October 2023 marks the 20th iteration of Cyber Security Awareness Month, an annual initiative aimed at highlighting the ever-growing importance of cyber security in our increasingly connected world. This year’s theme is ‘Be cyber wise – don’t compromise’, a concept which is of particular significance at board level.
In the digital age in which we live, where information flows freely and the boundaries between physical and virtual realms blur, the importance of robust cyber security practices cannot be overstated. As businesses of all sizes navigate a constantly evolving landscape, ensuring sound cyber security at board level is not just a matter of compliance, but a fundamental necessity for safeguarding data, privacy and the integrity of organisations in the face of escalating cyber threats.
As we acknowledge Cyber Security Awareness Month, it is vital to underscore the critical role board members play in steering their organisations towards cyber resilience, fostering a culture of cyber security and embracing proactive measures to protect against the ever-persistent cyber risks that threaten our national and economic security.
Here, we revisit a series of cyber security tips we originally outlined in 2022.
- Treat cyber safety in a similar way to workplace health and safety (WH&S) – safeguarding against cyber threats is a people issue as much as it is a technology issue.
- Alternate between WH&S and cyber safety ‘shares’ (a brief account of a recent incident, near miss or lesson learned) at the outset of each board meeting.
- Understand what information security culture your organisation promotes. For example, are staff encouraged to report when they might have experienced a cyber security breach, such as clicking on a suspicious link in an email?
- Require all directors to have a base level of digital and technological literacy as part of fulfilling their duties of reasonable care and diligence.
- Ensure your board understands the organisation’s key cyber vulnerabilities, including those introduced by third-party suppliers and service providers within your supply chains.
- Articulate a clear and granular cyber risk appetite – that is, what are the critical information assets that your organisation must protect? This risk appetite should be informed by relevant stakeholder expectations and regulatory frameworks.
- Use a recognised cyber maturity framework (for example, the ACSC Essential Eight Maturity Model) to provide a consistent point of reference and common language between the board and management.
- Define collectively what information and insights the board needs to receive in a regular cyber posture report.
- Ensure the board receives regular reports on assurance and other third-party testing of the integrity of the organisation’s IT systems and processes.
- Be satisfied that your organisation has the right resources (financial and people) to support the cyber security function.
- Ensure that everyone views cyber security as part of their role – and not a function left to the CISO and their team.
- Monitor the well-being of those in the demanding and high-pressure cyber roles, as part of the organisation’s WH&S responsibilities.
- Be satisfied there are cyber response, business continuity and disaster recovery plans in place in relation to cyber events. This should include ‘playbooks’ such as for ransomware, a communications and media plan in case of a breach, and established relationships with key parties to support the organisation through such an event.
- Ensure the board is involved in scenario exercises regarding a cyber-attack and has considered what role individual directors and the board as a collective will play in such an event.
- Seek assurance that the management team possesses the right cyber capabilities, and the board has set clear responsibilities for management to which they are held to account.
- Ensure the board understands the extent to which their organisation is able to insure against its cyber risks and the conditions of that insurance (including systems, training, deductibles and exclusions).
- Receive regular board briefings on new developments in information security areas including privacy, AI governance and robotics.
- Require directors to keep their knowledge of cyber security up to date – their personal cyber habits carry over into how they, and the board as a whole, handle board business.
- Require directors to use secure email accounts for discussing and transacting board business – that is, organisation-issued accounts protected by multi-factor authentication rather than personal webmail.
- Ensure the board has approved a formal retention, archival and destruction procedure for board papers and other highly confidential information, and that all such papers are stored only on a secure board portal rather than circulated as email attachments.
Directors Australia works with the boards of publicly listed, government, private, APRA-regulated and not-for-profit organisations across all sectors and industries Australia-wide to achieve real, ‘best fit’ corporate governance appropriate to the organisation’s nature, and thus enhance board and organisational performance.
We provide board and governance advisory services to a wide range of boards across Australia. For further information on any of the above tips or if your board is seeking ways to bolster its approach to cyber security, contact us here.
Kerryn Newton
Chief Executive Officer