Some basic questions Board Directors can ask about cybersecurity (2013)

Every business is now, in effect, an IT company, and we are all ever more interconnected. Cyber-attacks are becoming more widespread and destructive, and strengthened Privacy Laws with heftier penalties came into effect in March, 2014.

Effective cyber security governance, then, is a critical component of any adequate, let alone good, corporate governance. Cyber security is a risk board directors own, and in this economic climate we need to be able to justify our cyber security spend.

There is no single or bullet-proof solution to cyber security. It is a risk to be managed. The key issue for board directors is to understand the nature of the risk, identify how it relates to their businesses, and ask the right questions of their executive, suppliers and team to ensure it is being managed effectively.

Cyber security – the current state of play

The landscape of cyber threats and vulnerabilities is complex and changing. Here are some of the issues to understand:

1/ Powerful cyber weapons are being used by some nation states directly to attack foreign citizens and organisations. They may also sponsor other attackers such as organised criminals and hacktivists.

2/ These and other cyber weapons, along with information about vulnerable businesses, are proliferating and being professionally traded on the internet with helpful how-to’s and expertise for hire.

3/ Businesses are either a) specifically and persistently targeted, or b) opportunistically breached because of a common vulnerability in their technology.

4/ The first few steps in a cyber-attack are often similar and can bypass traditional (and still important) cyber security measures, such as firewalls, encryption and antivirus:


5/ Because an organisation is closely interconnected with its supply chain and customer base, it is only as secure as its weakest link.

6/ Motivated attackers research these weak links using social media and information stolen in other breaches to reach their targets.

7/ A seemingly benign file or record may become important to an attacker using Big Data technologies that provide relevance and meaning to information in the aggregate. 

Balancing cyber security risk with business performance

Cyber security measures need to be balanced with the performance of the business and how important the data is. The more secure the data, the more limited the systems’ usability.


However, we don’t want to stifle business performance or innovation. Neither do we want to be breached, have our information stolen, hurt the business’s reputation or go out of business. Like securing any other belonging, cyber security risk management needs to be contextual.

Some questions for Boards to raise

  • What data (information) do we have?
  • What would be the consequence of it being stolen or unavailable?
  • Where is it?
  • Who has access to it?
  • Do they need that access?
  • Are we comfortable that the nation state hosting our data has our best interests at heart?

Note that a foreign government may have lawful access to your data without your knowledge if it is stored or transmitted by a foreign company and/or in a foreign location.

The risk of a successful attack may be reduced

There are a number of measures that may reduce cyber security risk by around 80-85% in an opportunistic attack, as described by the Australian Signals Directorate. These are primarily aimed at preventing malware from being effective and spreading.

Think of it like a flu shot. For systems holding important data, and for those accessing them, there will need to be a clear justification for any of these measures not being implemented; for data of lesser consequence, there may be a reasonable justification for the measures not being implemented, or not implemented in full.

Some questions for Boards to raise

  • Do we have an accurate and up-to-date hardware and software register?
  • Is the latest version of software installed and up to date?
  • Is all other software prevented from running?
  • Do we limit what people can do on machines and systems to what they need to perform their role?
  • What is our justification for not implementing any of these measures?
  • Is our supply chain doing the same?

The risk of an attack can be managed (but not removed)

Just like physical security, if someone really wants to get at you – they will. The key to this is stemming the bleed as measured by things like “time to detection” of a breach, “time to recover” after a breach, and “resilience” – the ability to continue operating despite a cyber-attack.

Some questions for Boards to raise

  • Is there a way for the government or anyone with a cyber security concern to contact us?
  • How long does, or would, it take for us to detect a breach?
  • How long does, or would, it take for us to remedy a breach?
  • Can our business continue to operate despite a cyber-attack?

Dr Sally Ernst | UK and Australian Cyber Security Networks | @DrSallyErnst
