The Board's Role in Cyber Security 2020
With almost every modern company relying on some form of internet-connected technology, cybersecurity has never been a higher priority. While some larger companies have taken steps to secure their systems, others are still severely lacking, treating cybersecurity as an “IT issue” rather than the business-wide risk that it is.
As the board is ultimately accountable for the governance of a company, it is its responsibility to treat the company’s cyber and data assets with the same care and attention it gives to physical assets. Research puts the average cost of a data breach at $3.92m, and that is before businesses factor in the cost of fines, compensation, and rebuilding their security.
So far in 2020, companies such as Zoom, Magellan Health, and even Twitter have been attacked. In response to a spike in cyber-attacks, the Australian Federal Government issued a statement warning of the increase and of the need for everyone to be prepared. In particular, businesses were told to take action to improve their cybersecurity.
Today, we take a look at the threats facing companies in 2020 and at the responsibility a company’s board of directors has for the company’s cybersecurity.
Key Terminology: Threat Actors
In cybersecurity, threat actors are the individuals, groups, organizations, or states that gain unauthorized access to networks and systems and exploit them for their own ends. As a group, they include hackers, cyber-terrorists, cyber-criminals, and state-sponsored groups.
Threat actors do not all share the same motivation. Research shows that roughly 71% of data breaches are financially motivated, but threat actors have also been known to attack networks out of revenge, and “hacktivist” threat actors break into networks to bring attention to a social or political cause.
Many governments classify threat actors into tiers according to their skills, resources, motivation, and level of sophistication.
White hat hackers are not considered threat actors: whatever methods they use to access a network or system, they do so with the owner’s authorization, because they are engaged to find security weaknesses before a real attacker does.
Business Cyber Security in 2020
Businesses are more interconnected than ever before. While the growth of Internet of Things (IoT) devices has helped companies become more efficient and generate more revenue, these devices have also opened more avenues for threat actors. A memorable example from 2019 was the finding that hackers had compromised smart home devices from both Google and Apple and used them to convince users to hand over personal data.
With this in mind, one of the greatest threats to business cybersecurity in 2020 is the IoT device, particularly given its growing popularity with Australian businesses. Each device is another endpoint on the network, and such devices are frequently deployed with default credentials and without any process for applying security updates.
In addition, as more workers than ever use the internet at work, phishing and social engineering attacks have been on the rise. Regardless of how well secured a company’s network is, these attacks exploit human weakness, using spoofed emails, websites, or login pages to harvest credentials and gain “legitimate” access to the network. Multi-factor authentication and a simple, blame-free process for reporting suspicious messages blunt much of this risk.
Legal Ramifications of Cyber Security Breaches
In recent years there has been a myriad of new laws, and amendments to old ones, to tackle the growing rate of cybercrime and to keep businesses and their customers safe. As the board of directors is responsible for the company meeting its legal obligations, it is vital that directors understand the ramifications of cybersecurity breaches.
Privacy Act 1988
In Australia, the Privacy Act 1988 was amended to add the Notifiable Data Breaches (NDB) scheme, which came into effect in February 2018 and applies to any organization or agency covered by the Act.
In short, if a company suspects that an eligible data breach may have occurred, it must promptly assess the circumstances (the scheme allows 30 days for this assessment). If it finds reasonable grounds to believe that an eligible data breach has occurred, it must notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable.
What is an Eligible Breach?
An eligible data breach occurs when the following three conditions are met. Note that the trigger is not limited to cyberattacks; the loss of personal information, such as a misplaced laptop or an unencrypted USB drive, counts as well:
- There is unauthorized access to, unauthorized disclosure of, or loss of personal information held by the entity,
- A reasonable person would conclude that this is likely to result in serious harm to any of the individuals to whom the information relates,
- The entity has not been able to prevent the likelihood of serious harm through remedial action.
In short, if a company suffers a breach of personal information and cannot remediate it quickly enough to prevent harm to the people whose data was compromised, it must notify those people and the OAIC.
What Happens if this Act is Breached?
Under this Act, the Information Commissioner has multiple enforcement powers that can be used should a company fail to meet its responsibilities. These include:
- Accepting and bringing proceedings to enforce an enforceable undertaking,
- Making and bringing proceedings to enforce a determination,
- Seeking an injunction to prevent ongoing activity or a reoccurrence,
- Applying to the court for a civil penalty order for a breach of a civil penalty provision, which includes a serious or repeated interference with privacy.
Corporations Act 2001
Under this Act, directors have a civil obligation to carry out their duties with the degree of care and diligence that a reasonable person would exercise if they were in the same position and facing the same circumstances.
