[BreachExchange] Board members and cyber responsibility

Destry Winant destry at riskbasedsecurity.com
Sun Sep 16 21:32:23 EDT 2018


https://www.cso.com.au/article/646733/board-members-cyber-responsibility/

Cybersecurity is a business problem, not just a technology problem.
Cyber security oversight and leadership require an enterprise-wide
approach led by board members who have a fiduciary duty to
shareholders and investors to actively oversee the measures used to
protect sensitive data and customer information.

As part of this process, board members need to have an understanding
of the threat landscape and high value targets. For board members
thinking about what information within the business would be of value
to cyber criminals, they often focus on data and commercially
sensitive information. But as a member of the board, they themselves
are high value targets.

Threat actors often focus their efforts on senior leaders because of
the influence they wield and the information they have access to. In
many organisations, board members are viewed as non-employees: they
aren’t required to undertake the same training as employees and
regularly use their own devices without corporate defensive and
monitoring controls. These risk factors, coupled with access to
privileged information, make them vulnerable to cyber-attacks.

As influential leaders, board members play an important role in
establishing a culture of security in an organisation and there is a
responsibility to not only understand what the company is doing to
mitigate cyber-security risk, but also to ensure they personally are
practicing safe behaviour.

The rise of cyber responsibility

Cyber security is as much a people issue as it is a technology one: think
about how easily you could click on malicious links or open
attachments with malicious content. The Office of the Australian
Information Commissioner (OAIC) recently released a quarterly report
into data breaches under the Notifiable Data Breaches (NDB) scheme,
revealing that human error accounted for 36 per cent of breaches.

As the senior leadership, board members need to limit risk to the
company and have oversight of corporate risks. One of the simplest
things directors can do to mitigate cyber risk is to ask questions and
hold themselves to a higher standard. Make sure you have taken the
appropriate steps to secure your own business and personal accounts,
and ask security staff for guidance on how to best protect yourself
and corporate data. As a leader you could be personally liable in the
event of catastrophic cyberattack.

Travel is the perfect time to be targeted

Cyber-attacks can happen anywhere, but the threat can be especially
high for board members when they’re travelling. They work at home, on
the road and regularly mix the use of personal and business devices
and accounts. The networks used outside the office do not have the same
degree of security as the office setting, and our behaviour changes
when we remove ourselves from the physical office.

When we travel, most people don’t think twice about connecting to
public wi-fi at an airport, hotel or café. For board members, there is
every chance they’ve downloaded sensitive papers or checked confidential
emails while on an unsecured network. This simple and all-too-common
act has the potential to expose the company to significant risk. Many
attackers are very aware of board members' travels and will compromise
hotel wi-fi for the express purpose of gaining access to sensitive
materials.

CrowdStrike’s Global Threat Report found that nation state adversaries
have developed a deep interest in the hospitality sector, whether for
tracking persons of interest while they are traveling, or to enable
access to these potential victims when they use electronic devices
outside the confines of protected networks. This way they know exactly
when and where their intended victims are likely to be open to
compromise.

Education and awareness

Board members do not need to become cybersecurity experts in order to
help their companies prepare for a cyber-attack, but a key part of
protecting themselves is understanding the threats and being aware.

Most of all, boards must resolve to take greater ownership of
cybersecurity. Here are some guiding tips to consider:

- Set the tone: Boards need to provide guidance on how to prioritise
cybersecurity risk. Increased security often comes at a cost in terms
of efficiency or trade-offs with other business objectives, and absent
board-level guidance, the scale too often tilts away from security and
increases the risk of doing business.
- Demand information and ask questions: Ideally, cybersecurity should
be a topic at every board meeting or dealt with by a sub-committee.
Briefings should go beyond the surface, delving into the details of
the organisation's security posture.
- Secure third-party evaluations: Boards need to objectively
understand the exposure of the organisation to cyber risk. Similar to
the way organisations hire independent auditors to evaluate their
financial practices, leading businesses engage third-party
organisations that are familiar with the current cybersecurity risks
in the business's vertical to assess their risk posture.

Education alone is not going to stop threat actors targeting
organisations, but it can stop unwise or careless behaviour.
Encouraging greater awareness of how and why senior leaders are
specifically targeted will increase the chances that an attack will be
caught and stopped before it can be successful.

Learning how to deal with cybersecurity risk and understanding your
personal responsibility is of critical importance, and it must be
addressed strategically from the very top. Cybersecurity management is
no longer a concern delegated to the IT department. It needs to be
everyone’s business — including the board’s.
