By Ashwin Ram, Evangelist, Office of the CTO, Check Point Software Technologies Australia & New Zealand
The latest report from the Office of the Australian Information Commissioner (OAIC) reveals a troubling trend that boards can no longer afford to ignore: 527 data breaches in just six months – an alarming nine per cent increase for the period of January to June 2024.
With high-profile brands such as Medibank, Optus, MediSecure and Latitude falling victim to cyber-attacks in recent years – and with penalties for data breaches significantly increasing – cyber resilience must take centre stage in boardroom discussions. Australian regulatory frameworks, such as APRA’s Prudential Standards CPS 234 and CPS 230, place significant emphasis on the accountability of Boards of Directors for effectively managing cyber risks.
In this challenging landscape, it is imperative for boards to actively drive cyber resilience across their organisations. A successful data breach can result in weeks if not months of intense media scrutiny, coupled with substantial unplanned costs, underscoring the need for proactive and robust cyber governance.
The reality is that many successful breaches are not the result of so-called sophisticated attacks, but of a failure to get the basics right; in other words, a lack of good cyber hygiene. In many conversations with cyber executives, it is obvious that one of their primary challenges is achieving the appropriate level of risk awareness and then securing the appropriate senior executive sponsorship for cyber security programs.
While risk management is fundamental to good corporate governance, it often feels as though addressing cyber risk requires some black magic before being taken seriously at the executive table. This is where boards can play a crucial role: ensuring senior executives give cyber risk the attention needed to keep it within the organisation’s risk appetite, or at least within acceptable tolerance levels.
According to consulting powerhouse PwC, “Cyber is a complex, technical area with emerging threats occurring almost weekly. Most board members are not cyber experts, yet boards have a fiduciary obligation to understand and oversee this significant risk.”
What can boards do to navigate the cyber minefield and steer their organisations towards cyber readiness?
In this article, I will share some key questions and considerations for boards, helping them drive cyber maturity by focusing on a robust risk management program and fostering a cyber-aware culture throughout the organisation, starting from the very top.
To achieve this, boards of directors should prioritise several key areas to drive cyber resilience, beginning with enhancing their own cyber literacy and demanding the implementation of robust cyber security governance. They should also request regular updates on the status of cyber risks to business-critical operations, customer data, intellectual property, and regulatory compliance.
Equally important are regular updates on risk assessments conducted specifically by third parties, along with updates on breach preparedness plans. While other areas are also essential, these priorities demand the board’s immediate attention.
Cyber Literacy
You can’t fix a problem you don’t understand. A critical question for boards, therefore, is, ‘Do we have cyber expertise within our ranks?’ While not every board member needs to be a cyber expert, cyber literacy across the board is essential. To accelerate this, boards may want to consider engaging external cyber advisors. Prioritising access to a cyber expert is vital to keep pace with current and emerging cyber threats.
Additionally, foundational knowledge, such as top attack vectors, recent successful cyber-attacks among peer organisations, and the factors that drive the financial impact of breaches, is indispensable. Board members can stay informed by regularly consulting trusted online publications focused on cyber threats and trends.
Another valuable approach is for board members to mentor cyber executives. This practice not only enhances the board’s understanding of the cyber landscape but also provides valuable insights and guidance to cyber security leaders, fostering mutual growth.
Cyber security governance
In many organisations, cyber security is still perceived as a technology issue rather than a critical business risk. To achieve true cyber resilience, this mindset must shift to recognise cyber risk as a business-wide concern, extending beyond IT departments. Driving this change requires organisations to align cyber security strategies with business objectives through the implementation of sound governance practices.
Boards play a pivotal role in this transformation by advocating for governance frameworks that enable business growth while prioritising cyber security. Effective governance ensures that cyber security strategies receive the backing of the C-suite and align with the organisation’s overarching strategic goals.
Establishing clear roles and responsibilities is equally important to empower cyber security teams to meet the needs of key stakeholders effectively. While these teams are tasked with implementing and managing cyber strategies, accountability must remain with senior executives. With strong governance in place, organisations are better equipped to navigate the complexities of the evolving cyber threat landscape.
Key Questions for Board Members to Consider:
- Does our organisation have a cyber security charter defining roles and responsibilities within the cyber security program?
- Have we established a cyber steering committee to oversee our cyber security efforts?
- Are all key stakeholders from critical business areas represented on the cyber steering committee?
- Is the cyber steering committee chaired by senior executives accountable for cyber security?
Regular updates on the status of cyber risks
With governance structures in place, boards must also ensure they are informed about the evolving risk landscape and the organisation’s current resilience status.
