The last few years have been very interesting in terms of how blame for cybersecurity failures is allocated, and how much of it lands on employees. There have been so many publicised breaches and breach notifications that people are suffering notification fatigue and becoming desensitised. The responsibilities of an organisation’s Executive Leadership Team (ELT) and Board, and the ramifications of a cyber incident for them, become clearer once you break down what a cyber incident actually is. Below are three types of cybersecurity incident:
1) Malicious intent – hacker in a basement with a hoodie trying to murder your data
Often considered the most likely cause. Viruses, ransomware, stolen passwords, phishing emails, social engineering, funds transfer fraud and so on. All rife. The evil people.
2) Dave – the overworked and undervalued IT superhero who keeps your organisation running by the skin of their teeth – or any other employee. In short, user error.
Having spent many years in IT support and operations, CTRL Group’s experts can state with confidence that IT staff are expected to know everything. They do not, and sometimes that leads to mistakes. Sometimes people lose their temper and hit send on an email they really shouldn’t. People leave phones on trains. You would be amazed, in 2019, at how many people will plug in a USB drive they find in the car park. People click the wrong link. All the time.
3) System failure! – This happens all the time and causes business interruption
I seem to remember a supermarket chain recently kicking people out of its stores after they’d filled their trolleys because it couldn’t process electronic transactions. And not many Aussies transact any other way. Apparently, some quality store managers let people walk out with full trolleys. They all should have. That would have been a good action outlined in their Cyber Incident Response Plan, hmm – the what? Sorry, I digress.
Whatever the cause, these incidents lead to the following:
- Brand and reputation damage
- Regulatory fines and penalties
- Business interruption costs
- Third-party legal action including class-actions
And many other nasties.
If you are a member of the ELT and/or a Board member, you may be thinking that a cyber incident is an IT problem. If so, think again.
A cyber incident is an organisational crisis and needs to be dealt with accordingly. You remember that drill you did for a “shooter onsite” or a fire? You need to do one, and keep doing them, for “someone has stolen our customer data” or “we can’t pump gas” as well. In 2016 global law firm Norton Rose Fulbright provided this insight: “A failure to implement appropriate cybersecurity or cyber risk management measures could constitute a breach of directors’ fiduciary duties. … Directors could therefore conceivably face personal liability to the company and to third parties for a breach of these duties that relates to cyber risk.”
The only way to reduce the brand, reputation and financial damage from a cyber incident is to handle it well.
What steps can the ELT and Board take to reduce the risk here?
- Ensure the CIO and the Chief Security Officer are an active and respected part of the ELT
- Have the Board risk committee consistently report on cyber incidents and potential threats
- Be aware – there is no excuse for Board members to say “I didn’t know”; search for “Centro” or “Hayne” for reference
- Consider appointing a Board member or advisory board member who is a cyber risk expert, especially if you deal in highly confidential information
- At least observe, if not participate in, regular threat simulations. Incident response plans are only as good as their last test
- Take an active role; it frustrates me incredibly to see IT experts marginalised
- Be proactive at all senior management levels.
Organisations depend on IT, and the rapid uptake of technology has created a whole new world of risk. The role of the ELT and the Board here is to understand what is taking place and the risks it creates for the organisation, and to support those who are on point for risk mitigation.