Risk Management | Cybersecurity
Ethical Boardroom | Summer 2017

Putting cybersecurity at the top of the board’s agenda

Adopting good cybersecurity practice can make a considerable difference to the resilience of your organisation

Toby Chinn
Head of Control Risks’ Cybersecurity practice

Was cybersecurity at the top of your priority list when the WannaCry attack hit? When a cyberattack strikes, it can quickly become headline news, causing serious disruption to an organisation for days on end and costing hundreds of thousands of dollars in lost data, reputational damage, lost customers and regulatory fines.

WannaCry, one of the largest cyberattacks ever seen, hit thousands of organisations worldwide within a day, causing severe damage. A summary by the BBC points out that, in the first few hours of the attack, 61 National Health Service organisations in the UK were disrupted – something echoed among many other organisations across the globe. One of the many lessons companies can draw from this attack is that if cybersecurity wasn’t a board-level priority before, it should be now. No company or country, however big or small, is immune to attacks by cybercriminals. In the worst case, breaches can cause a major corporate crisis that paralyses entire corporations for days, often causing severe financial damage. According to the UK National Cyber Security Centre, the average cost of a security breach is estimated today at between £600,000 and £1.15 million. Unsurprisingly, then, the World Economic Forum has rated cybersecurity as one of the top three risks for 2017.

Control Risks’ latest State of the Cybersecurity Landscape report found that while most companies now have notional board oversight in matters of cybersecurity, around half of these companies’ key IT and business decision-makers think their boards have no proper grasp of the issues.

Obviously, one of the main challenges board-level executives face in dealing with cybersecurity is the technical complexity of the tools and strategies involved. But as with every other kind of corporate risk, business directors do not need to immerse themselves fully in the technology in order to play an effective role in cyber risk oversight. An understanding at board level of the threats an organisation faces is a first and vital step in the right direction. Without full board-level support, IT departments, which are often in charge of dealing with cyber risks, find themselves under-resourced, isolated from the rest of the business and without sufficient budget to manage these risks effectively. In interviews with large organisations of more than 2,000 employees across 20 countries, a number of issues consistently emerged as key management concerns in cybersecurity, in particular the approach to cyber risk management and the issue of third-party cyber risk.
Effective risk management is crucial to reduce damage
According to Control Risks’ survey, adopting a risk-based approach to cybersecurity is something companies are really struggling with. Worryingly, more than a third of the organisations interviewed have not conducted a risk assessment at all within the past year. And even though the other 68 per cent of respondents have performed a risk assessment in the past year, 45 per cent of respondents cited it as their primary challenge. Furthermore, while the report found that the majority of organisations (77 per cent) said the C-suite was most accountable for cybersecurity management and decision-making, almost half of these companies said they do not believe their organisation’s board-level executives take cybersecurity as seriously as they should. Reflecting this, around a third (31