We’re continuing our series of blog posts about the Australian Institute of Company Directors and the Cyber Security Cooperative Research Centre’s Cybersecurity Governance Principles. These principles help to guide boards in leading cyber strategy. Today’s blog post is all about principle 3: embed cybersecurity in existing risk management practices.
Cyber strategy involves risk. You can’t eliminate it completely. However – you can minimise and manage it. Cybersecurity Governance Principle 3 is all about managing risk. But it’s also about looking at cybersecurity through the lens of your wider risk management efforts.
Too often, cyber risk is handled apart from other business risks. This can cause some very basic problems for an organisation. The most common issue is giving cyber security a different risk appetite to the rest of the organisation’s risk profile. Then, either under- or over-budgeting on cyber risk controls.
Cybersecurity needs to work throughout your organisation. Different departments will often face different levels and types of cyber risk – just as they face different types of business risk. For example, HR departments might need to deal with wrongful dismissal claims (standard business risk) and fraudulent employee information requests (cyber risk). To allow for a good level of granularity and nuance, include cyber risk in your existing risk management framework.
Encourage your board to lead risk management policy. This includes policy around cyber risk.
Some key questions that board members can ask are:
- What is our cyber risk appetite?
- Do we consider our cyber risk appetite when making strategic decisions?
- Have we included cyber risk in our risk management framework?
- How often do we hear from management about cyber risk controls?
- What sort of oversight have we put in place?
Add cyber risk to your existing risk management framework
If you have a risk management framework, include cyber risk in it. Where applicable, relate each point to cybersecurity. For example, your organisation might rely very heavily on online payments systems. You’ll have a very low appetite for risk around these systems. When it comes to cybersecurity, your risk appetite in payments systems will also be low. You’d expect to put more resources into keeping your online payments systems secure and safe.
Include cybersecurity in risk management reports to the board. Provide a brief overview of the technical aspects, like patching and perimeter protections. But also show the human element. Give the board cyber hygiene metrics that are relatable and they can follow back to risk appetite discussions, like:
- Percentage of employees who completed security awareness training in the last year.
- The current staff phishing test reporting rate.
- How these metrics measure up against your risk appetite.
Seek regular input on your cyber risk controls
If you have the staff for it, put together a committee to oversee risk management. If you don’t, schedule regular meetings with key people and put cyber risk on the agenda.
Organise audits and reviews of your cyber controls. Set up penetration testing to check your defences. Where possible, use different companies to supply and test risk controls. This helps to avoid providers ‘marking their own homework’ and testing based on faulty assumptions.
Use the results of these audits, reviews, and testing to benchmark your organisation against others in your industry. Also benchmark against applicable standards frameworks. Report these benchmarking results back to your board.
Check that key service providers meet your security requirements
Online services are a common blind spot in cyber risk. Many providers include cybersecurity controls. However, the level of security might not match your risk appetite. This is most common with smaller, boutique solutions. Check larger providers as well, though – they’re not immune to this issue.
For example, you might have multi-factor authentication as standard to help protect against phishing attacks. However, your internal documentation is held on a cloud service that doesn’t mandate multi-factor authentication for all logins. Now your intellectual property is under a risk you’ve already mandated against.
List your standard cybersecurity measures. List all current service providers. Appoint someone to check that each service provider meets your standards, and that any admin-level configuration required has been done.
Fill vacated cyber management roles
Open cybersecurity roles create skill gaps. The people who should be doing specific tasks aren’t around to complete them. If they’re regular maintenance tasks, this can create gaps in your defences. If they’re required only during cyber incidents, they might be less obviously missing. But they might also be more crucial in the heat of the moment. If your organisation is hit with a ransomware attack, you don’t want to suddenly discover you don’t know where your backups are, or how to restore them.
Vacant cyber management roles can create defence issues during cyber incidents. To avoid this problem, replace people who leave or are promoted to other roles.
Regularly ask staff to check and amend their job descriptions. You’ll often find that people will take on new tasks as part of evolving and learning. This is great – but it can lead to problems if the person leaves and their replacement doesn’t know about the new tasks. When it comes to cyber management, these problems can be especially expensive.
Make people part of your cybersecurity strategy
Ask a lot of people what their organisation is doing about cybersecurity, and they’ll shrug. Keeping people interested and up to date can be tough! However, it’s crucial for ensuring that your staff are working with your cybersecurity strategy. A good cybersecurity awareness training program will help you keep your staff up to date and on the ball. If you don’t have a comprehensive awareness training program in place, talk to us about implementing one.
About PhishNet
We train people to reduce the risk of a devastating cyber incident.
To learn more about how PhishNet can work with you to train your people to make safe and smart choices contact us today!