Questions Boards Should Ask About Cybersecurity

Published
10 Nov 2022
Read time
4 min read

The days of board directors delegating oversight of cybersecurity to department managers are long behind us. Today, board directors must be hands-on in the management of their organisation’s cybersecurity – and knowledgeable about existing and emerging threats. We have compiled a list of questions boards should ask about cybersecurity to understand and manage business risk.  

What are our most important assets and what protections do we have in place?  

Boards must know and understand what the organisation's most important assets are and must ensure there are sufficient resources protecting those assets.

These assets will differ from organisation to organisation. For some, it will be personal data. These boards must know about organisational data collection practices and the lifecycle of the data the organisation collects. The board must also know that controls are in place to protect data at rest (e.g. stored in file servers, databases, etc.) and in transit (e.g. when sent via email or file transfer, particularly over the internet). For many organisations, these services will be provided by third parties, often cloud service providers. This makes understanding the organisation's reliance on third-party service providers a key issue for boards.

What risk do our supply chains and partners pose? 

IBM’s 2022 Cost of a Cyber Breach Report noted that 19% of data breaches were caused by a business partner initially being compromised. (For context, ransomware was the root of 11% of breaches.) This is an emerging cyber threat boards should be asking questions about. 

Key information boards should know and understand include:  

  • Is the organisation practising access management with its suppliers?
  • What (if any) cybersecurity requirements does the organisation include in its supplier contracts? 
  • What steps is the organisation taking to reduce the risk its suppliers pose to its cybersecurity?  

What is the organisation’s plan to detect a cybersecurity breach? 

Cybercriminals are sophisticated, persistent, and often incredibly well-resourced, so prevention is just one side of the coin. Organisations must have plans and systems in place to detect a breach – quickly.  

Boards should care about the organisation’s plans to detect a breach since the cost of the breach tends to be lower if it is detected and contained in under 200 days.  

The mean lifecycle of a data breach in 2022 is 277 days, while the average cost of a data breach in Australia is $4.54 million (AUD).

IBM’s Cost of a Data Breach Report 2022 revealed average savings of $1.1 million USD where the breach lifecycle was less than 200 days. 

Given the significant potential for a better financial outcome, boards should ensure there are resources available to quickly detect and contain a data breach. Ideally, there should also be resources and planning in place to deploy security AI, since this results in the most significant cost savings in the event of a breach.

What is our plan in the wake of a breach? 

As we saw recently with Optus (and its poor communications following its data breach), planning for a breach and implementing that plan is important.  

Boards should also ensure the organisation has a plan in place to manage communications, regulatory compliance, and operational recovery following a breach. The board should ensure this plan includes the allocation of key accountabilities, so the organisation can make (good) decisions quickly in the wake of a breach.  

For more information, read our earlier blog post discussing questions boards should be asking about cyber incidents.

What plans do we have in place to maintain or increase our cyber resiliency? 

Cyber threats are likely to remain a key threat to organisations long into the future. Boards should be taking steps to ensure their organisations are planning and adequately funded to address existing and emerging threats.  

If your organisation needs assistance with its cyber resiliency or managing the training of your biggest cyber risk – your staff – reach out. Our privacy team would love to help.  
