
How cyber savvy is your organization – Considerations for the board

Peppers

Posted on February 11, 2016

It’s no longer a matter of whether a cyber breach will occur; it’s when it will occur if it hasn’t already. Globally, in the first half of 2015, more than 245 million data records were stolen by cyber hackers every single day – or 16 records per second (Gemalto, 2015 First Half Review, Findings from the Breach Level Index).

Cyber attacks are becoming more sophisticated and harder to investigate and contain. Advanced Persistent Threats (APTs), for example, are low-key attacks that slowly siphon off critical data and are difficult to detect using traditional methods.

Cyber attacks come in various forms:

  • Data breaches – stealing an organization’s data or manipulating it so the organization can no longer trust it.
  • Cyber crimes – the theft of data, such as credit card information that hackers use for their own financial benefit.
  • Acts of sabotage – denial of service or other attacks that literally shut down the organization.
  • Espionage – attacks on the industrial or economic security of the organization.

Cyber attacks are inevitable, and often the attackers are already inside the organization’s network.

In addition to the immediate disruption created by a cyber crisis, a cyber attack often leads to drawn-out litigation, regulatory actions, ongoing operational disruptions, an impaired ability to execute strategy and increased insurance liability – all of which diminish corporate value. It’s not surprising, then, that cybersecurity is an increasingly important oversight responsibility for directors, and one with personal implications for members of the board. Following some cyber breaches, shareholders have called for the removal of directors or have filed derivative lawsuits against them. Class action lawsuits are also becoming more common following a cyber breach. In addition, the Cybersecurity Disclosure Act of 2015, recently introduced in the US Congress, would require publicly listed companies to disclose the names of directors with cybersecurity expertise and to add details of which directors know about online security in their filings to the SEC.

The bad news is that the problem is likely to become worse because every organization has a growing number of cyber risks. For example:

  • Organizations are linked with others in their ecosystem through their supply chains that, to function effectively, require sharing of information among the ecosystem partners. Each of these links introduces vulnerabilities.
  • Cyber espionage and data theft are becoming commonplace in mergers and acquisitions where hackers attempt to gain financial or operational intelligence to use as leverage in the negotiations or to devalue one of the organizations in the transaction.
  • Employees often utilize their own personal digital devices to access an organization’s data – an entry point whose security depends largely on the cyber awareness and care employees take with their devices both in and out of the workplace.
  • A growing number of companies and individuals are taking advantage of the cost-effective and convenient alternative of cloud technologies – something that is equally convenient for cyber criminals and malicious actors.

Building a cyber secure organization

It has been said that an organization’s cybersecurity is only as strong as its weakest employee, since cyber hackers look for naïve, uneducated, or untrained employees to provide them with an entry point into their employer’s network. Hackers send bogus emails designed to look as if they came from a friend or co-worker; when opened, these install malicious software (malware) on the organization’s network. Free gifts, such as thumb drives that are generously handed out at trade shows and other events, could also contain malware. Employees who use their digital devices to access unsecured Wi-Fi could unknowingly be giving access to hackers.

In this environment, organizations need to build a culture of data security – a process that should be led by the board and management and needs to involve more than just the IT department. Today, organizations need their entire workforce to be cyber savvy to ensure that they continuously operate in a secure, vigilant, and resilient environment.

Secure – Many organizations have spent significant amounts of time and money on traditional security controls and preventative measures, and most likely that investment will need to be increased in the future. Despite this, it is impossible to protect everything equally. Organizations need to focus on their “crown jewels” – the mission-critical data that they absolutely must protect. Organizations must also know the cyber hygiene of their partners and authorized connections – contractors, vendors and suppliers – who may be security allies or liabilities. It’s important to think in terms of the information supply chain, and decide who will or will not be allowed to access the information network.

Vigilant – Being vigilant means being cyber savvy. Awareness of cyber risks needs to be a priority for everyone within the organization, and for every one of its external partners. Cyber vigilant organizations build, maintain, proactively monitor and test their cyber defense. When hackers attempt to gain entry or other suspicious events occur, the organization needs to respond appropriately to fend off the intrusion, and also learn from it so it can adjust its business and technology environment accordingly.

Resilient – Inevitably, some cyber intrusions will succeed, so organizations need a crisis management strategy and a cyber risk management plan that enable them to respond and recover quickly. See the article on Crisis Management in the 2016 Directors’ Alert “Ingredients for success: Striking the right balance”.

Cybersecurity and the board

Boards of directors need to challenge management’s assessment of the organization’s cyber posture and critically review the cyber crisis management capabilities that management has put in place.

The board may also want to review its own processes for providing oversight of cybersecurity. For example, the board may want to expand the charter of the board-level committee responsible for overseeing cyber risk to include how the organization allocates resources in managing cyber risk. Another consideration may be to create a board cyber chair to oversee management’s activities and ensure that senior management is appropriately focused on cybersecurity.

Boards may also want to establish a cyber risk process that defines cyber risk management priorities for the organization and outlines mechanisms of accountability. The board may also want to have access to its own cybersecurity experts.

Dina Kamal
Partner, Cyber Risk Services

Dina is a partner in our Enterprise Risk Services practice, leading cyber intelligence services in Canada. Dina also specializes in providing cybersecurity services for financial and public sector organizations and is an active conference speaker on cyber risk management.
