Bringing cyber security to the boardroom
In the past year, headlines about the ‘WannaCry’ ransomware attack in many countries brought cyber risks back into the spotlight. This global incident underscored, once again, that cybercriminals have moved from being a fringe threat to an ever-present one for both the corporate and the government sector.
Ransomware is exactly what it sounds like: malware used by cyber attackers who demand a ransom to restore the data or service it holds hostage. Some ransomware is capable of encrypting 100,000 files in under 2 minutes. When the WannaCry incident began, it spread quickly to 230,000 systems in over 150 countries. Malware typically spreads rapidly to individuals and businesses alike, making it one of the major threats in today’s IT world.

Ransomware attacks are a reality, they are happening more and more often, and they affect all organizations: the FBI estimates 4,000 ransomware attacks per day. “Locky” was the most widely deployed ransomware in 2016. It is distributed through spam emails carrying an invoice attachment. If the file is opened, the reader is asked to enable macros, which then leads to encryption of the files and lockout of the system. A bitcoin ransom is then demanded to decrypt the data. Locky was responsible for more than US$500 million in losses in 2016.

These attacks can have a devastating impact on businesses. EY research indicates that only 42% of companies are able to recover their data fully from their backup systems. The ransom actually paid is only a small portion of the total cost a company incurs to overcome the damage done. The other costs that have to be factored in include the response team, stabilization and restoration efforts, and enhancements to the cybersecurity framework to prevent future attacks.
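The encryption speed cited above is also what gives defenders a detection handle: a single process renaming many files to an unexpected extension within seconds is rarely legitimate. The rate-based check below is an added illustration, not code from the article or from EY; the log format, the process names and the “.locky” extension are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One process renaming THRESHOLD files to an unexpected extension inside
# WINDOW is treated as suspected mass encryption (values are assumptions).
WINDOW = timedelta(seconds=10)
THRESHOLD = 5
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "jpg"}

def parse_event(line):
    """Parse one constructed log line: '<iso time> <process> <op> <path>'."""
    ts, proc, op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), proc, op, path

def suspicious_extension(path):
    """True when the target of a rename has an extension outside the known set."""
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    return ext not in KNOWN_EXTENSIONS

def detect_mass_rename(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {process: time of first alert} for processes exceeding the rate."""
    recent = defaultdict(deque)  # process -> timestamps of suspicious renames
    alerts = {}
    for line in lines:
        ts, proc, op, path = parse_event(line)
        if op != "RENAME" or not suspicious_extension(path):
            continue
        q = recent[proc]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events outside the window
            q.popleft()
        if len(q) >= threshold and proc not in alerts:
            alerts[proc] = ts
    return alerts

# Constructed sample: normal editing by winword.exe, then a burst of renames
# to ".locky" by "badproc.exe" (a hypothetical name, not a real indicator).
SAMPLE_LOG = [
    "2017-05-12T10:00:00 winword.exe WRITE C:/Users/a/Docs/report.docx",
    "2017-05-12T10:00:01 winword.exe RENAME C:/Users/a/Docs/report_v2.docx",
] + [
    f"2017-05-12T10:00:0{i} badproc.exe RENAME C:/Users/a/Docs/file{i}.docx.locky"
    for i in range(2, 9)
]

if __name__ == "__main__":
    print(detect_mass_rename(SAMPLE_LOG))
```

The benign rename keeps a known extension and is ignored; the burst trips the alert on its fifth rename, long before the 100,000-file figure quoted above is reached.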
Cyber preparedness: The next step for boards
Cybersecurity breaches are a growing problem for businesses around the world. A recent World Economic Forum report estimates that during 2017 to 2021, global cybersecurity spending will grow toward US$1 trillion, while at the same time the cost of cybercrime will increase to US$6 trillion. According to EY’s Global Information Security Survey (GISS) 2016-2017, 87% of board members and C-level executives lack confidence in their organization’s level of cybersecurity. Cyber security can no longer be viewed as an IT-only issue. While the CIO continues to play a crucial role in anticipating, identifying and managing cyber risk, the CFO and the board need to lead the discussion and embed an enterprise-wide risk appetite.

Clearly, with growing incidences of cyber breaches, businesses in India need to scale up their focus on cyber risks. Indian organizations are reluctant to invest in their cybersecurity architecture, despite 35% of those surveyed in the GISS 2016-17 India Report admitting to having had a significant cyber breach. Further, 32% of the organizations surveyed do not have an agreed-upon communication strategy in the event of a significant cyber-attack, while only 38% are likely to communicate with their customers in the event of an attack affecting customer information. These findings clearly point to a need for businesses in India to take a more engaged view of their cyber security preparedness, as the pitfalls of not doing so can be devastating. As per the GISS 2016-17 India Report, 26% of Indian organizations incurred financial damage of up to US$100,000 in the past year. The preparedness levels of businesses in India leave enormous scope for substantial steps in this regard: for example, 55% of organizations do not have, or have only an informal, threat intelligence program.
It is an area where the tone at the top, set by boards, can help bring about a transformative change in how threats emerging from an escalating cyber risk environment are addressed.
What boards need to keep in mind
Determine your risk appetite: Cyber risk cannot be completely mitigated. The reality is that every business will face cyber-attacks at some point, so it is important to establish a cyber risk appetite as part of the organization’s overall risk management framework. What is your tolerance to cyber risk and how is that embedded across the organization? As initiatives progress around cloud, digitization and mobility, businesses need to ensure that an appropriate level of security is in place that aligns with the risk tolerance levels endorsed by the board.
Focus on protecting your critical assets: A better return on investment can be achieved by allocating capital to key areas of risk rather than taking a blanket approach across the entire organization. For this reason, boards should ensure investments are focused on the critical assets of the organization. Critical assets may include M&A data, customer data, intellectual property, financial data or sensitive company information that may sway share price. Once identified, priority should be given to heavily protecting these assets.
Insist on receiving clear communication: Boards need to clearly understand the issues so that they know how much investment is needed and which initiatives should be prioritized. Information should be relayed in a clear business context. Lead and lag indicators, together with contextual information about the industry, can give boards a clear picture of current and future risks. In particular, lead indicators focusing on governance and metrics can show how well issues are being managed today and provide valuable insight into potential future-state risks.
Develop an enterprise-wide response to threats: Response to cyber-attacks should no longer be the responsibility of only the IT department. Businesses need to consider coordinating a response that involves all areas of the business, including media relations, investor and government relations, legal, operations, business, executive’s risk and any material third parties. Modeling around scenarios should be tested and reported to the board, providing information on how well prepared the business is to respond to various types of cyber threats.
Focus on education and awareness: Cyber security is a shared responsibility. Cyber-attacks enabled by human error are a significant contributor to the overall risk which organizations face today, and this is something that cannot be addressed using technology alone. It is important that the entire organization and relevant third parties are aware of the cyber risks they may be exposed to in their everyday work life, and educated on how they should respond to these perceived risks.
Be clear about who owns cyber within your organization: While cyber is an enterprise-wide responsibility, it is essential to have a clear owner for cyber risk within the business. In many organizations, CFOs are increasingly becoming responsible for the overall cyber risk management strategy. This makes sense as CFOs may be best positioned to ensure key issues around metrics and reporting are reviewed in the overall business context.
Evaluate cyber insurance: Companies are increasingly investing in cyber insurance. While cyber insurance can be a valuable investment to protect against the impact of cyber incidents, it is essential for boards and the wider business to understand what is and is not covered. Businesses also need to ensure they have the evidence required to support claims that insurance providers are likely to require.
Do not discourage the use of new technology: Cyber risk should not be a reason to reject the deployment of new technologies. A better response is to learn how to deploy technologies securely, embed a culture around “security by design” and introduce clear business guidelines for their use.