The advice is out there
Director advisory organisations from around the world have been singing from the same hymn sheet for several years – cyber risk is a key element of enterprise risk:
“Guidelines from the National Association for Corporate Directors (NACD) advise that Boards should view cyber risks from an enterprise-wide standpoint and understand the potential legal impacts. They should discuss cybersecurity risks and preparedness with management, and consider cyberthreats in the context of the organisation’s overall tolerance for risk.”
The New Zealand Institute of Directors has written a Cyber-Risk Practice Guide subtitled “Put cybersecurity on the agenda before it becomes the agenda”.
The Institute of Directors in the UK agrees: “New reports of data breaches and instances of cyber crime appear each year, contributing to an annual loss of around five billion pounds for the UK economy. It is therefore more important than ever to address cyber issues at board level in order to safeguard our businesses and employees.”
The Australian Institute of Company Directors is on board too: “Cybersecurity is a critical issue for boards and senior management. A cyber breach can impact your bottom line, brand and reputation. What can organisations do to address cyber risk and embrace opportunity through change?”
Governments, too, make the same recommendations for businesses of all sizes.
The Australian Small Business and Family Enterprise Ombudsman provides the following advice:
“Develop a business-wide policy so everyone knows that cyber security is a priority, and so the business owners can be seen to be actively engaging with cyber security. If cyber security is thought of as a strictly IT issue, it doesn’t send the message that it’s a top priority, and won’t make your business or staff cyber secure. Because cyber attackers target people just as they target hardware, cyber security is for everyone at every level in the business. Establishing and communicating their responsibilities is vital to build a cyber aware business.”
The UK’s National Cyber Security Centre declares: “Companies benefit from managing risks across their organisations - drawing effectively on senior management support, risk management policies and processes, a risk-aware culture and the assessment of risks against objectives. There are many benefits to adopting a risk management approach to cyber security.”
Is this advice being heeded?
To some extent, yes. However, it is clear from the data and the headlines that the development of cyber-responsible cultures, driven by the board, has a long way to go:
Kathmandu Holdings – Customer data lost, fraudulent transactions reported
Cryptopia – hackers steal $20 million in cryptocurrency
Marriott Hotels – millions of credit cards and passport details stolen
Equifax – millions of credit records breached
So why are organisations not following the unanimous advice and taking heed of the data?
The experience that we have at Cybercraft has led us in an interesting direction. From working with organisations of all sizes and natures, we have found that the attitude of key individuals toward cyber risk is of key importance. From this, we have identified 5 cyber risk personas: