How Can Boardrooms Effectively Manage Cyber Risk?

 

 

Within the financial director’s remit is a responsibility to alert the board on the financial impact of a potential breach, while also ensuring that a budget is allocated for preventing and containing incidents.  As most financially focused attacks directly threaten the company balance sheet, it is vital that CFOs are aware of those strategies which make their organisations resilient to cyber-attack.

 

To give you some perspective on just how prominent cybercrime has become, a 2018 University of Surrey study conservatively estimated that cybercrime carried out on platforms such as Amazon, Facebook and Instagram generated $1.5 trillion for cyber criminals, equivalent to the GDP of Russia.

 

The scale of the problem means that cybercrime is fast becoming a top priority in the boardroom, with the CFO a central part of this. Increasingly, we are seeing boardrooms begin to request a list of non-technical strategies they can use to fight back. 

They want to adopt strategies that are fit for the modern technological age, that they can readily understand and control, rather than just guidance targeted at seasoned tech gurus.

 

 

Yet many financial directors have a responsibility to know that their organisations are adequately protected from a potential attack. To be able to manage budgets effectively they must become well-versed in those foundational strategies which can be used to drive down their business exposure to cybercrime.

 

Analogous to a military hierarchy, whilst a General may need an appreciation of the challenges in the positioning and use of artillery, they may not be best serving the effort if they spend most of their time on the front line when there is a bigger picture to manage.

 

It is essential then that cybersecurity experts begin to adopt a language that is easily understood by all, rather than focusing on technical jargon which is baffling to many. Devising cyber risk management strategies that are easily understood and led by the boardroom will become ever more important in the current digital age. Understanding what has gone before and what does and doesn’t work will help CFOs and other board members to address current and future cyber risk.

 

For years, we have collected key observational data from hundreds of cyber incidents to which we have responded. We have spent time analysing incidents to distil the strategies every organisation needs to adopt to avoid cyber risk.

We call these strategies the Cyber|Seven.

 

 

CFOs and their boardroom peers are increasingly realising that effective cyber risk management is not just about technology. Other protections including staff skills, awareness and cyber insurance are also essential considerations.

To enable Boards to ‘self-assess’ their organisations effective implementation of the Cyber|Seven strategies we have built a simple, secure online tool which is free and anonymous at the point of use. Importantly, the questions are designed to be answered by board-level executives. 

 

They are focused on key strategies, so the problems of referral, delegation and feedback that many tactical and operational level assessment systems have do not apply to Cyber|Seven.

 

 

The key strategies forming the foundations for effective cyber risk management are:

 

Effective cyber risk management needs Ownership: Boards must appoint a “Cyber Champion” who is responsible for oversight of cyber risk management (budget, staffing, SLAs, security protection, cyber incidents, cyber insurance).

Boards must be aware of their intangible (data/info) assets and ideally sort them into broad categories and criticality. The CFO is central to this.

Is your IT budget big enough? Most IT departments are notoriously under-funded by boards. Information is the lifeblood of pretty much all modern organisations and information technology needs adequate funding to ensure resilience.

Because many payments systems are now online and almost all cybercrime is simply cyber-enabled fraud, payment controls such as segregation are more important than ever.

The ratio of IT staff to end users: Too many organisations are massively understaffed leading to stressed IT teams who make silly mistakes and leave organisations vulnerable to cyber-attack. IT staff and cyber security staffing is a key risk management strategy.

Most organisations considerably under-invest in on-going training for IT staff; in standard IT, let alone cyber security. They need to support staff and make skills acquisition a prerequisite for career growth and/or good job performance. 

Furthermore, all staff need to be given awareness training to enable them to spot cyber incidents and scams.

The older the technology the longer hackers have had to find vulnerabilities in it. Staying current means keeping the organisation ahead of the attackers. Boards do not need to know the details but do need a strategy which rejects suppliers who do not support the latest technologies.

 

 

 

For more Cyber-Security Training and Information please contact Cyber Security Intelligence:

 

Financial Director:       Image: Nick Youngson

 

 

British Government Says Company Directors Must Become Cyber Aware: