
Questions Boards Should Ask About Cybersecurity

The days of board directors delegating oversight of cybersecurity to department managers are long behind us. Today, board directors must be hands-on in the management of their organisation’s cybersecurity – and knowledgeable about existing and emerging threats. We have compiled a list of questions boards should ask about cybersecurity to understand and manage business risk.  

What are our most important assets and what protections do we have in place?  

Boards must know and understand what the organisation's most important assets are, and must ensure there are sufficient resources protecting those assets.

These assets will differ from organisation to organisation. For some, it will be personal data. These boards must know about the organisation's data collection practices and the lifecycle of the data it collects. The board must also know that controls are in place to protect data at rest (e.g. stored in file servers, databases, etc.) and in transit (e.g. when sent via email or file transfer, particularly over the internet). For many organisations, these services will be provided by third parties, often cloud service providers. This makes understanding the organisation's reliance on third-party service providers a key issue for boards.

What risk do our supply chains and partners pose? 

IBM’s Cost of a Data Breach Report 2022 noted that 19% of data breaches were caused by a business partner initially being compromised. (For context, ransomware was the root cause of 11% of breaches.) This is an emerging cyber threat that boards should be asking questions about.

Key information boards should know and understand include:  

  • Is the organisation practicing access management with its suppliers?  
  • What (if any) cybersecurity requirements does the organisation include in its supplier contracts? 
  • What steps is the organisation taking to reduce the risk its suppliers pose to its cybersecurity?  

What is the organisation’s plan to detect a cybersecurity breach? 

Cybercriminals are sophisticated, persistent, and often incredibly well-resourced, so prevention is just one side of the coin. Organisations must have plans and systems in place to detect a breach – quickly.  

Boards should care about the organisation’s plans to detect a breach since the cost of the breach tends to be lower if it is detected and contained in under 200 days.  

The mean lifecycle of a data breach in 2022 was 277 days, while the average cost of a data breach in Australia was $4.54 million (AUD).

IBM’s Cost of a Data Breach Report 2022 revealed average savings of $1.1 million USD where the breach lifecycle was less than 200 days. 

Due to the significant potential for achieving a better financial outcome, boards should ensure there are resources available to quickly detect and contain a data breach. Ideally, there should also be resources and planning in place to deploy Security AI since these result in the most significant cost savings in the event of a breach.   

What is our plan in the wake of a breach? 

As we saw recently with Optus (and its poor communications following its data breach), planning for a breach, and implementing that plan when one occurs, is important.

Boards should also ensure the organisation has a plan in place to manage communications, regulatory compliance, and operational recovery following a breach. The board should ensure this plan includes the allocation of key accountabilities, so the organisation can make (good) decisions quickly in the wake of a breach.  

For more information, read our earlier blog post discussing questions boards should be asking about cyber incidents.

What plans do we have in place to maintain or increase our cyber resiliency? 

Cyber threats are likely to remain a key threat to organisations long into the future. Boards should be taking steps to ensure their organisations are planning and adequately funded to address existing and emerging threats.  

If your organisation needs assistance with its cyber resiliency or managing the training of your biggest cyber risk – your staff – reach out. Our privacy team would love to help.  


Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.