The rising incidence of cyber-security threats means boards must be more proactive when considering risk-management strategies, writes Nigel Phair.
Smart boards recognise the value IT plays in their organisations. Technology not only maintains business as usual, but with appropriate investment and thinking can also create productivity gains, improve service delivery and drive untapped market opportunities.
Some of these same boards also understand information security risks. The online environment is constantly evolving, and so are the cyber threats it presents.
Many organisations, particularly at the small and medium end of town, do not believe they would be the target for a cyber-attack. But ongoing ransomware attacks – a type of software which encrypts files and databases, restricting access to the victim computer system, followed by the perpetrator demanding a ransom be paid in order for the restriction to be removed – should be changing the thinking of all directors, regardless of the type, size or sector of the organisation they govern.
There are a variety of reasons why organisations are attacked. It may be for the perpetrator to make money, to steal intellectual property, to gain the upper hand during trade negotiations, to use the company’s bandwidth or simply, with criminal intent, to take them down. The result can mean loss of revenue, loss of data and/or loss of reputation.
So what should boards be discussing when deciding how to secure their organisations’ online information security assets? Firstly, they need to know their information: what it is, which parts are most important, where it is stored and controlled, whether the organisation adheres to the Privacy Act, what security software protects it and how it impacts on business continuity.
Secondly, boards need to know their systems. Have they been tested to determine if they are secure from attack? Is software routinely patched? Who has access (and who has administrator rights) and at what stage is the investment lifecycle for upgrading or replacement?
Thirdly, they need to know their people. We all love our employees and think they will always do the right thing, but the statistics demonstrate otherwise, with one in five staff being responsible for an attack, usually through theft of information and even stealing computing hardware.
The increased possibility of a cyber-attack should focus risk-management oversight and most likely result in additional spending. Organisations have many choices on where to spend information security dollars. Such decisions should consider risk tolerance, business priorities and stakeholder expectations.
Measuring the return on investment from information security spend is inherently difficult. It is paying for something that may or may not happen, and if an organisation doesn’t suffer from a cyber-attack, was that because of the investment? Information security is not an investment that provides a return but an expense that pays for itself through loss prevention.
A common approach is to assess the upfront information security detection, mitigation and response expenditure against the direct and indirect costs of doing nothing. The return on investment may be calculated as the percentage cost of mitigation divided by the cost of the risk.
A starting point is to understand the value of an organisation’s information and the systems it uses. Accepting that a cyber-incident may be inevitable, creating a culture of pragmatic risk management that is commercially orientated is key. This should be followed by continuous improvement of detection and response capability.
Logically, if one investment has a higher return than another, then that investment is more likely to be made. There are many hardware and software security products designed to protect information systems. These vary in sophistication and, of course, cost. Some of these products have marginal use due to the ongoing phenomenon of phishing – where employees are targeted in an attempt to trick them into divulging company secrets, or allowing unauthorised access to a corporate network. Organisations need to analyse their risk tolerance and commit ongoing resources to a level where attackers will look elsewhere for easier targets.