Three simple questions every board should ask about cyber security

Depending upon the attack, the amount of public information available to explain what happened varies significantly. In some instances, the breaches may have been the result of sophisticated attacks, whilst in other instances normal good hygiene practices would have likely prevented or significantly reduced the impact of each event.

It is worth remembering that there is no silver bullet defensive strategy that organisations can take to eliminate cyber risk. Instead, and based on the known circumstances of these breaches, the goal of most organisations should be to implement practical measures to reduce cyber risk. In particular, Boards and Executives should be asking:

1. How strong is your security culture? Does each executive in your organisation have a KPI around cyber security?

• • Security culture is the single most important variable that is within the direct control of the organisation.
  • A strong cyber security posture relies on everyone connected to the organisation understanding their role in keeping information safe. Everyone, from the Board to casual employees, needs to believe that they have a key role to play.
  • For non-IT users, this includes things like using strong passphrases, recognising and avoiding clicking on dangerous links, exercising caution when receiving emails that ask for information or actions outside of normal processes, taking due care of technology assets and reporting suspicious behaviours to the technology team.
  • IT users will have additional responsibilities related to the diligent maintenance of the technology infrastructure and being the security champion to the broader organisation.

2. Are your authentication and user access procedures in line with best practices?

• • Recent guidance from NIST has updated some of the traditional views on authentication.
  • Stop making team members change their passwords? It seems the more frequent the change, the less complex the password is likely to be. There is a shift in traditional thinking on authentication to remove the friction in using long and complex passphrases.
  • Many organisations purport to follow the concept of ‘least privilege’. In practice, we find that very few actually do so.
  • For example, does your organisation require administrators to use separate privileged and un-privileged accounts while only accessing the privileged accounts for limited periods of time (e.g. ‘just-in-time administrative access’).
  • There will always be a balance between accessibility and security, and now may be a good time to revisit that balance to see if an adjustment might be required.

3. Are you “data hoarders”? Do you have a valid business purpose for all the information you hold? What would public reaction be if everyone knew the extent of data you hold?

• • “Data hoarder” is a term we hear often in discussions with executives.
  • Hoarding data puts a bigger cyber target on the organisation and it can drastically increase reputational damage in the event of a breach.
  • Recent attacks have brought to light the need for organisations to adhere closely to the data protection principles outlined in the GDPR – specifically around ensuring data collected has a valid business purpose, and the minimum amount of information is collected/stored to support that business purpose.
  • If this is a blind spot for your organisation, now is a good time to consider reviewing and uplifting your data management practices.

Indeed, the past few months have induced a seminal shift in how Australians are viewing cyber security, privacy and data governance. Rarely a day goes by without reports on a new development in a cyber event or government headlines in terms of stronger regulations and reforms. With stolen medical data now being released in a drip-feed fashion, it is likely that cyber will stay in the news for the months to come.

If you are interested in discussing your cyber security, get in touch with our specialist team.