Cyber Security Issue For Boards Exec PDF
Cyber Security
PwC found that just 44% of corporate boards actively participate in their companies' overall security strategy, showing that many boards still consider it a matter for IT.[2] This is in line with Ernst & Young's study, which found that more than half (55%) of surveyed organisations do not make protecting themselves a key part of their strategy.[3]

Showing that cyber security is taken seriously at the top helps enforce a security culture among employees. As people are your first line of defence – and as human error is one of the most common causes of data breaches and other security failures – you should make every effort to ensure every member of staff takes their security responsibilities seriously.

Business disruption as a result of a cyber attack or data breach (the top threat according to the BCI Horizon Scan Report 2019[7]) affects the whole organisation, and could even threaten its existence.

Technology is an integral part of business

62% of CEOs surveyed by Gartner say they have some sort of management initiative or transformation programme to make their business more digital.[4] Moreover, the rapid – and still growing – adoption of and reliance on new technologies, such as the Cloud, machine learning and AI, has created more opportunities than ever for cyber criminals. Cyber security should therefore be an integral part of an organisation's overall strategy.
IT GOVERNANCE GREEN PAPER | FEBRUARY 2019 3
Susan Story, president and CEO of American Water, says:[8]

In the old days, you had business and then you laid technology on top of it [...] Today, business is technology and everything we do has technology threaded through it. How you most effectively and efficiently do that is what distinguishes companies that are digitally transformed from those companies that aren't.

This is not limited to reliance on websites and the Cloud, but extends into recognising newer practices like data mining and AI. Technology is now integral both to running the organisation and as part of its products and services.

Boards cannot treat IT as simply a functional or operational issue. In this information age, an organisation's key asset is its intellectual capital, which in turn depends on information technology. As an asset is, by definition, something that someone outside the organisation wants, it is also something worth protecting.

Any solutions must be proportionate to the value at risk and in line with the organisation's strategic and operational goals. As such, information and cyber security decisions should be made by the board, not the IT department alone.

Companies Act 2006 and SOX

In addition to sensible practice, under Section 172(1) of the UK's Companies Act 2006, directors must consider "the likely consequences of any decision in the long term", and "the desirability of the company maintaining a reputation for high standards of business conduct". Given the potential impact that security incidents can have on an organisation and its customers, failure to take an active interest in information security provisions could constitute a breach of a director's statutory duties.

Similarly, for any company publicly listed in the US (whether based in the US or not), the Sarbanes–Oxley Act of 2002 (SOX) requires management to certify the company's financial reports, and both management and an independent accountant are required to certify the company's internal controls. In almost every organisation,

Although the Companies Act 2006 and SOX are UK and US laws respectively, such requirements are increasingly common around the world – almost every organisation (and director) needs to consider and meet them.

Legal and regulatory requirements

Company laws are not the only legal requirements directors should concern themselves with. There is also a wide range of cyber security and data protection laws to comply with around the world, including the GDPR, the UK's Network and Information Systems (NIS) Regulations 2018, New York's Cybersecurity Regulation (23 NYCRR 500) and Singapore's Personal Data Protection Act 2012 (PDPA).

The penalties for non-compliance can be severe. The GDPR in particular has attracted attention because of its potentially heavy fines – anything up to €20 million (about £17.5 million) or 4% of global annual turnover, whichever is greater – and such fines are likely to result in a great deal of negative press. In addition, the Regulation demands that data protection officers (DPOs) – an important role that is mandated by the GDPR for certain organisations – report to the "highest management level".

Finally, a Ponemon Institute study showed that the costs of non-compliance – including fines and settlement costs, but also business disruption, productivity losses and lost revenue – are on average 2.71 times the cost of compliance.[9]

Top-down approach

Good practice demands that information security rests on three 'pillars': people, processes and technology. Naturally, solid and up-to-date technological measures are vital to security – but for IT to successfully implement them, the board must first provide the necessary resources. Moreover, people and processes – major underlying causes of security incidents[10] – require significant board attention if training is to be taken seriously, and policies and procedures are to be enforced.
Consider, for instance, the data breach Heathrow Airport suffered in October 2017. On the face of it, the airport was fined £120,000 for losing a USB stick[11] – a scenario, you might argue, that could happen to anyone.

However, the follow-up investigation by the Information Commissioner's Office (ICO), the UK's supervisory authority, found a "widespread use of removable media in contravention of [Heathrow's] own policies and guidance" as well as "ineffective controls preventing personal data from being downloaded onto unauthorised or unencrypted media". In addition, just 2% of all staff had received any information security training.[12]

In other words, the problem was not primarily the loss of a single USB stick, but how widely removable media was used and, worse still, how relatively easy it was to download sensitive information onto such media. All of this suggests a lip-service approach to security: a policy is barely as good as the paper it is written on if it meets requirements but is unenforced and not supported by appropriate training. A preventable data breach was only a matter of time.

Looking deeper still, all of these problems point to the same thing: a lack of board involvement. As Steve Eckersley, the ICO's director of investigations, pointed out:[13]

Data Protection should have been high on Heathrow's agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise. [...]

Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them.

If the board does not appear to take security seriously, employees will, unfortunately, follow suit.

Reputational and business impact

The Heathrow incident received coverage in the press outside the UK, including in France[14] and Sweden[15] – even though the key thing to report was a lost USB stick containing personal data.

