The Significance of Cyber Resilience
Companies and organisations have grown rapidly as a result of digitization, and e-commerce has been increasingly adopted. Company activities are now transacted with a click of the mouse, so transactions that once took a long time are completed in a day or a few days, and companies and organisations are recording higher profit margins in return. The positive, transformative nature of e-commerce cannot be underestimated.
However, digitalization also poses new threats to companies, which need to be addressed. Companies that have embraced e-commerce and other internet activities in their business operations are now under relentless cyber attack by hackers and other malicious entities. According to Grant Thornton, cyber risk encompasses a number of issues that may hinder an organisation as a result of its internet activities. Cyber risks are dynamic and grow as a company's internet activities grow. These risks include, but are not limited to: intellectual property theft; reputational damage; crypto-locker attacks; data breach; downtime; privacy infringement; hacking; damage to infrastructure; fraud; financial loss; and SLA breach (Grant Thornton Australia | Audit, Tax and Advisory, 2017). The risks are not a blanket phenomenon applying equally to all companies but present themselves according to the line of business a company runs. A financial institution such as a bank or an insurance company is at greater risk of financial loss through cyber activities than other businesses are.
It is significant that cyber attacks are an international concern; the World Economic Forum has rated cyber risk among the top 10 risks that a company faces (Grant Thornton Australia | Audit, Tax and Advisory, 2017). It is therefore imperative that approaches are put in place and that cyber resilience plans are clearly defined to guard businesses against the risks associated with e-commerce and other internet activities.
Cyber resilience can only be achieved when the leadership of an organisation sets its mind to it, strategizes and commits itself to seeing that the strategy works in fighting the cyber risks to which the organisation is and may be exposed (World Economic Forum’s System Initiative on the Digital Economy and Society, 2017). The leadership of the company is the Board of Directors. The Board of Directors plays the pivotal role in the operations of any company and is charged with the duty of recognising and managing the company's risks (ASX, Principle 7). Cyber risk, just like any other risk, is one that the Board must recognise and manage with the aim of achieving cyber resilience in the company. To achieve this resilience, the Board must adopt the principles and tools that the World Economic Forum has researched and reported to be the road map to cyber resilience in any organisation. The Board principles and tools for achieving cyber resilience set out by the World Economic Forum are the premise of the discussion and recommendations in this report.
The Role of the Board in Cyber Resilience
As mentioned earlier, cyber risk is a growing threat to businesses that, if not addressed with the urgency and seriousness required, may bring a business down. The Board of Directors of every company is therefore called upon to rise to its duty of recognising this risk and coming up with ways of managing it at all levels of the business. How the Board approaches and manages this risk determines whether the company will achieve cyber resilience and to what extent. The established principles for achieving cyber resilience apply to all boards and, when incorporated into board operations, lead to better cyber risk management (Biener, Eling and Wirfs 2015).
Cyber risk management, and ultimately resilience, can only become a reality if the Board of Directors makes a deliberate decision to deal with the cyber risks to which the company is or will be exposed.
This means that the Board must bring each of its members up to speed on the need to manage cyber risks, and must make this endeavour one of its core objectives, revisited at every meeting. To achieve this, the Board, depending on its size, may appoint a few members to form a Cyber Risk Management Committee or constitute the entire board as that committee. The members of the Cyber Risk Committee must be persons who devote their time and energy to dealing with the cyber risks that present themselves, and are likely to present themselves, to the company. This also requires that the Cyber Risk Management Committee include experts or persons with some cyber skills. The chairperson of the Cyber Risk Committee should be well versed in cyber risk and security strategy (Andress and Winterfeld 2013). The committee is tasked with assessing the cyber risk to the company and the company's level of preparedness to handle current and future cyber risks, and with setting out the plan and strategies for achieving cyber resilience in the company.
The full Board, however, supervises each committee formed to deal with cyber risk management, and the committees must report to the Board at each board meeting. There have been reports of an increasing type of cyber attack called ‘ransomware’. This holds an organisation's encrypted data hostage until payment is made as demanded by the attacker. Such an attack can be prevented by restricting users' installation of applications, as set out in the NACD Cyber Risk Oversight Guide. Only the Board, through its resolutions and its committees, can look into such restrictions and pass resolutions to that effect. Further, it is the Board that, through management, can direct that all data be backed up in secure formats (Corpgov.law.harvard.edu, 2017).
Principles and Tools to Achieve Cyber Resilience
The threat of cyber attacks on companies cannot be ignored and is not only the concern of the few board members appointed to the Cyber Risk Management Committee. It is the concern of every member of the Board, and therefore every board member must, on appointment, be oriented on the cyber risks to which the company is and may be exposed. The orientation is aimed at giving each director a general understanding of cyber security, the risks the company is exposed to, current and emerging trends in cyber risk, the strategies put in place to curb those risks, and the ways in which resilience may be maintained and improved at the company level. Further, periodic training by an expert is important to bring the Board up to speed on the state of cyber security and on risks of which they may be unaware. In these training sessions the experts may give their independent expert audit of the resilience plan adopted by the company (Sridhar, Hahn and Govindarasu 2012).