With this in mind, directors can be held responsible for failing to act on a company’s cybersecurity. In a modern company, data is a key asset, and protecting the company’s assets is a director’s responsibility. A director who fails to ensure that the company’s cybersecurity is kept up to date, responds too late to a known data breach, or fails to respond at all may therefore be found in breach of this duty.
What Happens if this Act is Breached?
If a director acts dishonestly or recklessly, criminal proceedings can be brought against them under the Act. Otherwise, a director who breaches their duties faces civil remedies: under the Act, civil penalties, compensation orders, and disqualification from managing corporations; at general law, equitable compensation or rescission.
Why Should Cyber Security be a Top Priority for Directors?
With nearly every aspect of business being interconnected, it is vital that company boards treat the company’s data and other online assets with the same due diligence they apply to physical assets. In particular, the data a company handles should be treated like company finances, with the same protections and oversight as the organization’s banking.
Data is a valuable asset, which is why so many cybersecurity breaches in recent years have been financially motivated. Despite this, many directors do not know exactly where their company’s data is stored, who has access to which information, or what controls the company has in place to protect against breaches.
As laws such as the Privacy Act 1988 and the Corporations Act 2001 define the responsibilities directors have over a company’s data, company boards need to take responsibility for how the organization handles data as a whole; otherwise they can face significant repercussions under Australian law.
In addition, the way a board acts trickles down to the rest of the company. Because directors have the authority to push changes through the organization, a board that cares about cybersecurity drives not only technical changes but cultural ones.
How Can Boards Improve a Company’s Cyber Security?
Company directors are in the ideal position to enact change from the top, with more power than anyone else in the organization to create positive change. The following measures help directors take real responsibility for their company’s cybersecurity.
Cyber Security Training
Research shows that 67% of company boards have not undertaken cybersecurity or IT security training within the last twelve months. Technology develops quickly and threats develop with it, so it is vital that directors keep on top of emerging trends in both technology and cybersecurity threats.
Directors can also mandate cybersecurity training for the rest of the company, with particular attention to employees who work with computers or other network-connected devices.
Many companies still have a culture in which only employees who work directly with computers receive cybersecurity training, and only intermittently, which contributes to the alarming statistic that 34% of data breaches involve internal actors. Much of this comes from employees not being wary of phishing or scam attempts sent to internal email addresses, phone numbers, or other work contacts, so cybersecurity training needs to be pushed down through the whole company to see meaningful results.
Data Risk Assessment
A key part of handling company data is having a plan in case of a breach. While the Privacy Act 1988 outlines the steps a company must take if it suspects it has fallen victim to a data breach, many companies still act too late, exposing themselves to significant legal action.
With this in mind, company boards should maintain a risk assessment for their data, just as they do for any other company asset. It should be a regularly updated document detailing what data is held and how it is stored, which third-party companies have access to it, who within the company is responsible for handling it, and an action plan for responding to a breach. A plan that has never been rehearsed is rarely followed under pressure, so the action plan should be exercised, at least as a tabletop walk-through, on a regular schedule.
This risk assessment should be made available to everyone who handles data throughout the company, and, where appropriate, key data owners should be required to perform data risk assessments for their own areas of responsibility.
As discussed above, having the board take personal responsibility for cybersecurity at the highest level of the company has a significant cultural impact on other executives, managers, and employees.
Managing Company Reputation
Almost every modern company holds personal information about its employees, but some handle far more sensitive information than others. For instance, a company may hold medical records about its employees, process patient information, or keep highly private customer information.
While the effect on company reputation of the mandatory reporting introduced under the Privacy Act 1988 has not yet been studied, companies that have reported a data breach before it reached the news appear to have lost less reputation than those that were put on the defensive.
Company directors have a responsibility, not only to shareholders but also to employees, to manage the company’s reputation. Should that reputation sink, dividends and revenues will suffer, which can lead to job losses further down the line.
This is one of the major reasons why company boards should have a plan in place for a data breach. A pre-written press release, an agreed spokesperson, and a recovery plan are key to managing such a crisis. A significant data breach will undoubtedly affect the company’s reputation, but the damage can be mitigated by taking control of the situation.
Defining Cyber Security at a Company Board Level
The board’s role in cybersecurity should not be limited to setting policy. To understand how company policies will affect data security, boards must be trained to understand not only the value of data assets to the company’s revenue but also the consequences of breaches at the hands of threat actors.
The rapid pace of technological change means that data security and management practices change almost daily, and as technology evolves, so do the sophistication and resourcefulness of threat actors.
Directors need a clearer understanding of what data their company manages, who is responsible for managing it day to day, and which third parties have access to it. A wider view of the company’s data ecosystem gives directors a realistic picture of its security posture, and with the proper training in place they can start to implement policies that make company networks harder to breach.
Only once directors appreciate the value of data, its management, and its security to the company can they implement real change to protect against cyber attacks.