Companies all over the world are facing a wide range of cyber threats and Malta is no exception. The confidentiality, integrity and availability of sensitive information are all at risk. Adversaries include governments, criminal groups and hackers, each with their own agenda. Their aims may include stealing intelligence and intellectual property, siphoning off money, political spying and even operational disruptions for fun. And yet, according to a recent EY Global Information Security Survey, the disparity between accelerating cyber threats and organisations’ responses is growing at an exponential rate.

The majority of companies (51%) in this study say that business continuity is the number-one information risk they face. But nearly half of them (46%) believe that their vulnerabilities are increasing. Most revealingly, more than three of every four companies believe that there has been a surge in external attacks.

This scenario calls for a new approach. The attackers’ increasing cyber-savvy requires a rethink of defence strategies. Efforts to keep adversaries out of IT systems – such as firewalls – remain important but they are just the starting point. Companies should assume that some attacks will breach these barricades and therefore more robust protection is needed. They should establish comprehensive, in-depth defences and prioritise the organisation’s efforts so that truly critical information is more likely to remain safe. They also need to implement real-time monitoring to detect and respond to attacks. This might require the board or audit committee to develop a much better understanding of which information assets are critical, who might want to launch an attack, which business risks might be triggered by a security breach and what defensive capabilities and options are available.

Security always has a context. Actions to deal with this growing threat need to be balanced against the company’s other objectives – such as the pursuit of profitability and the desire to collaborate across national and business boundaries. A company which becomes a cyber fortress cannot prosper.

For many directors, this level of involvement in cyber security entails a paradigm shift. This is the case in Europe and, particularly, Malta. Boards in the US already tend to be more engaged in the battle with cyber threats.

Board directors without specialist IT knowledge can sometimes be reluctant to debate risks related to cyber security. But, as this problem festers, the need for their high-level involvement can no longer be staved off. The ability of board members to hold management accountable for developing and executing a sound, rapid-response strategy can make the all-important difference.

Audit committee members have an important role in this regard. They often have the key responsibility for oversight of cyber risks integrated with their remit to oversee risk management in general. They should treat cyber security just as they would any other significant, growing threat. Technical knowledge – or perceived lack of it – should not be a barrier. As with other complex and fast-changing areas of risk, they should seek to tap into internal and external expertise.

Some questions that audit committees and boards should be asking might include the following:

• What are our most significant cyber-security risks?

• What strategies do we have in place to secure our operations?

• Who is our lead executive on cyber-security issues and what reporting line do they have to the audit committee?

• How do we build IT expertise within the committee?

There surely is an immediate need for action, and boards and audit committees must prioritise cyber security in their agenda setting. It is the only way to surf the cyber waves smoothly rather than be engulfed by them.

Anthony Doublet is a partner at EY.
