Older directors have been more complacent with cyber risk
Disturbing new research shows that older directors have been more overly comfortable than younger directors when it comes to cyber risk. 63% of directors aged 55 and older believe their board actively oversees cyber risk whereas only 55% of directors under 55 years of age agree with their older counterparts.
The Board actively oversees the risk of IT breaches and cyber attacks (including risk of loss of customer, proprietary and other sensitive information).
- Only 60% of directors agree or strongly agree that their board actively oversees cyber risk
- 21% of directors slightly agreed that their board actively oversees cyber risk – and slightly agreeing to such an important issue as cyber risk is not good enough for many organisations
- Older directors (55 years and older) appear to have been more complacent concerning cyber risk than younger directors aged under 55 years. Only 7% of directors aged 55 and older disagree that their board actively oversees cyber risk whereas 17% of directors under 55 years of age disagree
- Males and female directors of a similar age have similar perspectives in relation to cyber risk
This new research was based on the views of almost 1,000 different directors who sit on the boards of a very broad cross-section of primarily Australian organisations who have competed in Board Benchmarking’s benchmarked Board Effectiveness Survey in the last two years. The research is based on director perspectives before the announcement by Optus that the personal data of over 2 million of its past and current customers had been compromised. It was also before Medibank Private’s belated admission that the personal data of around 10 million of its customers had also been compromised.
The Optus and Medibank cyber attacks have been a big wake-up call for all Australian directors. One would hope and expect that new research following the Medibank cyber attack will reveal a heightened level of concern and follow-up action from Australian directors of all ages concerning cyber security.
Extra rigor is required
Complacency among boards, executive teams and organisations about cyber risk is well past its use-by date much deeper thinking and extra rigor is required.
Hard questions need to be asked by boards, executives and organisations, do we really need to keep the detailed personal information of former customers and if so what information? Why? Have we done a rigorous analysis of the risks and benefits of keeping all that information? Do we need to have all that information stored on files that are connected to the internet?
Has all the deep thinking, the extra rigor, the conclusions reached and the plans made been shared with and signed off by the board? If not, has the board requested all that extra thinking, rigor and feedback?
Boards should also be asking themselves whether they have the depth and breadth of appropriate digital and cyber security skills on their board. If not, what external advice and assistance will they obtain to ensure they meet their oversight obligations with the necessary rigor concerning their organisation’s digital strategy and cyber security?
Boards and CEOs also need to ensure that they have the right capability to lead their organisation’s technology and information strategy and operations. Without the appropriate capability, there will always be a significant risk to their organisation’s intellectual property, customer data and other sensitive information.
The role of the board in governing and oversighting risk has not changed, what is needed is a recognition that the vulnerabilities and threats being posed continue to evolve. This means that there are obligations both on management teams – to better explain new and emerging risks – and boards – to take the time and curiosity to be actively engaged with the changes they need to oversight
Useful resources available
The Australian Institute of Company Directors (AICD) in conjunction with the Cyber Security Co-operative Research Centre (CSCRC) has recently published five Cyber Security Governance Principles that are recommended to all Australian organisations. The five principles are:
1. Set clear roles and responsibilities
2. Develop, implement and evolve a comprehensive cyber strategy
3. Embed cyber security in existing risk management practices
4. Promote a culture of cyber resilience
5. Plan for a significant cyber security incident
Helpfully, the principles also include a checklist of four or five red flags concerning each principle. We encourage boards to ask their executive teams to provide them with a rigorous analysis of these red flags to determine the extent that their organisation is complying with the principles.
The Australian Cyber Security Centre published the Essential Eight in 2017 and has continued to update its guidance on improving the cyber security maturity level of organisations concerning the Essential Eight since. The Essential Eight forms a useful baseline for organisations to assess their level of cyber security maturity and identifies what needs to occur for organisations to move to a higher maturity level.
For organisations that do not have more appropriate cyber security maturity frameworks, we also encourage boards to ask their executive teams to provide them with a rigorous analysis of their organisations’ cyber security maturity level concerning each of the Essential Eight.
Always keep things in context and see the big picture.
Boards and executive teams need to understand their own organisation’s context and the extent of cyber security maturity that is appropriate for their organisation. An extra high level of cyber security maturity is likely to be required, for example, for a bank or insurer with millions of customers and tens or hundreds of millions of credit card transactions annually. Context is critical.
Research shows that there are 20 important things that a board needs to do well to be high performing and highly effective. One of those 20 items is the governance of risk and part of that obligation includes the active oversight of IT breaches and cyber security.
If you want to see how your board benchmarks against more than 400 other organisations in relation to each of the 20 most important areas for a board’s performance and effectiveness you can design the components of your review here or ask Insync for a proposal for a bespoke review for your board.
You can also access a free trial of a shortened three-minute version of Board Benchmarking’s Board Effectiveness Survey.