With October marking Cybersecurity Awareness Month, it's an ideal time for NEDs to deepen their understanding of how to approach risk management with a comprehensive consideration of cyber concerns. This introduction to the topic from the NED Handbook gives the knowledge base for boards to proactively address this evolving - and still too often overlooked - element of the risk landscape.
The Institute of Risk Management defines cyber risk as 'any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems'. Ranging from data breaches to disruptive ransomware attacks and cyber crime, this activity can pose catastrophic consequences for businesses of any size, and must be factored into an organisation's risk appetite.
Whilst we're all acutely aware from media reports, if not personal experience, of threats to data security from cyber crime, it's important to properly account for the multitude of ways in which cyber threats can affect organisations today, including:
- Threats to confidentiality: cyber criminals may succeed in stealing confidential or commercially sensitive data, which they can sell (on the 'dark web') to anyone who is willing to pay for it. Stolen data is often personal data relating to a company's customers or employees, including bank account details.
- Threats to data integrity: hackers may gain entry to a system and data file and make unauthorised changes to the data. They may also 'infect' a system with malware, which can destroy or corrupt files and programs.
- Threats to data availability: hackers may succeed in putting an entire IT system out of action in a denial of access attack.
- Ransomware attacks: cyber criminals may gain access to a victim's IT system by technical means and encrypt the data so that the victim loses access to its own system. The criminals then demand payment of a ransom to release control of the system back to the victim.
Social Engineering and Methods of Breaching Cybersecurity
Cyber attacks can be engineered through a vast range of means, which can make it hard for boards to combat the unpredictable nature of threats.
A common objective is to install malicious software (malware) into the victim's IT system, such as a virus, worm or Trojan, often designed with the purpose of gaining access to confidential data in the user’s IT files, or to take control of the user’s IT system altogether.
In particular, many cyber breaches exploit tactics like social engineering - a non-technical method used by hackers to gain entry to a victim's IT system, relying heavily on human interaction and typically involving tricking people into breaching standard security practices.
The success of social engineering depends on the ability of the attacker to persuade an authorised system user to open email attachments infected with malware or persuade them to divulge confidential information.
Social engineering often relies on the natural helpfulness of people or attempts to exploit perceived personality weaknesses of the user.
Tactics like this underscore the importance of comprehensive training to build a cyber-resilient culture.
Cyber Security and Risk Management
With incidents of cyber crime increasing rapidly, boards must ensure that their company has appropriate cyber security arrangements in place for mitigating risks, including:
- Network security: protecting a computer network from attackers, for example by means of firewalls.
- Application security: concerned with the security of information used by computer applications, and protection against hacking of programs and data files. Data protection routines (anti-virus software) can be written into application software.
- Information security: protecting the integrity and privacy of data, both in storage and in transit. To some extent, data security can be achieved by encrypting data.
Directors should review the adequacy of cyber security measures as part of their regular reviews of the overall effectiveness of the risk management system.
Key Reports and Resources from the Handbook
A cyber risk governance report, published in 2017 by the Federation of European Risk Management Associations (FERMA) and the European Confederation of Institutes of Internal Auditing (ECIIA), made the point that dealing with cyber risk is not simply a matter of IT management, stating that ‘beyond the IT domain, cyber security is a matter of corporate governance.’
The report recommended that companies should establish a Cyber Risk Governance Group ‘whose mission is to determine cyber risk exposures in financial terms and design possible mitigation plans’.
It also recommended that this group should report directly to the (board) risk committee.
In 2019 the National Cyber Security Centre (NCSC), part of the UK government’s GCHQ, launched its Cyber Security Toolkit for Boards.
The introduction to the Toolkit notes that boards are pivotal in improving the cyber security of their organisations and the Toolkit has been created to encourage essential discussions about cyber security to take place between the board and their technical experts.
Board members do not need to be technical experts themselves, but they need to know enough about cyber security to be able to have a fluent conversation with the company experts (both internal and external support) and understand the right questions to ask.
The 'Cyber Security Toolkit for Boards' therefore provides not only a general introduction to cyber security, but also individual sections on its important aspects, each:
- explaining what it is, and why it's important;
- recommending what individual board members should be doing;
- recommending what the board should be ensuring their organisation is doing;
- and providing questions and answers which board members can use to start crucial discussions with cyber security experts.
Learn More
For more information on areas of risk management like this, be sure to read our Non-Executive Directors' Handbook (NEDA Premium membership required) using the link here.