The Board on its own may be inadequate to manage cyber attacks. There is therefore a need for a corporate officer who is learned and has the requisite skills in cyber risk management. The officer plays an accountability role in cyber risk management. Being an appointee of the Board, the officer is tasked with reporting to the Board on the company's cyber resilience capability and on its status in achieving its cyber resilience goals. This officer must be accorded the authority to work on behalf of the Board and to interact with the company's management in discharging those duties. The Board must see to it that the officer has the right budgetary allocation to carry out those duties and has open access to both the Board and management. A case is reported of an American bank where an administrator deleted virtual machines, crippling the credit card operations and other vital departments of the bank for a day. Such incidents can easily be avoided where there is an expert who handles IT and cyber-related matters and backs up the company's records periodically to avoid such data loss (Corpgov.law.harvard.edu, 2017).
Communication and Ownership of Cyber Resilience
To effectively attain cyber resilience in any company, the need for it must be communicated to, and owned by, each and every department of the company. The Board has a mandate to bring awareness among the different levels of the company's management of the cyber risks to which the company is and may be exposed, of the need to attain resilience, and of the strategies put in place to attain it. This means that cyber resilience must be integrated into the objects of the business and given the attention and seriousness it requires. Further, management must maintain constant awareness of the cyber risks the company faces and have the different levels of management deal with the risks involved. This includes appointing sub-managers in charge of cyber risk management in every section and managerial class (Sense of Security, 2017).
Board Responsibilities in Cyber Risk Management
The company, like any other business, has a given capacity to take risks. The Board of Directors determines the level of risk, including cyber risk, that the company is able to take without adversely affecting its business operations and production (Mukhopadhyay et al. 2013). To reach this decision the Board relies on the report of the accountability corporate officer and on reports from other entities, including other businesses' strategies and recommendations for dealing with similar risks. The reports and advice of the accountability officer give the Board the road map for decisions on acquisitions, mergers, adoption of new technologies and systems, and many other matters. In assessing the risk to determine the company's risk appetite, the Board needs to consider the company's objectives before exposing itself to such risks.
The Board takes on a supervisory role over management in considering the cyber risks and warnings facing the organisation. The Board needs to understand the risks on the ground and come up with ways to check them. It is therefore the Board's responsibility to ensure that it and management are in agreement on suppressing and addressing cyber risks, now and in the future.
In upholding its responsibility for cyber resilience, the Board must ensure that the accountability officer is fully assisted by management in producing, implementing, testing and improving the organisation's cyber resilience objectives. The Board needs to be informed at every step of what is taking place on the ground in building the cyber resilience structure, and that the necessary support is being given to the executive in charge at every level of management in the organisation.
It is also the Board's responsibility to encourage management to work together with the organisation's stakeholders to ensure that all systems in place and in use are cyber resilient. It is not enough for a company to rely on a one-time approach. Consequently, the Board must review its strategy annually. This evaluation should be guided by an independent third party and submitted to the Board for its approval. The independent third party critically evaluates past, present and future challenges and guides the Board on what might work for the organisation and what steps are to be taken to attain cyber resilience.
The Need for a Corporate Officer
In carrying out its role, the Board of Directors reviews its performance from time to time with respect to implementation of the set policies and principles. Upon review, the Board may recommend better ways to action the cyber resilience plan. The Board may also invite independent expert audits of its cyber risk management and seek recommendations for further action (Grant Thornton Australia | Audit, Tax and Advisory, 2017).
A good example is the well-known internet company Yahoo, which suffered a data breach in 2014 that was linked to a state-sponsored hacker. It is reported that over 500 million user accounts were affected, yet the organisation's cyber security staff knew of this intrusion earlier but took no action. Presently, the organisation, which was taken over by Verizon, has adopted a powerful cyber security committee with internal mechanisms to prevent any breaches in the future.
LinkedIn, an online social networking company, was hacked in 2012; the breach was reported to have exposed 6.5 million user passwords and e-mails, and is now believed to have affected over 167 million users. The company is currently strengthening its cyber resilience by employing the recommended strategies. Lastly, Sony’s PlayStation Network was hacked in 2011, and more than 77 million PlayStation Network accounts were affected. The hackers accessed names, addresses, purchase history and credit card numbers. Sony has since updated its IT security and is now applying security controls consistently across the company to avoid further serious breaches, which result in lawsuits.
Having outlined the propositions to be embraced by the Board in attaining cyber resilience, the Board should therefore start by conducting an orientation for all board members on the risks that present themselves to the company and those likely to present themselves in the near future. In addition, training and seminars must be incorporated, and the strategies reviewed regularly to close any gaps.
