Cyber-security: Is your board and audit committee prepared?
"Cyber-security is not just a technology issue; it’s a business risk that requires an enterprise-wide response. Yet, only 38% of the executives who responded to our 15th annual Global Information Security Survey said they align their information security strategy to the organisation’s risk appetite and risk tolerance. Effective information security transformation requires leadership, commitment and the capacity to act – is your Board and Audit Committee prepared?"
- The cost of cyber attacks
- Managing emerging technologies – the cloud and social media
- Preparing your Board and Audit Committee
The cost of cyber attacks
Increasingly, virtualisation, mobilisation and cloud technology have created new points of entry into businesses - leaving them vulnerable to covert cyber attacks. Many organisations have already experienced a cyber attack, but not all of them know about it. Our 15th annual Global Information Security Survey reinforces this view, with executives at many organisations saying it’s a struggle to contain the threats, and nearly impossible to thwart them.
Like the technology itself, the financial consequences of a cyber attack are often not well understood. Theft of funds and intellectual property is not the only risk: there are also the costs of lost customers and lost new business, and the expense of remediation.
Data gathered by the Computer Emergency Response Team (CERT) Australia on the cost of breaches for Australian businesses certainly makes a case for action. In its 2012 Cyber Crime & Security Survey Report, the average cost of a reported breach was $2.13 million, or approximately $138 per lost record. Importantly, these figures make no attempt to estimate the associated reputational costs, which are not captured in the survey and can be far larger than the direct costs.
The uncertainty that typically surrounds the evaluation of an apparent cyber attack can lead to hesitation and inaction, which may damage the company's brand and reputation, disrupt business continuity, and introduce a host of financial and legal ramifications.
The consequences of a cyber attack can therefore ultimately affect financial performance, reduce earnings per share and affect the company's overall market value. Consequently, organisations that have not already embedded, at Board and/or Audit Committee level, an information security strategy that determines how they will respond to cyber attacks should act now.
Managing emerging technologies – the cloud and social media
The global financial crisis has placed pressure on businesses to cut costs – and it is technology that helps to streamline this process. However, the same technologies that propel business forward are the ones creating new risks. For instance, organisations want to increase operational flexibility - 59% of those who responded to our survey said they have moved to the cloud or plan to do so. However, 38% of those moving to the cloud indicated that they haven’t done anything to mitigate the potential risks inherent in the cloud - such as legal, regulatory and compliance risks around data privacy.
Similarly, using social media to enhance a company's brand by interacting with customers round the clock means that it takes those same customers little time or effort to damage the company's reputation when a cyber attack occurs. Data security, privacy management and regulatory compliance around social media are all challenges that a cyber attack brings to the fore. Coupled with the increasing use of mobile technology, the potential avenues of attack and the speed with which the impact spreads have never been greater.
Preparing your Board and Audit Committee
The organisation's Board should set the tone for enhancing information security, and determine whether the full Board or a single committee should have oversight responsibility.
In some cases, a Risk Committee, Executive/Operating Committee or the Audit Committee will be given the responsibility to oversee Information Security risks. In our experience, Audit Committees operating in this capacity should leverage detailed information on the company’s control processes to better understand what level of oversight is necessary and whether management has the right people and processes in place.
The Audit Committee can then establish whether action plans are aligned with the company's level of maturity in managing security risks, and determine where more attention may be required, such as the areas of the business where risks and the potential for damage are highest.
Boards and/or Audit Committees should also ask questions about the state of specific security programs, and then ask for benchmarks:
- Do you believe that your information security gap (the difference between what you are doing and what you should do) is getting larger or smaller?
- How is the company doing relative to its competitors and the industry?
- What measures are in place to prevent or, more importantly, detect attacks?
- Have management decisions associated with gaps in the security program been aligned to the company’s tolerance for risk?
- How do you know that your limited resources are focused on areas and initiatives critical to information security success?
- Are you more confident or less confident than you were a year ago? How about compared to two or three years ago?