A cyber security guide for board members

Cyberattacks are a key risk for boards and happen more often than people think. Such criminal acts usually make the headlines when they involve large data breaches or significant public disruption. As a company director, or senior executive, you must understand that cybersecurity is the responsibility of the entire board, not just a digitally-savvy non-executive or the risk committee.

A few major incidents in recent years have revealed that cybercriminals are keen to attack large systems to cause significant disruption in order to extract a ransom.

The Health Service Executive and the Department of Health in Ireland, for example, both suffered major cyberattacks in May 2021. It appears that the attacks were financially motivated by a gang that used ransomware to encrypt vast amounts of patient files. According to reports, the gang demanded $20 million to reverse the attack and hand back the data. The Irish government said it would not pay the ransom.

Due to the attack, all the HSE IT systems were shut down, which caused chaos in hospitals and many out-patient appointments to be cancelled.

The HSE director general at the time, Paul Reid said it would cost “tens of millions” of euro to fix the damaged network system, leaving the Irish taxpayer to foot the bill.

In the USA in May ’21, a ransomware attack on a major fuel pipeline took the service down for five days, causing supplies to tighten across the USA. As petrol prices rose, several states declared an emergency.

The pipeline owner, the Colonial Pipeline company, is thought to have paid the cyber-criminal gang DarkSide nearly $5m in ransom to reverse the attack.

In light of the crime and the significant disruption it caused, President Biden signed an executive order to improve American cyber defences.

The reality of the digital age is that cyberattacks will continue; they will increase in volume and become more sophisticated. In terms of risk management, cybersecurity should be a top priority for all boards and company directors.

Make no mistake; cybersecurity is the responsibility of the entire board.

In a cybersecurity incident, the whole organisation is affected, not just the IT systems.

Depending on the situation, an attack may affect sales, customer loyalty, your brand, contractual relationships and ignite legal and regulatory actions resulting from data breaches.

For a cybersecurity strategy to be effective, the board must have enough expertise to make decisions and then be accountable for these decisions.

Each board member must have enough expertise to understand how it impacts their particular area of focus and the broad implications for the organisation.

Cybersecurity is protecting devices, services and networks, and the data they contain from theft or damage.

While board members don’t need to be technical experts, they should know enough about cybersecurity to have a fluent conversation with their IT security experts and know the right questions to ask.

The key to cybersecurity is managing risks.

To improve cybersecurity, you should follow the same process you use for other risks. Cybersecurity is a continuous, iterative process, and you should follow three main steps:

1. Get the information you need to make an informed decision on your risk exposure.
2. Use this information to prioritise your risks.
3. Make sure that these risks are managed effectively.

Directors must understand that cybersecurity defences should be multi-layered and include technology solutions, employee education, and effective policies.

One of the best cybersecurity guides available for boards was written and published by the National Cyber Security Centre in the UK. It is called a ‘Cybersecurity toolkit for boards’, and you can download it here for free.

To understand more about cyber security and the duties of a company director, you can take the Diploma in Corporate Governance.