โThe effectiveness of risk management depends largely on the degree to which it is part of an enterpriseโs culture and the extent to which risk management becomes everyoneโs responsibilityโ. [1]
Threat actors have many different motives: financial gain, intelligence gathering, disruption, and destruction, to name a few. Understanding the different threats to your organisation and having a plan to minimise the risks to acceptable levels is the primary goal.
The primary goal of financially motivated threat actors is to exploit an organisation’s most critical assets and maximise profits from their malicious activities. To achieve this, they constantly evolve their attack tactics. Ransomware attacks, for instance, have evolved from double extortion (encrypting data and demanding a ransom) to triple extortion, where attackers also demand payments from the organisation’s customers. More recently, quadruple extortion has emerged, with threat actors threatening to disrupt the organisation’s critical internet-facing services if their demands are not met.
To drive cyber resilience and safeguard the organisation’s reputation, board members must request regular updates from cyber executives on the evolving threat landscape and preparedness strategies.
Key Questions to Consider:
- Does our organisation maintain an asset management system with an up-to-date inventory of all business-critical assets, customer data, and intellectual property?
- Are the owners of our business-critical and highly sensitive assets clearly identified, documented, and communicated?
- How quickly can we restore critical operations in the event of a cyber-attack?
- What due diligence measures are in place to mitigate risks during vendor onboarding?
- How can we, as the board, support efforts to enhance cyber resilience?
Risk Assessments
To continually reduce the risk of a serious cyber-attack, organisations must adopt sound risk management practices that involve regular review of risks. Regular risk review is important because risks change over time: what was an acceptable risk a year ago may no longer be acceptable today due to a changing threat landscape. In addition, countermeasures that have been implemented may not be working as planned, or may themselves have introduced new risks.
When implemented correctly, risk management processes not only help reduce the likelihood and impact of a risk event but also enable sound decision-making processes.
โThere are three distinct phases within risk assessment:
- Risk Identification
- Risk Analysis
- Risk Evaluation
The output of these three phases is the overarching risk assessment, which then can be used to inform risk treatment.” [1]
Boards can ask the following questions to ensure their organisation is effectively conducting risk assessments, prioritising risks, and mitigating them so that residual risk remains within the defined risk appetite or tolerance, that is, within the amount of risk the organisation is willing to accept.
- Is there a formal process for identifying, assessing, and evaluating cyber risks?
- Are regular risk assessments conducted on our most critical assets?
- Are cyber risks systematically included in the organisation’s risk register?
- Do we have an effective process to identify and manage supply chain risks?
- What are the most pressing risks requiring immediate attention?
- As risks evolve over time, do we have a process to re-evaluate and address previously accepted risks?
Breach preparedness
The Cost of a Data Breach Report 2024 by IBM noted that “By investing in response preparedness, organizations can help reduce the costly, disruptive effects of data breaches, support operational continuity and help preserve their relationships with customers, partners and other key stakeholders. Moreover, rehearsed response reassures employees and reduces stress, distress and friction internally as the acute stages of an attack are handled, controlled and communicated by a well-prepared leadership team”.
The 2024 Cost of a Data Breach Report revealed that organisations with an Incident Response team that regularly tested their response plans saved an average of USD $2.66 million in breach costs compared to those without such a team or preparedness testing. The average breach cost dropped from USD $5.92 million to USD $3.26 million, a substantial 58% reduction, highlighting the critical importance of proactive incident response planning and regular testing.
To ensure an effective incident response capability, boards should consider the following:
- Are our top executives, including the CEO and key business stakeholders, actively participating in regular tabletop exercises?
- Has our incident response playbook been validated by an external Incident Response Team?
- What were the main issues identified in previous tabletop exercises, and have they been addressed?
- Do we have access to a 24/7 external Incident Response Team with a proven track record of providing rapid assistance?
- Are our general counsel, HR, public relations, and other key stakeholders integrated into the incident response team, with clearly defined roles and responsibilities?
- Have we established a clear process for notifying relevant authorities and business partners in the event of a cyber-attack?
- Is there a process to document security incidents in compliance with legal and regulatory requirements?
- What metrics are we using to measure the maturity and effectiveness of our tabletop exercises and track improvements over time?
As penalties for breaches and their financial impacts rise, and as the threat landscape evolves, it is imperative that boards lead the charge in cyber readiness. By prioritising cyber literacy, governance, and proactive risk management underpinned by regular risk assessments, boards can safeguard their organisations against the digital storms of tomorrow.
Footnotes:
[1] ISACA, CISM Review Manual, 16th Edition, ISACA Publications, 2022.