Conclusion
Cyber security is essential in every company to ensure the safety and reliability of its prime assets. Important decisions should be made by the Board in discussion with management and all employees to ensure efficient execution of the policies to be used. Moreover, a skilled and educated workforce in the IT sector should be a priority in any company, to further strong and continuous cyber resilience for the development and posterity of the organisation.
References:
Andress, J. and Winterfeld, S., 2013. Cyber warfare: techniques, tactics and tools for security practitioners. Elsevier.
Asic.gov.au. (2017). Cyber resilience | ASIC – Australian Securities and Investments Commission. [online] Available at: https://asic.gov.au/regulatory-resources/digital-transformation/cyber-resilience [Accessed 6 Sep. 2017].
Biener, C., Eling, M. and Wirfs, J.H., 2015. Insurability of cyber risk: An empirical analysis. The Geneva Papers on Risk and Insurance Issues and Practice, 40(1), pp.131-158.
Bodeau, D. and Graubart, R., 2016. Cyber Resilience Metrics: Key Observations.
Bodeau, D. and Graubart, R., 2017. Cyber Resiliency Design Principles.
Corpgov.law.harvard.edu. (2017). A Strategic Cyber-Roadmap for the Board. [online] Available at: https://corpgov.law.harvard.edu/2017/01/12/a-strategic-cyber-roadmap-for-the-board [Accessed 7 Sep. 2017].
Ctmfile.com. (2017). Cybersecurity performance can be managed, but only if measured. [online] Available at: https://ctmfile.com/story/cybersecurity-performance-can-be-managed-but-only-if-measured [Accessed 6 Sep. 2017].
Feltham, M., 2017. Three things you need to know about cyber security and some recent regulatory changes in Australia trends and special topics. Governance Directions, 69(3), p.152.
George, T., 2017. How to use the world economic forum’s cyber security principles. Risk Management, 64(5), pp.33-34.
Grant Thornton Australia | Audit, Tax and Advisory. (2017). How to be cyber secure. [online] Available at: https://www.grantthornton.com.au/insights/publications/how-to-be-cyber-secure-a-practical-guide-for-australias-mid-size-businesses/ [Accessed 6 Sep. 2017].
New Net Technologies. (2017). Best Practice Guide Offers Security Advice to Boards of Directors. [online] Available at: https://www.newnettechnologies.com/best-practice-guide-offers-security-advice-to-boards-of-directors.html [Accessed 7 Sep. 2017].
Ingram, M. and Martin, M., 2017. Guide to Cyber Security, Resilience, and Reliability for Small and Under-Resourced Utilities (No. NREL/TP-5C00-67669). National Renewable Energy Lab. (NREL), Golden, CO (United States).
Joiner, K.F., 2017. How Australia can catch up to US cyber resilience by understanding that cyber survivability test and evaluation drives defense investment. Information Security Journal: A Global Perspective, 26(2), pp.74-84.
Kopp, E., Kaffenberger, L. and Wilson, C., 2017. Cyber Risk, Market Failures, and Financial Stability. IMF Working Papers: Cyber Risk, Market Failures, and Financial Stability, 17(185).
Kumar, P.S., Emfinger, W. and Karsai, G., 2015, October. A testbed to simulate and analyze resilient cyber-physical systems. In Rapid System Prototyping (RSP), 2015 International Symposium on (pp. 97-103). IEEE.
Mukhopadhyay, A., Chatterjee, S., Saha, D., Mahanti, A. and Sadhukhan, S.K., 2013. Cyber-risk decision models: To insure IT or not? Decision Support Systems, 56, pp.11-26.
Page, J., Kaur, M. and Waters, E., 2017. Directors’ liability survey: Cyber attacks and data loss—a growing concern. Journal of Data Protection & Privacy, 1(2), pp.173-182.
Pmc.gov.au. (2017). Cyber Resilience Taskforce: a cyber security sprint | Department of the Prime Minister and Cabinet. [online] Available at: https://www.pmc.gov.au/news-centre/cyber-security/cyber-resilience-taskforce-cyber-security-sprint [Accessed 6 Sep. 2017].
Rogers, R., Apeh, E. and Richardson, C.J., 2016, December. Resilience of the Internet of Things (IoT) from an Information Assurance (IA) perspective. In Software, Knowledge, Information Management & Applications (SKIMA), 2016 10th International Conference on (pp. 110-115). IEEE.
Sense of Security. (2017). Australia’s first ASX 100 Cyber Health Check – Sense of Security. [online] Available at: https://www.senseofsecurity.com.au/australias-first-asx-100-cyber-health-check/ [Accessed 7 Sep. 2017].
Sridhar, S., Hahn, A. and Govindarasu, M., 2012. Cyber–physical system security for the electric power grid. Proceedings of the IEEE, 100(1), pp.210-224.
Stuart, D., 2016. Defence strategy. Company Director, 32(2), p.38.
World Economic Forum’s System Initiative on the Digital Economy and Society (2017). Advancing Cyber Resilience: Principles and Tools for Boards. World Economic Forum.