Cyber-risks are no different to other areas of risk. Boards must grasp the specific risks, determine risk appetite and take actions to deal with cyber-risk. By Cathy Parker.
Cybersecurity is an area full of ongoing nightmares for CIOs, business managers and directors. And rightly so, as there is a very real risk of significant business disruption, expense and lasting reputational damage.
It is the major security failures that make the headlines – and they should concern us.
In the midst of writing this, yet another hit the headlines: an embarrassing breach of the Government’s gun buy-back website. But also think of the Treasury’s budget leak, the major thefts of people’s logon and password details and customer data, and other significant recent outages at major organisations, including the Institute of Directors.
Of note is that a number of these breaches were not due to active hacking but to poor design or implementation.
The gun buy-back site breach was due to inadvertently giving gun dealers access to supposedly confidential user details under their existing logins. The Budget leak, meanwhile, was the result of an unsecured test site which, while not directly accessible, still returned search results whose short information snippets revealed a lot.
While these risks of major data loss are real, the more likely, and I would say daily, risks come from smaller intrusions.
They might not make the headlines, but they still create a lot of angst. This might be as small as a virus on a single PC, but even that can take days to fix. Or it might be an infection by file-encrypting ransomware (WannaCry or similar), where a ransom has to be paid to unlock data.
Other common challenges include email interception and spoofing, with legitimate-looking emails sent to customers advising a new bank account number, or even to the company finance person asking them to make a payment.
I recently heard from a business acquaintance about one of the latter. His finance person got an email that appeared to come from him and looked legit: the email address was right, the signature and so on, and it was asking for several large sums of money to be transferred to an account that day.
Fortunately, he was actually sitting in the next-door office, so his staff member came to check because the request was unusual and they discovered the scam.
A lot of these issues arise not directly through hacking per se, but through social engineering, often called phishing, spear phishing, etc., where the attackers try to get people to click email links or open attachments that contain viruses or other malware.
These emails are getting more and more realistic and harder to spot. With busy inboxes, staff may not be as vigilant, or may be vigilant until one arrives at 3pm when they are rushing to get things finished. One click is all it takes to start a breach, and even the best antivirus and security systems may not be able to prevent this form of attack.
So cybersecurity is definitely a board topic. To quote the IoD’s Cybersecurity fundamentals for boards report: “Cybersecurity requires board level attention and responsibility and is not just an IT issue.
“Given this, it is critical that boards include time on the agenda to discuss their approach to cybersecurity, and constantly assess and reassess their capacity to address cybersecurity threats.
“The principles behind cyber-risks are no different to other areas of risk. Boards must grasp the specific risks, determine risk appetite and take actions to deal with cyber-risk.”
The full report is available from the IoD: https://www.iod.org.nz/resources-and-insights/guides-and-resources/cybersecurity-fundamentals-for-boards/#
On a final note, you can report a breach to CERT NZ (see cert.govt.nz). Future legislation is likely to make reporting privacy breaches mandatory, but it is best practice to do this now.
Cathy Parker is the director of Adrenalin Publishing, which owns Management magazine, and she sits on a number of boards.