, many organisations may have new employees who aren’t well versed in good cyber security hygiene.

New directors, along with new employees, should be kept aware of what cyber threats such as phishing and scam emails look like, and how to manage them.

Beaton recommends boards ask their organisations some key questions to help effectively govern on cyber security.

“Ask your executives – what are the organisation’s biggest continuity risks with your IT systems? What are your ‘crown jewels’ when it comes to valuable data sets and mission critical systems? Are there good asset management processes in place?

“As a director, you don’t need to review it at a ‘0s and 1s’ level, but you should work with your CISO and CIO to understand what your threat surface or risk picture looks like.

“I’d also advise directors not to view cyber security as a silo – with so much business conducted online these days, there’s a blending of risks. Rather than having discussions about cyber security in isolation, consider how cyber security issues feature in other risk areas of your business.

“For example, maintaining supply chains has become a key risk consideration over the past couple of years. While on the surface this might appear a procurement issue, there is a cyber security component to be considered. This goes for IT supply chains too – you should develop an understanding of the potential risks to your organisation if your IT providers were affected by a cyberattack.”
