ELEMENT 1
CYBER IS A BUSINESS RISK, NOT AN IT PROBLEM
‘Trust is the currency of the 21st Century: The collaborative economy has turned trust into a commercial currency and triggered a new way of doing business driven by the reputation not only of brands but also consumers.’12
Rachel Botsman
A cyber attack on a business has universal implications. Every person working in and with the business contributes to protecting the company from a cyber incident. Incidents such as ransomware attacks are estimated to have cost US businesses more than $7.5 billion in 2019. During the pandemic of 2020, reports suggest that ransomware attacks grew a further 72%.13 When you hear of a cyber incident, you never hear only that technology was destroyed or, simply, that systems were ‘down’. The impact of an attack or incident on a business is, and must be, considered a serious threat of financial loss, business disruption, exposure of critical business information, and damage to reputation and brand, including the consumer brand, the employer brand, and the supply chain. The impact of an attack can take down a whole organisation. And yet, when it comes to implementing controls and taking action on cyber risk, the finger is often pointed at IT teams and CIOs, despite cyber being a business risk, not an IT problem.
It’s a common theme throughout this book that the first step in addressing cyber risk is to understand it. As a director, you can and must educate yourself on cyber. This enables conversations at the board level about cyber risk and begins to normalise having a cyber risk conversation outside of the CIO’s board paper. If we only look at cyber as an IT problem, then our peer directors, stakeholders, and employee community will continue to believe it only warrants an IT response.
‘Cyber security researchers have identified a total of at least 57 different ways in which cyber-attacks can have a negative impact on individuals, businesses and even nations, ranging from threats to life, causing depression, regulatory fines or disrupting daily activities.’14
As a board member you play an important role in establishing and asserting the accountability of cyber risk through a broad understanding of the business functions surrounding cyber, the questions you ask, and to whom those questions are directed. The CEO’s role is to provide clarity to the board, regulators, and employees on accountabilities and connect the dots on how these important functions work together to keep the business safe and be prepared in the event of an incident. The list below, which is by no means exhaustive, discusses those functions that sit outside the cyber remit and, in some cases, outside IT altogether, but play a role in the prevention, detection, and management of cyber security:
• Privacy – Privacy comprises the regulation, policies, and processes used to govern the collection and handling of personal data, such as credit information and medical and government records. The privacy officer is often a lawyer within your business, and all correspondence with the Privacy Commissioner or the Office of the Information Commissioner is handled by the privacy officer and legal team.
• Financial Crime – Financial crime is a relatively new business function that prepares for and manages economically motivated crime, including fraud, electronic crime, money laundering, terrorist financing, bribery and corruption, and insider dealing. These crimes take place with or without technology. Certainly, technology is often the channel through which these crimes are carried out today. However, financial crime can just as easily be carried out in person or on paper as digitally.
• Data Governance – The governance of data includes the classification of business data and information by criticality. It is the processes, policies, and governance put in place to manage the use and quality of business data and information. Data governance must have a strategy that fits your organisation’s maturity, and progresses as you do.
• Crisis Management – Crisis management and planning prepare for the business impact of a natural or man-made disaster, and take in facilities, customers, staff, and, most importantly, safety. Crisis management and planning should never be managed solely by IT.
• Business Continuity Plan (BCP) – BCP is the planning and management needed to return to essential business services following an unplanned event. Like crisis management, BCP includes facilities management and customer and staff safety, and is focussed on resilience and restoration.
• Disaster Recovery (DR) – DR is the planning and management needed to return to normal business operations following an IT failure. While DR may be needed as part of addressing a cyber attack, more often than not it is invoked due to an operational IT failure.
The above business functions all play a role in the protection, prevention, and response to a cyber attack. The board must have a level of comfort that these functions are working together with the aligned strategies and plans needed in the face of an incident.
Many incidents are the result of employees reacting to an attack – usually via email, voicemail, or SMS – which allows a hacker access to your systems. Because your employees have approved system access, along with a high level of trust, this access opens the doors for an adversary, making them appear legitimate to your systems and monitoring. Forrester’s 2018 research estimates that 80% of data breaches have a connection to ‘compromised privileged credentials’, such as usernames and passwords.15 With one quarter of compromised data traced back to insider incidents,16 the criticality of employee education and awareness in cyber security is clear. The timely modification or revocation of system access when an employee changes roles or leaves the organisation is a critical cyber security protection. For peace of mind, and for the organisation to identify gaps to remediate, assessing maturity and compliance in the area of employee system access is a valuable audit activity.
As part of our research, CIOs and CISOs shared that, from time to time, the board, including the CEO, has not understood when something – for example, an incident or audit finding – is not due to cyber but is instead an organisational risk (people, rather than systems).
We can learn from organisations that have had their data accessed by a malicious third party through an employee reacting to a phishing attack to further demonstrate why everyone within the business plays a critical role in avoiding attacks:
Sydney hedge fund Levitas Capital suffered a cyber incident in September 2020 when one of the founders opened a fake invitation to a Zoom meeting. The hacker created $8.7M worth of fake invoices. Fortunately, only $800,000 was lost through the attack, and the remaining funds to pay the fake invoices were stopped before the money cleared. According to government figures, this attack was one of almost 2,000 of its type in only five months. The fund was forced to close when their biggest client withdrew its funds, following the incident.
Australian National University’s 2018 attack led to confidential information about student administration, financial management, and human resources being stolen. Access to the sensitive information was gained in early 2018 through phishing emails attempting to gain login credentials (username and password) of an employee. The sophistication of the phishing attack meant that the employee only had to open and view the email, as opposed to more common phishing attacks where a link needs to be clicked or an attachment opened.
