Cyber risk questions the Board needs to ask about COVID-19

Cyber risk questions the Board needs to ask about COVID-19

Thanks to COVID-19, boards have many new challenges and risks to tackle right now.  Unfortunately, one of their main pre-crisis worries has just shot up the stress scale.  Even before the crisis, it was hard for boards to know how best to deal with cyber risk.  Now, with many people working from home, the risks are likely to have increased, possibly hugely.  In the old days (remember those?) employees generally operated within controlled environments and networks and in line with security protocols.

Now it’s mostly about using multiple devices in less secure places – and that’s opened up crevices in the cyber security landscapes for many organisations.  The risks are huge –  which makes it a board issue, not just an operational challenge.  So there are a raft of new questions that boards need to be asking management to get assurance that the risks are minimised or there’s at least a plan being put in place to close the gaps.  Working with our expert partners, Cobweb Cyber, we’ve put together guidance for boards suggesting the practices they should adopt – and what they need to avoid.  We have also produced a handy checklist of handy cyber risk questions boards need to ask.

Good practices to consider…

Ask what the new exposures look like and assess their scale and scope in your own organization.  Does IT know who is using which devices?  Are patches fully up to date?  Are the physical environments secure?  How far are laptops and other devices encrypted?  Are home PC and device security settings in line with corporate standards?  What exposures are introduced by use of home routers? And what level of confidential discussions and data transfer is happening through the various media?  And that’s just part of it.  Boards don’t need to know the detail – but they do need to work out with management what level of mitigation and assurance is acceptable, and over what time frame.

Things to avoid…

Assuming that good practices and training for working from home have previously been in place. This is highly unlikely.  It might have been the case for regular homeworkers in organisations with top class IT security functions.  But how far is that covering all those many, many others who have found themselves with no choice but to use what they have?  And even with good controls and a strong risk awareness, new risks need new levels of caution.  This isn’t a time to be taking things for granted.  To understand how far things are under control, you’ll probably need to get the Chief Security Officer or CTO into the room.

Good practices to consider…

Know how the external threats have changed.  There are the usual criminal actors looking for opportunities for DDOS attacks or hacks in order to obtain data or simply cause reputational harm.  But now there are many more points of entry.  You should be asking how the external landscape has changed (it’s got a lot worse), and how far the usual protections and mitigants are coping in response.  Has the net risk exposure been minimized in a convincing way?

Things to avoid…

Assuming that the pre-crisis cyber risk response is still adequate to meet the new threat levels.  For example, your staff might know to avoid phishing emails, but hackers are seeing great opportunities as people are tempted to open emails providing news and guidance on COVID-19.  Even the tightest of organisations needs to refresh its people’s awareness, simply because hackers are quickly detecting new ways in, raising the potential scale of attacks.

Good practices to consider…

Understand how the organisational systems and resource threats have changed.  Are internal systems and resources overloaded?  Is this leading to short cuts – and, if that’s unavoidable, is triage being applied to reduce the risks?  Do past constraints on budgets need to be released in order to enable immediate risk responses (eg providing new devices and new software)?  Only those who were 100% on top of their game can afford  to adopt a business-as-usual approach to systems and resources.

Things to avoid…

Allowing management to carry on managing resources in the same old way even though the game’s changed.  In the same way the government has had to open the financial floodgates to manage the risk, boards might need to make sure that management is not putting the organisation at major risk by allowing constraints or unwieldy approval procedures to get in the way.  Sometimes there isn’t much that can be done.  But be sure you aren’t managing relatively minor risks at the expense of much bigger ones.

Good practices to consider…

Keep a keen eye on the people threats. Are the internal human stresses of threatened – or actual – redundancy, lower pay or the mental anxieties arising from isolation or family pressures increasing the risk of attacks from insiders?  Or the risk of fraud-related hacking?  And when thinking about this, do remember that readers of this bulletin are probably in better physical circumstances than most staff, many of whom will have little privacy and no way to escape.

Things to avoid…

Failing to think through the human consequences of where we are and how these have changed the cyber risks.  The threat from insiders is an old one – but from a tiny number who were previously constrained by internal security measures and physical oversight.  Now the numbers have changed – whether it’s intended actions from the disgruntled, or misguided behaviour from those suffering emotional anguish.  Boards need to understand how management is assessing the behavioural angle and not just assume that the old methods of control remain sufficient.

Good practices to consider…

Know how the domestic (working from home) threats have changed. We have given some examples already – but the list goes well beyond the “logical” risks (those relating to systems and software). Often it will be physical: who is working on confidential or personal data in a shared house? Are housemates or family accidentally (or intentionally) becoming insiders through leaky walls, shared spaces or uncontrolled access? How are GDPR-related standards being maintained? Are PCs logging off automatically – or being logged off if left alone? The list is long. Boards don’t need to go through it – but they do need to be confident that management has.

Things to avoid…

Thinking narrowly. Yes, the systems are important, but the required solutions are known (patching, two-factor authentication, VPN use, etc) and can be policed remotely. It’s the physical ones that are tough to tackle – they will be near-impossible to police remotely. More than anything else, it requires individual staff members to take responsibility by acting in a very disciplined way. It will often come down to culture – and that’s certainly an area boards should be asking about.

Good practices to consider…

Be clear on who at senior management level is responsible for the various developing risks.

Things to avoid…

Assuming this all falls to the CTO and IT department. They may understand that it’s up to them to tackle the systems-related risks. But what about the softer behavioural and working-from-home risks? Accountabilities need to be clear. This means that the CEO needs to set out for the Board who is responsible for what, and this needs to be aligned with the updated risk profile.

Good practices to consider…

Understand the communication strategy. A lot of the risk management will come down to making everybody aware of the risks and what they need to do personally to manage them.

Things to avoid…

Just relying on assurances that things are covered by the IT Policy. That’s something everybody is supposed to have received and read – but as we all know, that doesn’t necessarily get us very far… Even if it is easy to find (quite a big if), it almost certainly won’t do justice to the new state of affairs. The Board Audit/Risk Committee can’t avoid getting into the detail on this one – they need to take a look to make sure management has covered the ground and communicated in a clear and understandable way. If the NEDs can’t understand what’s required, what chance does everyone else have?

Good practices to consider…

Show leadership.  That means the Chair and the Chief Executive telling the organisation how serious this is, and pointing to where people can find help.  And the Board should be leading by example, putting out the message about what steps they have taken – collectively and as individuals taking personal responsibility – to keep the organisation as safe as possible.

Things to avoid…

Going silent at the top level.  It’s obvious that, in a time of crisis, very visible leadership from the top is essential.  Most of the time, of course, that’s up to the Executive.  But in some areas – ethics, cyber security, confidentiality – some visible leadership from the directors can help hammer the message home.

Good practices to consider…

Set an example (a good one, obviously!).  That means understanding the risks around virtual board meetings – and showing management that you’re taking them very seriously.

Things to avoid…

Putting on the pressure in the board meeting without having solid ground to stand on.  Better to work out a way of explaining how the directors have taken personal and individual responsibility by working with IT to take immediate action to close any gaps.

Download This Post

To download a PDF of this post, please enter your email address into the form below and we will send it to you straight away.



Ready to speak to a board evaluation specialist?

Learn how we help boards to become more effective and have a bigger impact on strategic performance.