CYBER SECURITY

In just a few years, cyber has transformed from the nerd in the corner into the Kim Kardashian of risk. Everyone, it seems, has an opinion on the issue. That’s because it’s serious – businesses can be built on, and destroyed by, cyber risk. The World Economic Forum’s Global Risks Report 2019 ranks cyber attacks among the top seven risks facing the planet in terms of likelihood and impact, while high-profile CEOs including Warren Buffett of Berkshire Hathaway and Jamie Dimon of JPMorgan Chase see them as the number-one threat to business.

Despite this, a Willis Towers Watson poll of 1,300 large international organisations has found that only 11 per cent of boards have taken direct responsibility for their firms’ cyber security. Although the private sector’s investment in protective tech and compliance has increased, few business leaders have a clear understanding of cyber risk and confidence that the necessary safeguards are in place at their firms. Practical advice for directors on this issue is still hard to come by, so here are some straightforward ways to improve your board’s grip on cyber risk.

1

Lead from the front

Effective cyber security requires leadership, which should come first from the board and then from the executive responsible for this aspect of the business. This is the other way round in many companies, with boards looking to their security leaders for guidance and objectives. Ask your cyber exec to explain the threats facing the organisation. Then give them clear guidance on how quickly you want these addressed and what level of risk you can live with.

2

Talk to your CISO

Few chief information security officers (CISOs) have a close relationship with the board in their organisations – many do not report to it directly. Meanwhile, the chief information officer, who has a very different mandate, often covers cyber security at the most senior level, yet IT operations and security priorities frequently conflict. Boards can learn a lot from how security and technology leaders work together, but the best way to do this is to consult both of them.

3

Ask all the right questions

To understand your firm’s level of resilience, ask your security leader to tell you: what data systems and assets you have, where they are and which are important (most aren’t); what scenarios are most worrying and how your controls will prevent them; how you will find out – and how quickly – when something goes wrong; and how the organisation will respond if the worst happens, plus its chances of recovery. Use their answers to guide your incident response plan.

4

Demand clarity in reporting

Research by Willis Towers Watson has found that 96 per cent of board members want to invest more in cyber security. What’s stopping them? Security reporting can often be qualitative (terms such as “high”, “medium” and “low” risk can be interpreted differently) or unrelated to business goals. Insist on risk assessments that quantify the likelihood and impact of a cyber security breach. How does the potential cost of an incident compare with your investment?

5

Get more from your non-execs

Not every company needs a “cyber Ned”, but it is crucial to have someone on the board who has enough experience and knowledge to ask the right questions of the specialists. That person could have led an executive-level response in the past or observed how other firms’ boards approached a cyber incident. The challenge here is to get the appropriate skills on your board. Don’t assume that your most technically literate board member, such as a former chief information officer, will automatically fulfil this role. Instead, assess the capabilities of the board and form a plan to address any gaps in knowledge.

6

Play your part in simulations

Our research indicates that only 13 per cent of board members feel they have learnt from the security mistakes their firms have made. A key contributor to this is a lack of understanding about how to handle a crisis. All companies should regularly test their readiness. This can be done as a desktop exercise, but it’s better if you make it as real as possible. For instance, the IBM X-Force Command Cyber Tactical Operation Center offers a training platform that can run full-scale simulations of cyber incidents. A board member should get actively involved in such exercises to practise how to respond.

7

Practise dealing with the media

Serious cyber incidents will hit the headlines, so you need to have a media management strategy ready to limit any reputational damage. Baroness Dido Harding, TalkTalk’s CEO in 2010-17, sought to do the right thing by making a prompt public announcement when a cyber attack in 2015 compromised the details of millions of customers, yet she still had to handle intense criticism. Bring in a public relations specialist or crisis management adviser, choose scenarios that most concern you and then stand in front of a camera and, with their help, practise how to handle a grilling from the media.

8

Focus on the human aspects

Cyber risk is seen as an IT issue, but our research shows that 90 per cent of incidents leading to cyber insurance claims resulted from human behaviour. Your HR, IT and security teams should work together on this – discuss how your company’s culture supports cyber security and risk management.


Matt Palmer is a member of IoD Jersey. He will be discussing cyber security at a series of events under the “Connected” banner in the IoD Open House on the Road programme. Visit iodopenhouse.co.uk for details


 Turn to p48 for further advice on handling a cyber security breach


director.co.uk 25


KYLE BEAN

