Board Agenda
Cyber threats: how the board can prepare & mitigate risk

by James McAlister

Cyber attacks on the IT infrastructure of major firms are hitting the headlines. The risk can be mitigated, but boards need to stay informed.

Cybercrime. Photo: European Parliament – Audiovisual Unit

In January 2016, Michael Vatis, former director of the FBI’s National Infrastructure Protection Center, said: “Companies should be thinking about the legal and managerial decisions that the CEO, the COO and the board will need to make in the event of a cyber-incident.”

Every board member, no matter where they operate in the world, should be aware of the catastrophic impact a cyber-attack could have to their company.

The Business Continuity Institute’s Cyber Resilience Report 2016 states that “…cyber-attacks offer the most significant business risk to organisations”. The report highlights the top-five causes of digital disruptions as being social engineering, malware, spear-phishing attacks, denial of service and out-of-date software.

Symantec, the security software manufacturer, provides some stark statistics in its April 2016 Internet Security Threat Report. It states that zero-day vulnerabilities (software flaws unknown to the vendor, and therefore unpatched when first exploited) increased by 125%; more than half a billion personal records were either stolen or lost in 2015; spear-phishing campaigns rose by 55%; major security issues were discovered in three-quarters of the popular websites studied; and ransomware attacks increased by 35%.

Add to this the predictions for the future: more attacks on mobile phones through malicious apps, hacked keyless entry systems in vehicles, vulnerabilities in workplace equipment with embedded computers such as webcams and internet phones, and weaknesses in industrial control systems.

Digital strategy

So, armed with the knowledge that digital technology—our saviour—could actually be our downfall, what can you as a board member do about it?

A good place to start is ensuring that the company has an up-to-date cyber-security policy. Many organisations still believe that responsibility for cyber-security sits firmly with the IT department. Board members need to realise that to be effective, the policy aim and objectives must reach into every department, employee and supplier.

Therefore, the policy must bring about a cyber-security cultural change where everyone feels that they are crucial in protecting the organisation and, in turn, their livelihoods. The policy must also provide direction on budgeting, awareness programmes, horizon-scanning for new cyber threats and, naturally, technical solutions.

Next should be an effective cyber-incident response plan, which should address the following:

  • What is our definition of a cyber-incident?
  • What must the organisation protect?
  • How will we address technical and end-point protection?
  • What will the composition and responsibilities of the incident team members be?
  • Who has the ultimate responsibility for a cyber-incident?
  • What will our incident management framework look like (detection, containment, mitigation, recovery, closure and follow-up)?
  • Who are interested parties, and how will we communicate with them during and after an incident?
  • When should we inform regulators and/or the police?

Outsourcing of non-mission-critical services such as IT, payroll, accounting and financial services, which typically involve the transfer of sensitive data, is now standard company practice. But while the burden of the task can be handed over to the third party, the responsibility and accountability for a cyber-security incident cannot.

Board members need to be aware that due diligence must be carried out on the supply chain, to ensure that third-party contractors have equal or greater cyber-security measures in place. These actions should not just involve software solutions but how the suppliers would deal with an incident, how they would initially notify you, keep you updated and also how they would continue to provide you with the outsourced service during the incident.

Expert incident advice

Obtaining expert incident advice is another area often overlooked by organisations. There are three primary areas the organisation should focus on procuring before an incident takes place. First, legal advisors can provide counsel on data protection legislation and on exposure to civil litigation for failing to take reasonable security precautions when storing customer information.

Second, digital forensics/data-breach-response expertise is vital during and after a cyber-incident. Very few companies have the luxury of employing personnel with the technological expertise to understand and remediate today’s cyber-attacks. Engaging an independent investigator ensures integrity of response and creates a defensible record if challenged later by interested parties.

And finally, I cannot stress enough the importance of securing prompt crisis communications assistance via an experienced PR firm. They will provide communication strategies to mitigate damage to brand, reputation, interested party confidence and share price.

Employees are an organisation’s biggest asset and also the greatest risk to cyber-resilience. Good education from strategic to operational-level personnel, including temporary workers and suppliers, is key to ensuring the company does not suffer the “insider threat”, whether through incompetence, malice or criminality. Basic, common-sense awareness training that instils good security habits goes a long way, although it complements rather than replaces the technical solutions the policy must also provide for.

Cyber-security specialist Kaspersky Lab provides guidance for staff and suggests regular updates on current cyber threats, the importance of every staff member’s role in cyber-defence, the dangers of social media, what an attack might look like and how to raise the alarm.

Cyber-insurance

Cyber-insurance can assist in easing the financial pain of an attack. Items that can be covered by insurance include recovery costs in case of data loss, potential loss of turnover, additional costs associated with the detection and resolution of incidents, and incident communication costs. It is worth remembering that there are two critical areas that cannot be insured against: loss of customers and reputation, so prevention is always better than cure.

A cyber-incident may never happen to your company, but the first time you experience one should not be the first time your teams have rehearsed their response. Preparing your incident teams for an attack through “exercising” is a realistic, low-risk and cost-effective way of ensuring your organisation knows what to do when it is your turn to be attacked. Exercising can take place at any or all levels of response.

For example, the C-suite can focus on crisis decision-making and communications; tactical-level staff on implementing the incident management framework of detection, containment, mitigation and recovery; and operational personnel on providing hands-on technical responses.

Vatis believes that “…in the very near future, cyber-security exercises are going to be absolutely expected of all companies by regulators”.

Top management cannot bury their heads in the sand and consider cyber-security to be someone else’s problem. As Ginni Rometty, CEO of IBM, states: “Cybercrime is the greatest threat to every company in the world.” Incidents are inevitable, but boards can mitigate risk and damages by staying informed and ensuring that, in the event of an incident, their organisation is prepared to respond.

Cyber threats: a glossary

Social engineering
The art of manipulating people into revealing confidential information, such as passwords, or into granting access to a computer system. It includes “phishing”: sending thousands of fake emails purporting to come from an authoritative organisation and inviting recipients to click a suspect link or reveal private information.

Spear phishing
Much like phishing, but rather than taking a shotgun approach, the suspect emails are highly targeted at a few individuals chosen to suit the goal of the attack. Target selection is usually preceded by research through social media channels such as LinkedIn, Twitter and Facebook. Small companies may be targeted as gateways to information that enables attacks on much larger corporates.

Malware
An abbreviation of “malicious software”: the aim of these attacks is to plant a piece of software that lets attackers damage or secretly access computer systems. The label therefore describes the intent behind the software rather than its type. The best advice is to be very careful about which email attachments you open, and to keep software patched, since out-of-date software is one of the top causes of disruption cited above.
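The three entries above describe what phishing, spear phishing and malware delivery look like from the recipient's side. The following Python script is an added illustration, not code from the article or its author, showing the kind of automated triage a mail gateway or security team can run on an inbound message: it flags look-alike sender domains, display names that borrow a brand, a Reply-To that diverges from the sender, pressure language, and executable or double-extension attachments. The organisation domain, brand list, keyword list and both sample messages are constructed assumptions.

```python
"""Added example (not from the article): score an inbound email for the phishing,
spear-phishing and malware-delivery indicators described in the glossary."""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"                                   # assumed
BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com"}  # assumed
TRUSTED = {ORG_DOMAIN, *BRANDS.values()}
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".bat",
                    ".lnk", ".iso", ".docm", ".xlsm")
PRESSURE = ("urgent", "immediately", "within 24 hours", "verify your", "password")
_GLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(domain):
    """Undo common look-alike substitutions (paypa1 -> paypal, rn -> m, vv -> w)."""
    return domain.lower().translate(_GLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance; a small value flags typosquats such as micosoft.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    d = normalise(domain)
    if d in TRUSTED:
        return None
    for trusted in TRUSTED:
        if edit_distance(d, trusted) <= 2:
            return trusted
    for brand, site in BRANDS.items():
        if brand in d:              # e.g. paypal-secure.com
            return site
    return None


def body_text(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    return " ".join(p.get_payload(decode=True).decode("utf-8", "replace")
                    for p in parts if p.get_content_type() == "text/plain")


def triage_email(raw):
    """Return a score and human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"sender domain {from_domain} imitates {target}")
    for brand, site in BRANDS.items():
        if brand in display.lower() and from_domain != site:
            findings.append(f"display name '{display}' claims {brand} but domain is {from_domain}")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain}, not {from_domain}")
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    hits = [w for w in PRESSURE if w in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            kind = "double-extension" if name.count(".") > 1 else "executable"
            findings.append(f"{kind} attachment {name}")
    return {"score": len(findings), "findings": findings}


# Constructed sample messages (not real traffic).
PHISHING_EMAIL = """\
From: "PayPal Security" <alerts@paypa1-secure.com>
Reply-To: collect@mail-drop.example
To: j.smith@example-corp.com
Subject: URGENT: verify your account within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached invoice and confirm your password immediately.
--b1
Content-Type: application/octet-stream; name="Invoice.pdf.exe"
Content-Disposition: attachment; filename="Invoice.pdf.exe"

TVqQAAMAAAAEAAAA
--b1--
"""

BENIGN_EMAIL = """\
From: Jane Doe <jane.doe@example-corp.com>
To: j.smith@example-corp.com
Subject: Lunch on Thursday

Does noon still work for you?
"""

if __name__ == "__main__":
    for raw in (PHISHING_EMAIL, BENIGN_EMAIL):
        print(triage_email(raw))
```

The score is deliberately a plain count of independent indicators: a mail gateway would weight them, but the point for a board-level reader is that each of the glossary's techniques leaves a mechanical trace (a near-miss domain, a mismatched Reply-To, a disguised executable) that can be checked before a person ever has to exercise judgement.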

Denial of service
The objective here is to make a machine, network or internet service unusable for its legitimate users. This is done by flooding the network or site with more requests than it can handle. In a distributed denial-of-service (DDoS) attack, criminals secretly co-opt many systems or machines and point them all at the victim, so that no single source stands out. One recent example was an attack on bookmaker William Hill; another headline event saw DNS provider Dyn flooded with traffic from a botnet of compromised internet-connected devices, disrupting access to scores of high-profile brands’ websites for millions of users.
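The distinction the entry above draws, between one flooding source and many co-opted machines, is exactly what trips up naive defences. The Python script below is an added example, not part of the article, that runs two sliding-window counters over web-server access log lines: a per-source limit that catches a single flooder, and an aggregate limit that catches a botnet whose individual members each stay under the per-source limit. The log lines, IP addresses, thresholds and window length are all constructed assumptions.

```python
"""Added example (not from the article): detect single-source and distributed
request floods in Apache/nginx "combined" access-log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
T0 = datetime(2016, 10, 21, 11, 0, 0, tzinfo=timezone.utc)  # assumed base time


def fmt(t, ip, path):
    """Render one constructed log line t seconds after T0."""
    stamp = (T0 + timedelta(seconds=t)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed traffic: one normal client, one single-source flooder
    (50 requests in 5 s) and a 40-host botnet sending 3 requests each in 3 s."""
    events = [(t, "10.0.0.5", "/") for t in (0, 30, 60)]
    events += [(100 + i // 10, "203.0.113.9", "/login") for i in range(50)]
    events += [(200 + k, f"198.51.100.{n}", "/search")
               for n in range(1, 41) for k in range(3)]
    events.sort()
    return [fmt(*e) for e in events]


def detect_floods(lines, window=10, per_ip_max=20, total_max=100):
    """Return alerts as (kind, subject, count). Thresholds are assumptions."""
    per_ip = defaultdict(deque)   # ip -> timestamps inside the window
    recent = deque()              # (timestamp, ip) for every request in the window
    alerts, flagged = [], set()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                                   # skip malformed lines
        ip, stamp = m.group(1), m.group(2)
        t = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()

        q = per_ip[ip]
        q.append(t)
        while q[0] < t - window:
            q.popleft()
        if len(q) > per_ip_max and ip not in flagged:  # one host hammering us
            flagged.add(ip)
            alerts.append(("source-flood", ip, len(q)))

        recent.append((t, ip))
        while recent[0][0] < t - window:
            recent.popleft()
        if len(recent) > total_max and not any(a[0] == "distributed-flood" for a in alerts):
            sources = len({src for _, src in recent})  # how spread out the load is
            alerts.append(("distributed-flood", f"{sources} sources", len(recent)))
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

Run against the constructed log, the per-source rule fires on 203.0.113.9 at its 21st request, while none of the 40 botnet hosts ever exceeds three requests; only the aggregate rule sees the second attack, reporting 101 requests from 40 sources in the window. In production the aggregate threshold would be set from a baseline of normal traffic, and the response (rate limiting, upstream scrubbing) belongs in the incident plan rather than in the detector.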

James McAlister is the director of Crisis Prepared, an organisational resilience consultancy and vice chair of the Business Continuity Institute. He is a former police officer with over 30 years’ experience in business continuity, civil protection, crisis and major incident management.

Crisis Prepared, cyber-attack, cybercrime, James McAlister, Technology, Winter 2016