Board members and cyber responsibility

By Mark Goudie, APJ Services Manager, CrowdStrike

Cybersecurity is a business problem, not just a technology problem. Cyber security oversight and leadership requires an enterprise-wide approach led by board members who have a fiduciary duty to shareholders and investors to actively oversee the measures used to protect sensitive data and customer information.

As part of this process, board members need to have an understanding of the threat landscape and high value targets. For board members thinking about what information within the business would be of value to cyber criminals, they often focus on data and commercially sensitive information. But as a member of the board, they themselves are high value targets.

Threat actors often focus their efforts on senior leaders because of the influence they wield and the information they have access to. In many organisations, board members are viewed as non-employees, they aren’t required to undertake the same training as employees and regularly use their own devices without corporate defensive and monitoring controls. These risk factors, coupled with access to privileged information makes them vulnerable to cyber-attacks.

As influential leaders, board members play an important role in establishing a culture of security in an organisation and there is a responsibility to not only understand what the company is doing to mitigate cyber-security risk, but also to ensure they personally are practicing safe behaviour. 

The rise of cyber responsibility

Cyber security is as much a people issue it is a technology one: think about how easily you could click on malicious links or open attachments with malicious content. The Office of the Australian Information Commissioner (OAIC) recently released a quarterly report into data breaches under the Notifiable Data Breaches (NDB) scheme, revealing that human error accounted for 36 per cent of breaches.

As the senior leadership, board members need to limit risk to the company and have oversight of corporate risks. One of the simplest things directors can do to mitigate cyber risk is to ask questions and hold themselves to a higher standard. Make sure you have taken the appropriate steps to secure your own business and personal accounts, and ask security staff for guidance on how to best protect yourself and corporate data. As a leader you could be personally liable in the event of catastrophic cyberattack.

Travel is the perfect time to be targeted

Cyber-attacks can happen anywhere, but the threat can be especially high for board members when they’re traveling. They work at home, on the road and regularly mix the use of personal and business devices and accounts. These unsecured networks do not have the same degree of security as the office setting and our behaviour changes when we remove ourselves from the physical office.

When we travel, most people don’t think twice about connecting to public wi-fi at an airport, hotel or café. For board members, there is every chance they’ve download sensitive papers or checked confidential emails while on an unsecured network. This simple and all-too-common act has the potential to expose the company to significant risk. Many attackers are very aware of board member travels and will compromise hotel wi-fi for the express purpose of gaining access to sensitive materials.

CrowdStrike’s Global Threat Report found that nation state adversaries have developed a deep interest in the hospitality sector, whether for tracking persons of interest while they are traveling, or to enable access to these potential victims when they use electronic devices outside the confines of protected networks. This way they know exactly when and where their intended victims are likely to be open to compromise.

Education and awareness

Board members do not need to become cybersecurity experts in order to help their companies prepare for a cyber-attack, but a key part of protecting themselves is understanding the threats and being aware.

Most of all, boards must resolve to take greater ownership of cybersecurity. Here are some guiding tips to consider:

  • Set the tone: Boards need to provide guidance on how to prioritise cybersecurity risk. Increased security often comes at a cost in terms of efficiency or trade-offs with other business objectives, and absent board level guidance too often tilts the scale away from security and increases the risk of doing business.
  • Demand information and ask questions: Ideally, cybersecurity should be a topic at every board meeting or dealt with by a sub-committee. Briefings should go beyond the surface, delving into the details of the organisations security posture.
  • Secure third-party evaluations: Boards need to objectively understand the exposure of the organisation to cyber risk.  Similar to the way organisations hire independent auditors to evaluate their financial practices, leading businesses engage third-party organisations that are familiar with the current cybersecurity risks in the businesses vertical to assess their risk posture.

Education alone is not going to stop threat actors targeting organisations, but it can stop unwise or careless behaviour. Encouraging greater awareness of how and why senior leaders are specifically targeted will increase the chances that an attack will be caught and stopped before it can be successful.

Learning how to deal with cybersecurity risk and understand your personal responsibility is of critical importance and it must be addressed strategically from the very top. Cybersecurity management is no longer a concern delegated to the IT department. It needs to be everyone’s business — including the board’s.