In 2017, ransomware called ‘WannaCry’ was delivered worldwide via email. It encouraged the email recipient to open an attachment, which then released malware (a virus). Malware disrupts, damages, or gains unauthorised access to systems and information. WannaCry infected 250,000 machines in more than 150 countries. As a result, the National Health Service (NHS) in the UK had to cancel thousands of appointments and operations, and employees had to revert to using pen and paper, as the attack had impacted key business systems.
What often follows incidents such as these is a desire for the business to never find themselves in the same position again. Ever. However, this goal of prevention isn’t always achieved, unless businesses change their collective mindset. What we also know is that an all-of-company approach to cyber security can and does make a difference to the board’s understanding. In the pages that follow, we explore cyber across the enterprise, the role that culture plays in keeping organisations cyber safe, and the impact to customer trust if organisations don’t have a ‘joined up’ cyber narrative.
Cyber and the enterprise
In 2019 it was expected that companies would spend more than $2 trillion on digital transformation, with 70% of organisations having a digital transformation strategy in place or building one.17 With most businesses digitally enabled today, protecting company information and assets is essential for business growth and productivity, to prioritise customer experience and the company brand, attract and retain talented employees, and foster an effective relationship with regulators. While the development of the business strategy is an opportunity for the board, CEO, and management to demonstrate consideration, prioritisation, and commitment to these important areas, the business strategy also informs the cyber security strategy, associated investment, and the cyber risk appetite. (See element 2 for more information on setting risk appetite.)
The CEO is one of the critical influences on whether cyber security has a strategic presence. The CEO is instrumental in understanding and advocating for cyber security awareness and shared accountability across the organisation and in fostering a cyber security culture. Consumers are signalling a lower tolerance for cyber incidents involving their data, with 40% blaming the CEO personally for lapses in cyber security. Gartner predicts that by 2024, 75% of CEOs will be held personally accountable for cyber incidents that lead to injury or other physical damage.18
Cyber security must be at the top of the CEO agenda, not only in terms of a level of understanding of threats and controls but, most importantly, for reinforcing a cyber-aware culture through symbols. Best described by Jim Schleckser, CEO of the Inc. CEO Project, ‘Symbols are extremely powerful in that they help enable people to do things and attribute meaning to their actions even when you as the CEO aren’t in the room, so you need to manage them’.19
Cyber threats are the fourth concern to a CEO for growth prospects in 2020.20 The CEO ‘sets the bar’ and models the desired culture with a cyber-risk focus across the enterprise, with employees understanding the threats and implications. We encourage the CEO to work with a change-management practitioner to carefully consider a plan for the CEO to demonstrate a personal and company commitment to cyber security through symbols and stories. Boards may choose to demonstrate engagement and support in similar ways. A good example is a board member attending industry events and sharing any cyber-related collateral with the CEO, CIO, and CISO, and encouraging discussion of the knowledge gained through these forums.
An important symbol set by the CEO is the reporting line of the CISO and how many levels the role sits below the CEO in the organisational structure. The most common reporting line for the CISO is into the CIO, with the CIO reporting to the CEO. Reporting to the Chief Risk Officer or Chief Legal Counsel are alternatives. Our research with CIOs and CISOs tells us that, as long as the CISO’s message is not filtered before it reaches the board, it shouldn’t matter whom the role reports to. Reporting to the CIO (or chief technology officer) reflects the interconnection with IT. Reporting into risk or legal provides independence, which can help ensure that risk-mitigation decisions are not overshadowed by IT constraints. Either way, we recommend that the CISO reports to a chief who sits on the executive leadership team. We do know of organisations where the CISO reports directly to the CEO, and we expect to see this trend continue.
The relationship between the CISO and the CEO is of on-going importance. The role this relationship plays is one of trust, and is key to the united front that the board should expect to see, regarding cyber. Not only is the CEO in a position of responsibility in relation to cyber security strategically but they are also responsible for the organisational culture being one that recognises and promotes a cyber-safe business environment.
The significance of a company culture of security
‘Since cyber is everywhere, cyber awareness needs to be embedded everywhere. That means that cyber must be part of everyone’s job in a very literal sense.’21
Culture is how people behave when no one is looking. And culture doesn’t just happen. Culture involves everyone being accountable for calling out poor behaviour, speaking up, and being mindful of their own behaviour. Employees and stakeholders learn appropriate behaviour by looking up, so to speak. They receive direction, even subconsciously, as to what is considered right and acceptable behaviour. The culture of the organisation not only sets the behavioural norm. It plays a critical role in achieving your strategic objectives across the enterprise. If we have a cultural approach from the board that supports taking risks to achieve financial gain, but puts the organisation at greater cyber risk, this approach will filter down through the organisation via the CEO and management as an appropriate way of doing business. The role of the board in setting the overall company culture is no different from setting a culture of cyber security from the top down.
You would never hear someone suggest that workplace safety is only the concern of engineers who work on factory floors. We know, through years of injuries, deaths, and changes in the law, that in order to protect our employees, our reputation, and our bottom line, safety must be an enterprise-wide commitment. Despite the cliché that safety and cyber go hand in hand, the similar cultural focus required to embed them really can’t be denied. Even the Australian privacy laws regarding mandatory reporting use the physical safety of the data owner as a test as to whether or not the commissioner should be alerted to a cyber incident that has exposed sensitive data.22 Just like safety, the board, CEO, and senior executive walking the walk sets the expectations for the broader business. The risk of the opposite, a bottom-up culture, is that the security team are constantly pushing for employee engagement without senior role models demonstrating behaviours and symbols for employees to see. And, just like safety, a lack of a security-focussed culture has been seen to lead to very real incidents.
In 2017, American credit reporting agency Equifax experienced a cyber attack to the tune of 143 million sensitive data records. Upon analysis, they believe that their corporate culture was partly to blame. Post-incident, they set about addressing this as a prev...