By Stephen Bonner, Partner, Information Protection
Audit committees have a critical role to play in ensuring that their organisations have robust cyber security defences.
Sir Iain Lobban, GCHQ, once said that business secrets are being stolen on an ‘industrial scale’ with 70 sophisticated cyber espionage operations a month against government and industry networks. Clearly, this is not an issue where a ‘wait-and-see’ approach is viable.
Governments around the world are increasingly aware of the growing importance of cyber security. In the UK, the government is keen for UK plc to improve cyber security defences, and the recent call for FTSE 350 companies to take part in a ‘cyber governance health check’ highlights the level of concern.
The reality of cyber crime
The reality is that all companies are an attractive proposition for cyber criminals. Hardly a day seems to go by without news of another corporate being attacked and the simple fact is that intellectual property is under systematic attack.
The aim is typically to cause reputational damage and promote a change in corporate strategy rather than to access financially valuable data or disrupt production.
And how often have you heard about malicious employees being vengeful towards their employer? The fear is that they may remove sensitive company information or introduce malicious software to corrupt company databases.
So what does good cyber security look like?
Getting the basics right is important, starting with technical security measures such as running anti-virus software or setting up firewalls to protect company networks. There is also the need to establish cyber incident management policies, and a broad user education and awareness campaign.
At the heart of cyber security is information risk management – understanding the organisation’s key information assets and managing the risks to those assets – a board level responsibility.
Programmes to improve cyber security must take a holistic view of security. It is a mistake to think of it as just a technical issue. Instead, an integrated approach to preparing for, protecting against, detecting and responding to cyber incidents is critical.
What should audit committees do?
The audit committee should test whether the company has:
- identified the critical information assets which it wishes to protect against cyber attack – the crown jewels of the firm – whether financial data, operational data, employee data, customer data or intellectual property
- processes in place to understand the threat to the company’s assets
- a way of identifying and agreeing the level of risk of cyber attack that the company is prepared to tolerate
- controls in place to detect and respond to a cyber attack
- a means of monitoring the effectiveness of its cyber security controls, including, where appropriate, independently testing, reviewing and assuring such controls
- a programme of continuous improvement, or where needed, transformation, to match the changing cyber threat – with appropriate performance indicators
It’s easy to see cyber security as an issue for the techies – but that’s the wrong approach. To succeed, the Board, the audit committee and the C-suite need to work closely with their IT and security teams to understand the real risks to the business. Surveys suggest more than 10 percent of IT budgets are now spent on cyber security; I doubt this figure will reduce, meaning Boards and their audit committees are right to demand clarity on what the investment is delivering.