Helping directors recognise cyber security red flags

What is it like for a director of a listed company when the business is hit with a ransomware attack? 

Cheryl Hayman, a non-executive director of Australian manufacturer Shriro, has discovered this for herself after the business was subject to such a breach last month.

In a new iTnews Digital Nation mini-documentary about cybersecurity and boards (watch it at the start of this story), Hayman outlines the questions that came to mind immediately after the breach.

“The first question we all asked was, ‘how did it happen? Do we know how they got in, what data did they get? Has there been a ransom ask? Do we know anything at all about the threat actors?’, which is a new term that I've discovered, who are effectively criminals. ‘What are our duties as directors personally, as well as what's the business piece, what's the insurance cover, who are the experts we need to bring in?’” Hayman says.

Experiences like those at Shriro reinforce calls for boards to recognise the importance of treating cybersecurity as a critical and current risk.

Cyber threats have rocketed to the top of corporate risk registries in recent years, leaving the days of tick-a-box compliance far behind. These days, boards are expected to be able to interrogate the issue of cybersecurity effectively and are required to ensure the right policies and responses are in place.

But as Mike Tyson famously observed, everybody has a plan until they get punched in the face.

Roger Sharp, the co-founder of investment advisory firm North Ridge Partners and the chair of two large Australian listed businesses in the finance and travel sectors, says, “If you're considering this once a month, for a nanosecond, you’ve got it wrong. But if you have risk processes, and a risk committee or an audit and risk committee set up that spends time on this, you'll quickly understand that it is a many headed beast.”

Sharp has strong knowledge of technology and business through his work at North Ridge Partners. But that makes him somewhat unique as a director in the large listed company community in Australia.

Few directors attain their board positions due to any deep knowledge of cybersecurity. Instead, they rely on advice from managers and subject matter experts, including Chief Information Security Officers (CISOs).

Robert Mitchell, CISO for deputy.com, says it is important to communicate the risks to directors in ways that encourage them to engage with the issue.

According to Mitchell, “Most of the directors and most of the people that are sitting at that board level, if you start having a conversation with them about things like threat profiles, they're going to switch off, they're actually not going to be interested in that." They want to know that everything is under control, he says.

“But the language of risk and the language of threat is fundamentally negative. It's about containment. It's about management. It's about insurance, it's about loss prevention,” Mitchell says. He argues that such conversations may not be the most effective.
  
“So the most common tactic that I've used to try and get success about interesting things like risk management, or cyber threat, is to talk about it as a growth opportunity. A lot of what we do within security is around threat management and about making changes to make things more secure. But an awful lot of what we do in security is also fundamentally about making things more efficient," he says.

Red flags

The growing cost of cybersecurity is certainly one more reason for boards to engage directly with the subject. But of course, the key reason is business risk.

Claire Pales, along with Anna Leibel, literally wrote the book on cyber risk and boards, which is titled The Secure Board and was published earlier this year. She says there are three red flags directors should keep an eye out for.

“One of them would be if the board has to chase information – if they are not receiving information on a regular basis.

“The second one would be that they don’t know what the strategy is, and they don’t know what risk-based investments have been made.

“As a board, they want to understand the current risk position, and the future or target risk position, and what's the strategy to get there. So, if they're interrogating the executives for information around that strategy, that's another red flag,” Pales says.

The third red flag, which Pales regards as the most important, is if boards have to discover for themselves what they are expected to do in the face of a crisis.

“If they don't feel well versed in the incident response process, they don't know what their role would be, they don't understand the timing – would they be alerted within two hours of an incident being declared? Or a day? Or, if at all? Are they even in the incident response plan as a director?" Pales asks.

Pales says it's not just about the operations of the business. “How's that going to impact their customers and potentially the broader community?” she asks.