Wednesday, 20 June 2018
Jean Frederic Karcher, Maintel
How does the board make informed decisions on cyber risk?

Picture the scene: your organisation’s name splashed across the papers for all the wrong reasons. Employee data lost, customer data leaked online, passwords stolen. With the number of data breaches increasing every day, this scene is all too familiar. As the challenges of information security continue to garner the attention of business executives, information security and risk professionals require accurate, traceable and actionable data to be able to reduce cyber risk effectively.

An organisation may think that it has all bases covered, but accurate analysis and appropriate communication of security metrics to the board is a vital component of the cyber risk reduction process for IT and security executives.

A recent survey indicated that cyber risk was the top priority for 26 per cent of board members, while other risks such as financial, legal, regulatory, and competitive were the “highest priority” for no more than 16 to 22 per cent of respondents. 40 per cent of IT and security executives agreed that the information provided to boards contains actionable information. Worryingly, eight out of 10 rely on manually compiled spreadsheets to report data to the board. Finally, more than one-third of respondents indicated that they weren’t even aware of all the data breaches that occurred within their organisation!

A single breach will send shockwaves throughout an entire organisation. In today’s data-driven world the need for senior executives to comprehend threats and identify risks has intensified. Data risk is now the top concern of executives, and if we all adopt the mindset that a breach is inevitable, the best course of action for security teams is to better manage data risk.

With the General Data Protection Regulation (GDPR) looming and the ICO on hand to impose major fines (up to 4% of global turnover) for non-compliance, boards and senior management can no longer afford to ignore this regulation. Businesses will need to take responsibility for the way they collect and process data on European residents (Brexit or no Brexit), and must take immediate action to align their business systems with the requirements of the GDPR.

Furthermore, the regulation requires that businesses must protect the confidentiality, integrity and availability of the personal data they handle. In a GDPR world, there will simply be nowhere to hide for an organisation that suffers a breach.

Mandatory breach notification rules, common in the US, are now being introduced in the EU. A company must notify the relevant authorities within 72 hours of discovering a breach. This presents two challenges for organisations: discovering the breach in a timely manner (breaches are discovered on average 140 days after the initial intrusion) and managing the reputational fallout after such a breach.

Companies need to be adequately prepared for a breach and have a well-thought-out mitigation process in place. This shouldn’t be limited to a technical response, but should include managing regulators, customers and media inquiries. How an organisation responds to and manages a breach can have a lasting effect on reputation and a powerful impact on customer trust. A complete media blackout while an internal investigation takes place isn’t an appropriate response.

As we reflect on the past year, one thing is evident: no industry or organisation is immune from attack. Cybercrime does not discriminate; it affects businesses of all shapes and sizes. Even the most robust defences will not rule out a breach. However, there is a silver lining. Organisations can understand how cybersecurity breaches occur, what types of data present the biggest risk and what they can do to reduce that risk, including accurate analysis and appropriate communication of security metrics.

Given the range of security solutions and services now available, the days of compiling spreadsheets are over. The focus must now be on identifying and responding to threats rapidly and robustly – reducing the 140-day detection period to 140 seconds – and even that will be too long as the methods of bad actors evolve!

Jean Frederic Karcher, head of security, Maintel

About Lara Lackie

Lara Lackie is a reporter for The IT Security Guru.