In today’s digital landscape and hostile international environment, non-executive directors must possess a solid understanding of cybersecurity to protect their organisations from growing cyber threats. As we continue to see, data breaches and privacy violations can lead to reputational damage, financial losses, and legal ramifications. Therefore, all board directors must be well-equipped with the necessary knowledge to navigate this complex landscape.
This month has seen the release of three new cybersecurity reports. I recommend you read all three, whether your role is executive or non-executive. Cybersecurity is a pressing issue that can affect every business today, regardless of size, industry or sector.
Cybersecurity Importance for Non-Executive Directors
The Issue is Not Going to go Away
Cybersecurity failure is considered one of the top threats facing Australian businesses, and with customer information being accessed in attacks such as the one on Optus, the Australian Cyber Security Centre is warning companies to remain alert.
According to the Australian Bureau of Statistics (ABS), 22% of businesses experienced a cyber security attack during the 2021-22 financial year, compared to 8% in 2019-20. Over half of those who experienced a cyber attack in 2021-2022 were negatively impacted. That includes downtime of services and loss of staff productivity.
These statistics are expected to show a further increase for the 2022-2023 financial year.
Role of Non-Executive Directors in Cybersecurity Governance
All non-executive directors must play a crucial role in cybersecurity governance, ensuring that organisations have adequate measures to protect their digital assets. The board must oversee and guide the organisation’s cybersecurity strategy, policies, and practices.
A breach or attack can result in financial losses, reputational damage, legal liabilities, and even the compromise of customer data. Non-executive directors need to recognise these potential consequences and understand that cybersecurity is not just an IT issue but a critical business concern that requires their attention.
Prioritising Cybersecurity Knowledge
Cybercriminals are constantly evolving their tactics. The rapidly changing nature of technology and the intricacies of cybersecurity can make it difficult for non-executive directors, particularly those who may not have a background in IT or cybersecurity, to fully grasp these concepts and potential risks. This is not an excuse. As a director, you must educate yourself about the latest cyber risks and mitigation processes.
These three comprehensive reports from ASIC, the Australian Cyber Security Centre and the Minister of Home Affairs and Cyber Security provide a sound knowledge base to get you started.
The survey was designed to assess participants’ cyber resilience against six functions: governance and risk management, identifying information assets, protecting information assets, detecting cyber security events, responding to cyber security incidents, and recovering from cyber security incidents.
The questions within each function were divided into 12 distinct cyber risk categories:
Vulnerabilities and threats
Supply chain risk
Information asset management
Identity and access management
Cyber security awareness training
Protection of information assets
The survey responses also showed that:
44% do not manage third-party or supply chain risk. Organisations should consider the risks introduced by external third parties. These parties could be vendors, suppliers, partners, contractors or service providers with access to an organisation’s internal or confidential information. Third-party relationships provide threat actors with easy access to an organisation’s systems and networks. An organisation can implement robust cyber security measures for its internal networks and IT infrastructure. However, unless these efforts are extended to third parties, it will be exposed to supply chain vulnerabilities.
58% have limited or no capability to protect confidential information adequately. Ransomware threat actors target confidential information. To limit the impact of cyber breaches, organisations should identify, classify and secure confidential information – and limit what is stored. To protect confidential information from unauthorised disclosure, alteration or destruction, organisations should classify information based on risk exposure in the event of a breach and implement cyber risk controls proportionate to the classification of the data.
33% do not have a cyber incident response plan. A well-defined cyber incident response plan ensures that an organisation can quickly and effectively respond if its cyber security measures fail to prevent an incident. Regularly testing and updating the plan is necessary to maintain its effectiveness. An effective response plan should be consistent with an organisation’s protocols for incident, emergency, crisis and business continuity management. It should also identify regulatory reporting obligations and interactions with critical third parties.
20% have not adopted a cyber security standard. Cyber security standards and frameworks help organisations to improve their cyber security and resilience by taking a comprehensive approach to:
identifying and managing cyber risk
protecting confidential information
mitigating and managing cyber threats, and
guiding appropriate investment in cyber security
2023–2030 Australian Cyber Security Strategy – Minister of Home Affairs and Cyber Security (November 2023)
The Minister of Home Affairs and Cyber Security released this report this month. It outlines the government's vision and strategy for cyber security up to 2030.
“By 2030, Australia will be a world leader in cyber security. We envisage a future where stronger cyber defences enable our citizens and businesses to prosper, and to bounce back quickly following a cyber attack. To achieve our vision, we need to protect Australians. We will do this with six cyber shields. Each shield provides an additional layer of defence against cyber threats and places Australian citizens and businesses at its core. Throughout the period covered by the 2023–2030 Australian Cyber Security Strategy (the Strategy), the Australian Government will work with industry to reinforce these shields and build our national cyber resilience.” Clare O’Neil MP
The government intends to protect Australians with six cyber shields, each adding a layer of defence against cyber threats with Australian citizens and businesses at its core. Throughout the period covered by the Strategy, the Australian Government will work with industry to reinforce these shields and build national cyber resilience.
Cyber security requires government and big business to lead. The government will hold industry and organisations to higher standards to protect our devices, data, and critical infrastructure. This means that boards and board directors must also prioritise cyber security within their organisations.
The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies, such as the Strategies to Mitigate Cyber Security Incidents, to help organisations protect themselves against cyber threats. The most effective of these mitigation strategies are the Essential Eight.
This guide details a process for undertaking assessments of the Essential Eight. In doing so, it includes guidance on assessment methods that can be used to assess the implementation and effectiveness of controls that underpin the Essential Eight – as articulated within the Essential Eight Maturity Model. The Essential Eight is based on ASD’s experience producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing and assisting organisations.
The mitigation strategies that constitute the Essential Eight are:
patch operating systems
restrict administrative privileges
restrict Microsoft Office macros
user application hardening
This guide and its associated publications are reasonably technical, and it is unlikely that, as a non-executive director, you will be conducting an assessment or implementing any mitigation strategies yourself. What this guide and its supplementary documentation will give you is substantial insight into what your organisation should be doing to assess and mitigate cyber risk. So, don't be put off by the technical detail in these guides. I recommend reading them all and taking in what you consider to be the necessary strategic knowledge for your organisation and your role as a board director.
Boards must mitigate cyber risks to protect their organisations and stakeholders effectively. To do so, all board directors must prioritise their cyber security knowledge and take proactive measures to bridge the gaps in their skills.
Not having the required knowledge or considering it an IT responsibility is not an excuse. Non-executive directors must set the tone at the top, ask the right questions and drive their organisation’s cyber policies. Compliance alone should not be accepted as the standard; board directors must advocate for preventative measures and policies to avoid cyber threats.
About the Author
David Schwarz is CEO & Founder of Board Direction – Australia's leading board advertising and non-executive career support firm. He has over a decade of experience putting people on boards as an international headhunter and non-executive recruiter, has interviewed over one thousand non-executives, and has placed hundreds into some of the most significant public, private and NFP roles in the world.