Why should board members be concerned about cybersecurity?
A cybersecurity breach can be extremely disruptive and expensive, potentially resulting in significant downtime and lost productivity, permanent loss or public exposure of confidential information, reputational damage and direct financial loss. The potential impact of a security breach could be devastating or potentially fatal to any organisation. That’s why cybersecurity should have oversight at the highest level.
A robust cybersecurity strategy will also call on resources from across the organisation, including finance, human resources, IT, and operations. Gathering the necessary support and commitment from across the organisation requires a suitably senior authority to champion the cause.
Here are the 5 cybersecurity questions board members need to ask.
#1. What measures are in place to protect the organisation from cyberattack?
Although board members don’t need to have a deep technical knowledge of the organisation’s cybersecurity defences, some understanding of the systems that are in place is important. Equally critical is an understanding of how these systems are resourced and managed on an ongoing basis, as well as how the board will be kept informed.
Cybersecurity is not a “once-and-done” proposition; it’s one that must be actively managed. Are your security measures current and always evolving to keep up with new and more sophisticated threats? Are they being audited regularly to identify gaps and ensure compliance with established standards? Are your systems proactively tested, such as with mock attack scenarios and penetration testing?
#2. How do board members know if a cybersecurity breach has occurred?
In the event of a successful cybersecurity attack against your organisation, a rapid response is critically important to limit the extent of the attack and minimise the potential impact. The longer a successful attack is allowed to remain in place, the further it may spread and the more complex and expensive it may become to resolve.
As a board member you should satisfy yourself that any security breach will be rapidly identified and responded to. Ask:
- How does the company monitor for cyberattacks and breaches?
- Are staff appropriately trained to identify and respond to attacks quickly?
- How do staff report any suspicious activity?
#3. How do we respond in the event of a cybersecurity breach?
Instead of considering how your organisation will respond if a breach occurs, think instead in terms of responding when a breach occurs. Assume that a breach will occur and plan accordingly by having an incident response plan in place.
At a basic level, a cybersecurity incident response plan should include:
- Formation of an emergency cybersecurity incident response team to manage the incident response.
- Definitions of what a cybersecurity incident is (and isn’t).
- An incident response management flowchart to help employees understand the steps to be followed during a cyberattack.
- Cybersecurity incident response communication templates to help with timely companywide communications for the more severe security breaches.
- An emergency contact list and communications plan to keep internal and external stakeholders informed and coordinated.
#4. Are response plans in place and tested?
When you’re thinking about how the organisation will respond in the event of a security breach, there are three plans of critical importance. Satisfy yourself that all three plans are in place, and are reviewed and tested on a regular basis.
Backup plan
In many cases, when recovering from a security breach the organisation may need to recover lost or damaged data from backup. The backup plan should detail how the organisation backs up important data and how often. What is included in the backups? How often are the backups tested? How secure are the backups if a security breach occurs?
Disaster recovery plan
A disaster recovery plan details how the organisation will recover from a disaster, such as a security incident. Disaster recovery will often rely on the backup plan, but will also consider how the backups are to be used, what order systems are to be recovered in, how long recovery efforts may take, and what additional resources may be required, such as new data centre equipment or cloud tenants.
Business continuity plan
A security breach may result in significant disruption to business operations, with key systems rendered useless. A business continuity plan should address how the business may keep operating (even at reduced capacity) while the security incident is addressed and business systems recovered to an operational state.
#5. Will we be covered by cyber-insurance?
Cyber insurance can help not only with the immediate response to an incident, but also with longer-term recovery efforts. Ensure you understand the scope and limitations of cyber insurance policies, that sufficient coverage is in place, and satisfy yourself that all policy obligations are being met by your organisation so that any claims are not denied. Cyber insurance may cover:
- Loss of revenue due to interrupted business
- Hiring negotiators
- Paying a ransom
- Recovering or replacing your data
- Legal claims
- Investigation by a government regulator
- Copyright infringement
- Misuse of intellectual property online
- Crisis management and monitoring