The short answer is ‘yes’. Boards should be very concerned. Cyber risk is a growing threat for all organisations. If an organisation has not already suffered a cyber attack it almost certainly will in the future, probably sooner than later.
I chair a group called the Control and Risk Self-assessment Forum. We meet from time to time to discuss risk and governance issues. In January we spent a day discussing cyber risk. The event proved highly popular with all the available places being taken within 24 hours of listing the meeting. We were kindly hosted in London by the Institute of Risk Management who also offered to publish a report of the discussions. This article is a short summary of what’s in the report. The report itself, and details of the speakers, can be found here. Many of the participants had personally been affected by cyber attack.
In the UK, many public sector National Health Service hospitals were hit by WannaCry ransomware cryptoworm attacks in 2017. We heard from a former non-executive director of one hospital. The attacks, which targeted computers running Microsoft Windows, temporarily crippled activities. Almost everyone was affected and, amongst other things, surgical operations had to be cancelled. The hospitals were not specifically targeted but were vulnerable because they had not properly protected themselves; a key oversight was that software updates had not been installed. This should be a salutary lesson for any board thinking their organisation is not a target and so will not be attacked.
Many organisations are under prepared and few boards have the skill set to understand the risk fully. They may also not understand who below board level is or should be responsible for protecting the organisation against cyber risk. It may be that no one actually regards it as their responsibility. Security is not the first concern of programmers, chief information officers (CIOs) or chief technical officers (CTOs). Software developers are rarely security experts, they are paid to get a program operational and security may not feature in their thinking unless it is part of the brief. Until an attack happens CIOs will be more interested in operational matters along with CTOs who may prefer to spend money on new technology than on cyber security. Similarly at management and C-suite levels there are likely to be many competing priorities meaning that security concerns get trumped by operational or cost issues.
In our discussions there was a general view from both speakers and participants that most boards lack anyone who understands digital risks and few board members know enough to ask the right questions of their staff. For example do directors know exactly where their data is, might it in fact be in another country? The fact is that, as one of the speakers Sue Milton pointed out, technology is now a utility. But it is an increasingly complex one, where no one individual understands all the detail. This means the causes and effects of cyber risks are underestimated.
Another speaker, Dan Roberts, took us through some fascinating role play where in one session we role played staff at management level and C suite level executives in another. In both it became very clear that cyber security issues are unlikely to get the attention they need because everyone else, apart perhaps from risk managers and internal auditors, will be more concerned with operational matters, project delivery, maximising revenue and keeping costs down. Addressing security concerns costs money and takes time so many people won’t want to be bothered especially if other priorities are delayed. In our role play, no one was willing to delay operations to address security concerns. As a result, none of the teams agreed to deal with them. It is very easy to ignore a risk until it actually happens. Several of the participants reported having had similar experiences in real life.
Many organisations understandably have a culture of rewarding delivery – of getting things done. This is generally a good thing but not if it means that other important issues are not properly addressed. Such issues could include expressing concerns. CTOs and CIOs, like most managers, are unlikely to admit to failings or risks – unless they see this as a way of sharpening focus on their priorities or the ability to raise their budgets.
So what can be done? Perhaps the first and most important thing is to ensure that boards have sufficient buy-in to cyber security risk and genuinely own the issue. One possible approach is to make it clear that cyber risk could put the organisation out of business – and directors could suffer personally. This may focus people’s minds and enable proper resources to be applied.
Boards can be taken through a model of cyber risk with examples:
- Threats: from various actors, criminals, states, disaffected insiders.
- Vulnerabilities: unpatched systems, “bring your own device”, poor training and awareness, poor supplier change control systems.
- Exploits: phishing, Distributed Denial-Of-Service (DDOS), social engineering (i.e. getting people to talk about the security system).
- Outcome: fraud, reputational damage, IP.
Every director on a board should know who in the organisation is responsible for addressing cyber risk and ensure the board, and relevant committees such as the audit committee, give at least as much attention to cyber risk as they do to other key risks. They also must ensure they know which questions to ask, where they can get answers and make sure they can understand and, if necessary, challenge the answers they get.
In our final session we brainstormed how managers could get their boards more engaged on cyber risks:
- Create an awareness of the scope and scale of the threat; rate the organisation’s, and the board’s awareness of the threat.
- Ensure good training within the organisation, and at board level, about the threat and its mitigation.
- Build a roadmap for how the Chief Risk Officer (CRO) and others could persuade board members of the seriousness of cyber risk (ie it’s not a one-off); CROs to lead.
- Identify what information there is in the organisation and where and how it flows. Define information needs – who, why and how they will get it.
- Identify and assess the at-cyber-risk assets and targets.
- Explicitly define the cyber risk acceptance or tolerance level – and the “Crown Jewels” which need protection; set target risk as well as net risk and analyse the difference. Do this at a Board away day.
- Use a 2×2 box grid of impact and likelihood as a starter methodology for the risk ignorant then carry out SWOT analysis.
- Explore different scenarios of what might happen and how risk can be mitigated.
- Recognise that at some time the organisation will be hit by a cyber attack and so build a response plan.
- Consider if people properly understand the product or service business model and the risks to it and the associated information business model.
- Boards are reliant on having the right people in the organisation supporting them. Review if the right people are in place; do they understand the processes?
- Answer the Canadian CPA paper ’20 questions on cyber security‘.
Written by Paul Moxey, SAMI Fellow and Visiting Professor of Corporate Governance at London South Bank University and author of a textbook on corporate governance and risk management. He has chaired the CRSA (Culture, Control and Risk Self-assessment) Forum since 2000. He lectures widely and provides executive education and consulting support on governance, risk management, business ethics and culture. A former financial controller, company secretary and management consultant, from 2001 to early 2015 he was Head of Corporate Governance and Risk Management at ACCA where he was involved in governance developments across the world, including speaking at conferences and other events in five continents as well as a considerable amount of writing. His main work interest is in the behavioural aspects of governance and risk and his last major project at ACCA was to lead an ESRC funded international research study of corporate culture and behaviour.
The views expressed are those of the author(s) and not necessarily of SAMI Consulting.
SAMI Consulting was founded in 1989 by Shell and St Andrews University. They have undertaken scenario planning projects for a wide range of UK and international organisations. Their core skill is providing the link between futures research and strategy.
If you enjoyed this blog from SAMI Consulting, the home of scenario planning, please sign up for our monthly newsletter at firstname.lastname@example.org and/or browse our website at https://www.samiconsulting.co.uk