With the New Zealand Institute of Directors naming cyber security as one of the “five things directors can’t ignore in 2020,” you’d expect most security and IT leaders to be having ongoing robust discussions with board members around their organisation’s security posture.
Unfortunately, with COVID-19 causing irreparable damage to the economy and business, many boards are preoccupied with immediate operational matters and are losing focus on the new cyber security risks ushered in with the pandemic.
Aura Information Security General Manager, Peter Bailey, says cyber criminals didn’t use lockdown as time to take a break.
“There’s plenty of evidence that hackers have been most active since the onset of COVID-19, exploiting our disrupted remote working tools and capitalising on fear and uncertainty to execute highly sophisticated attacks.
“It’s critical businesses are focusing on cyber security as a priority. Already we’re seeing the fallout from post-COVID incidents with spikes in ransomware affecting businesses both overseas and here in New Zealand. This is not something to sleep on,” says Bailey.
Here are the top five things boards should keep in mind when tackling cyber security:
1. Get visibility of your digital risk profile
Boards need to have a good understanding of their organisation’s digital risk. Financial and reputational damage caused by a breach has the potential to be severe and devastating.
CIOs and CISOs should regularly review their organisation’s risk profile to identify vulnerabilities early and ensure they report back on risks and how to mitigate them.
This is critical, especially post-COVID when remote working and quick deployment of new technologies might have changed your perimeter.
Kordia Group CISO and Regenerate Christchurch board member, Hilary Walton, says you can’t plan if you don’t have a good grasp of the current lay of the land.
“A cyber security analysis and audit is a great way to inform your risk strategy, so make sure as a board you are asking for this.”
2. Increase your own understanding of cyber security concepts
Business is now digital, and to be a strong governance leader each board member must have a working knowledge of cyber security and information security frameworks. Understanding information security and defence strategies will help ensure the board is across all requirements needed to strengthen the organisation’s security posture.
“All directors must be able to evaluate cyber risk and information security as a critical part of your organisation’s operations,” says Bailey, adding it’s no longer effective to have just one digital expert on a board.
3. Be clear on the incoming Privacy Act 2020 and what it means for your organisation
The long-awaited changes to the Privacy Act will come into effect this December, and it’s important for boards to understand what impact the legislation will have on information security and privacy management practices.
Key changes include fines and disclosure requirements of cyber security incidents to the Privacy Commissioner. Now’s a good time to update any policies and procedures around privacy to ensure they are up to date and meet new requirements.
“The last thing you want is to be slapped with a fine when trying to manage a security incident. Likewise, the additional reporting means you will have to make potentially damaging information public, putting your reputation on the line,” says Bailey.
4. Reporting on cyber security defence frameworks and roadmaps
Beyond understanding security concepts, boards also need to understand what defences and frameworks are in place, and work with the CIO and CISO to set benchmarks and regular reporting.
Walton says threat detection, security awareness training, firewalls, testing of new applications and systems, and verifying cloud controls are all examples of reporting the boards should have visibility on.
“Boards should be asking CIOs and CISOs to regularly report on metrics around these to accurately gauge the level of cyber maturity of the organisation,” says Walton.
5. Ensuring the organisation has an appropriate response plan
Cyber-attacks and data breaches are becoming more common in New Zealand, and for too long companies haven’t taken the threat seriously. It’s important for boards to understand that a cyber-attack is now a case of when, not if.
A good response plan is critical for ensuring an organisation is resilient enough to survive an incident.
“Planning ahead roles and responsibilities, ensuring systems are safely and securely backed up, factoring in customer and shareholder communications, are all key for managing a potential crisis,” says Walton.
“Don’t forget to regularly test and practise your plan to ensure you can execute it and make any adjustments beforehand.”