In 2005 I conducted a thesis study on security risk management in corporate governance and surveyed sixty ASX200 listed companies. The study determined there was a significant lack of security risk awareness at board level within Australian public companies and less than 30 percent had a security related policy in contrast to safety, environment and financial risk.
A decade on, we have far more powerful and cheaper cyber networks, mobile devices and connected things. The global security threat environment for business has clearly worsened and cyber security has evolved to beyond simply an IT issue but a “business problem of the highest level” (Sharf, CEO Visa Inc). With this in mind, Palo Alto Networks has produced a ‘must read’ for any Company Director and C-suite officer.
In its 2015 Data Breach Report, Verizon found that 60 percent of the nearly 80,000 security incidents reviewed, including more than 2,000 confirmed data breaches, cyber attackers were able to compromise an organisation within minutes. Alarmingly, only about one third of the compromises were discovered within days of their occurrence (Brewer, Fmr CIO, US Department of Energy). The current average discovery takes 205 days (Ashar Aziz, FireEye, October 2015).
As attacks continue, they are also likely to increase in sophistication and profitability and is “simple for hackers to assemble very accurate profiles of individuals and their positions in companies and launch socially engineered attacks or campaigns. These attacks can be hard to spot in the absence of proper training for individuals, and difficult to control in the absence of good practices and procedures regardless of how good the technology is that is deployed to protect an organisation.” (McLaughlin, CEO, Palo Alto Networks)
A survey on behalf of KPMG found that of 130 global institutional investors, with $3 trillion under management, affirmed that cyber events may affect investor confidence in the board and demand for the affected company’s shares. Investors opined less than half of boards of the companies they currently invest in have adequate skills to manage rising cyber threats. It was also found 43 percent of board members have ‘unacceptable skills and knowledge to manage innovation and risk in a digital world.’ 86 percent of investors want to see increases in time boards spend on addressing cyber risk.” Boards would be wise to raise their game by disclosing more detail of their board oversight efforts and engaging with investors when cyber incidents occur, or they may run the risk of a loss of investor confidence. (McGurn, ISS Special Counsel)
For additional verification of this issue, according to a PWC report, Deciding on Data, in 2013 Australia missed out on $48 billion of potential data-driven productivity improvements, particularly within government, health and agriculture. Yet a thriving innovation ecosystem has the potential to increase Australia’s productivity and raise GDP by $37 billion in 2024. (Kumar, WA Director, Issue 54, Australian Institute of Company Directors)
World Economic Forum research showed 90 percent of executives feel they only have nascent and developing capabilities to combat cyber threats. Still very few organisations have developed ways to assess their cyber risk exposure and to quantify them. The aggregate impact of cybercrime on the global economy can amount to $3 trillion in terms of slowdown in digitisation and growth and result in the slower adoption of innovation. Even the annual cost of economic espionage reaches $445 billion. As an example, Target’s breach cost the company more than $140 million, a large portion of which went to cover litigation costs. Aon research shows that more than 80 percent of breaches cost the companies less than $1 million. (Kvochko & Kerimi, World Economic Forum)
Although a silver bullet to achieve cyber resilience doesn’t exist, organisations need to consider comprehensive frameworks for quantifying and mitigating risk factors, including cyber risks. For organisations the focus will shift from the attacker to assets and how to secure them in a distributed digital ecosystem, where everything is vulnerable. (Kvochko & Kerimi, World Economic Forum)
The attacker’s business plans are expansive with extremely generous profit margins. Multiple reports suggest cybercrime is in the hundreds of billions of dollars. They can use identical attack methods against multiple targets and their ‘market’ is accessible to them worldwide. Meanwhile, cyber defence tends to be almost a generation behind as anticipating the method and point of attack is extremely difficult. Moreover, law enforcement is almost non-existent with less than 2 percent of cyber criminals prosecuted. Traditional government methods to fight criminal activity have not matured to address the threat and may be inappropriate to meet the dynamic nature of this uniquely twenty-first century problem.
Notwithstanding also that consumers tend to prefer utility and function over security, which is a disincentive for companies to enhance new devices with added security, which often slows or limits utility. Corporate boards are faced with the conundrum of needing to use technology to grow and maintain their enterprises without risking the corporate Crown Jewels or hard won public faith in the bargain. (Clinton, CEO Internet Security Alliance)
Directors are well advised to proactively fulfil their risk oversight functions by driving senior management toward a well-developed and resilient Cybersecurity program (Kim & Dunne). Corporate spending on Cybersecurity has doubled over the past few years and totals more than US$100 billion a year. In contrast, the total US Government spending on Cybersecurity is generally estimated to be near US$16 billion. Despite the spotlight on Cybersecurity one recent survey found nearly half of directors had not discussed the company’s crisis response plan in the event of a breach or other considerations around insurance, engaging experts, risk disclosures, national standards and compliance frameworks. (Clinton, ISA)
To help accelerate toward the same level of stability and comfort had with financial and other risk issues, a board level Cybersecurity blueprint may include six key areas:
- Inclusive board level discussion and empowering all directors to be accountable for Cybersecurity;
- Proactive cyber risk management should incorporate Cybersecurity into early stage business decisions;
- Differentiate assets for varying levels of security and Cybersecurity;
- Investment in human defences will ensure the organisation’s cybersecurity investment goes beyond technical to include awareness, education and training programs for employees.
- Limit exposure through business partners; and
- Incident response policies and procedures to mitigate risk should a breach occur. (Cox)
One of the most important defences against cyber-attack is an informed, vigilant employee population. Employees and executives are often targeted with carefully crafted emails designed to be relevant to the employer’s personal or work life. In reality these emails are loaded with malicious code. One click by a less careful individual can deploy a cyber weapon into the company’s network and execute various actions that shut down critical business functions or steal information and accounts. The bottom line is that human behaviour is equally important as security technologies in defending against cyber threats. Boards should know if employee awareness and training programs are in place and how effective they are. It also helps to build a culture of security awareness. (Cote)
Under executive leadership it is very important that there is continued improvement in processes used to manage the security of organisations. People must be continually trained on how to identify cyber-attacks for people to take appropriate steps to take in the event of an attack.” (McLaughlin, CEO, Palo Alto Networks)
In the wake of a breach, a victim’s security will also come under scrutiny, and a contractual counterpart may argue that the security was inadequate under the contract. It is difficult to define such terms adequately and still provide flexibility in the face of changing threats. (Woods, Banno, Graves)
This book is a compilation of contributions from subject matter experts and business leaders and details all relevant critical issues, considerations and best practice solutions for what is indeed, a twenty-first century problem. Companies must be in front of the game wherever possible and cyber security is one such critical element and a business enabler. The subject matter is broad but this book will steer you in the right direction for cyber threats, cyber insurance, understanding cyber espionage and theft of trade secrets, combatting the insider threat and importantly, the needs for corporate structures, legal and regulatory considerations and incident response, risk management and workforce development.
