Director’s head in the sand approach to cyber threats

When Governance Matters Associate Guy Hamilton came across an article in a recent issue of Harvard Business Review (HBR) that suggested a laxity from directors when dealing with cyber threats, he was astonished and decided to delve a little deeper… only to come up alarmed. Here, he shares his thoughts on this most ominous of governance issues.

After reading this disturbing report, reflecting on the many malware attacks on businesses and digesting the IT professionals’ view that simply updating systems with the latest patches from the software suppliers would have prevented most infections, I couldn’t help but shake my head in disbelief.

If it was that simple, why was it not done?

So I decided to catch up for a coffee with an IT support engineer friend to chat about cyber infections and found his analogy most illuminating. It’s a bit like walking through a house with many rooms and doors, he told me. Locked doors can’t be entered, open ones can – and the same goes for data files. If they’re properly compartmentalised with good access controls, a virus’s ability to spread is greatly limited.

The problem is exacerbated by the growing trend that has executives and staff working remotely, often using personal laptops and devices to access work databases and, here’s the rub, many external sites for personal reasons. Add the ubiquitous uploading and downloading of files with USB sticks and we have just left the front door – and all the others – well and truly open!

Returning to the HBR article, it noted two deeply alarming findings of its survey of 5,000 directors around the world: just 38 per cent reported a high level of concern about cyber threats; and, more starkly, of the 23 board responsibilities listed, most ranked cybersecurity preparedness last.

With all the media attention this fast-growing business risk receives, you’d think boards, whose overriding duty is to ensure that businesses under their stewardship are run with care and in the best interests of stakeholders, would satisfy themselves that the business is properly protected.

Apparently not! And again, it begs the question: why? All the more so as a major system failure represents one of the fastest propagating and most far-reaching contingency risks a business faces.

I think part of the problem is that for many directors, detailed IT discussions fall well outside their comfort zone and are often a blind spot. They can’t comprehend the language and thought processes around platforms, interdependencies, back-up protocols and access rights, let alone distributed databases and blockchains. And they’re generally too quick to say “ah, that’s something our IT people look after…”

But what if they aren’t? What can Boards do to get on top of and defuse a ticking time bomb?

I’d like to think the first step is to impress upon executive management the significant reputational threats posed by cyberattacks and the expectation that mitigating such risks is one of their core responsibilities – and then walk the talk by having IT performance, failures and security on the risk register and as a Board-endorsed policy with regular reporting.

Other measures should include regular independent security assessments, presented for Board consideration; ensuring that there’s a robust systems outage contingency plan and it’s regularly tested; and having data security, access rights and disciplinary actions for breaches linked to HR policies.

Similarly, data and company documents should be segmented by both criticality and confidentiality, and with appropriate access rights; while an informative IT dashboard can, over time, offer a sound insight into IT safety and effectiveness.

Finally, don’t be overawed by the industry jargon and acronyms – and if you are, remember to get an expert in to run a board development session.


Until next time,

Kate.
