PRINCIPLES FOR BOARDS IN OVERSEEING CYBER RISK MANAGEMENT
As well as providing tremendous opportunities, the digital age brings numerous significant risks – the loss of intellectual property, the theft of customer data, fraud, reputational damage, disruption to critical infrastructure, and legal and regulatory sanctions, to name a few.
Many companies – especially SMEs – still believe that they are too insignificant to be the target of cyber attacks. This is completely wrong. In fact, most cyber attacks target smaller organisations precisely because they have fewer security resources.
In addition to being targets in their own right, SMEs may also be an attack vector into the larger companies with which they do business. Unfortunately, boards too often shy away from cyber issues, regarding them as ‘voodoo magic’, accessible only to technology experts.
We have to break through this mindset and approach cyber just like any other enterprise risk management issue. That means addressing it from a strategic, cross-departmental and economic perspective. The board may well require some expert technical inputs, but so does the management of business risks relating to tax, for example.
Boards of directors must ensure that their management has the appropriate tight grip on cyber threat management. To do this effectively, they need to follow four principles.
Apr-Jun 2016 Issue
Internet Security Alliance (ISA)