Many organisations lose (potential) clients in the aftermath of a breach, particularly if that breach involved customer data. A Ponemon Institute study from 2018 shows this to be particularly the case for US organisations, as customers tend to have more options, making their loyalty harder to preserve: for 2017, lost business cost an average of $4.2 million.[16] Data protection is not just something demanded by law and good practice: it is also a means of standing out from the competition and winning customers' trust. As KPMG points out, "CEOs who ensure their organization's data-handling procedures are robust will be rewarded by consumers".[17]

Moreover, being breached may never be good news, but if handled well, it can receive positive press. Consider, for example, MyHeritage, which managed a breach well and was rewarded with the headline "This Company Was the Latest to Suffer a Data Breach. Its Reaction Was Perfect",[18] or the pre-GDPR "Under Armour praised for breach response".[19]

Management system solutions

Cyber security is a system of defences designed to protect information and information systems in the interconnected world. Naturally, we strongly recommend you put such defences in place, appropriate to the risks you face, but you should also consider implementing business continuity measures.

Business continuity management helps organisations continue to operate during business disruption and recover to normal functionality as quickly as possible. As security incidents are now a matter of when, rather than if, cyber resilience – covering both cyber security and business continuity – is becoming an increasingly important competence.
We believe that the best approach to cyber resilience is to implement two management systems: one addressing information security, and the other business continuity. As management systems are a top-down process of managing risks, this approach helps ensure that the board has oversight of both matters. This contributes to protecting the organisation, but also helps directors meet their statutory duties.

ISO 27001 – information security

For information to be useful to an organisation, it must preserve three characteristics:

1. Confidentiality: inaccessible to, and not disclosed to, unauthorised persons, including competitors and cyber criminals.
2. Integrity: accurate and complete (in other words, reliable).
3. Availability: accessible and usable on demand by authorised persons.

All three are addressed in an information security management system (ISMS) that complies with ISO/IEC 27001:2013, the international standard for information security management. An ISMS is a systematic, documented approach to managing confidential or sensitive company information so that it remains secure.

Besides dictating best practice for an ISMS, ISO 27001 may also be used as the basis for supplier information security audits and supply chain assurance, and as a common reference point for laws and regulations that touch on information security.

ISO 22301 – business continuity

ISO 22301 and ISO 27001 follow a common structure, including internal audit, monitoring processes and management review. Both standards also require engagement from the top of the organisation.

Common features

Your organisation can seek independent, accredited certification against both ISO 27001 and ISO 22301. Certification is awarded on the basis of a third-party audit. This confirms your compliance, saving your customers (and other stakeholders) from having to conduct their own audits or go through a rigorous process of setting out complex contractual terms. This could then lead to increased trust and new opportunities.

ISO standards are supported by a range of other publications that provide best-practice guidance on finer points or specific needs. Drawing on these can extend and improve your management systems to help you meet a larger range of requirements and prerequisites, which could ultimately turn into new business opportunities.
IT Governance offers a unique range of cyber security products and services, including books, standards, pocket guides, training courses and professional consultancy services.

Cyber Health Check

Assess your cyber risk exposure and identify a practical route to minimise your risks with our three-phase cyber health check.

Cyber Security as a Service (CSaaS)

Backed by years of cyber security experience and a deep understanding of the challenges organisations face, our experts can transform your organisation from 'unsure' to 'cyber secure and resilient'.

Cyber Essentials

ISO 27001 Certified ISMS Foundation Training Course

Take the first steps towards building a career in ISO 27001 with this introductory course on the key elements required to achieve compliance with the Standard.

Tools

Accelerate your ISO 27001 project with this bestselling toolkit, used by more than 2,000 organisations, which includes documentation templates, easy-to-use dashboards, gap analysis tools, and direction and guidance from expert ISO 27001 practitioners.

Identify, detect and contain cyber security incidents faster by deploying a cyber incident response management programme based on best-practice incident response frameworks.

Get a true picture of your ISO 27001 compliance gaps, and receive expert advice on how to scope your project and establish your project resource requirements.

Penetration testing

Our penetration testing process involves assessing your chosen systems for any potential weaknesses that could result from poor or improper system configurations, known and unknown hardware or software flaws, and operational weaknesses in process or technical countermeasures.

Save time, hassle and expenses with Compliance Manager when finding applicable laws to cover in your information security risk assessment.

This course teaches staff the basics of data security, information and cyber security risks, and dealing with threats.
IT Governance solutions

IT Governance writes and publishes extensively on cyber security and IT governance, risk management and compliance (GRC) subjects, and has developed a range of tools for IT governance, information security and regulatory compliance practitioners.

IT Governance is your one-stop shop for corporate and IT governance information, books, tools, training and consultancy. Our products and services are designed to work harmoniously together so you can benefit from them individually or use different elements to build something bigger and better.

Training

We offer training courses from staff awareness and foundation courses, through to advanced programmes for IT practitioners and certified lead implementers and auditors.

Our training team organises and runs in-house and public training courses all year round, as well as Live Online and distance-learning courses, covering a growing number of IT GRC topics.
1. Quote by Ali Ahmed Al-Kuwari, CEO of QNB Group, the largest financial institution in the EMEA region. Taken from: KPMG International, "Growing pains: 2018 Global CEO Outlook", May 2018, https://home.kpmg.com/qm/en/home/insights/2018/05/growing-pains-2018-global-ceo-outlook.
2. PwC, "Strengthening digital society against cyber shocks", October 2017, https://www.pwc.com/us/en/services/consulting/cybersecurity/library/information-security-survey/strengthening-digital-society-against-cyber-shocks.html.
3. Ernst & Young, "Is cybersecurity about more than protection?", October 2018, https://www.ey.com/en_gl/advisory/global-information-security-survey-2018-2019.
4. Gartner, "Gartner Survey Reveals That CEO Priorities Are Shifting to Embrace Digital Business", May 2018, https://www.gartner.com/en/newsroom/press-releases/2018-05-01-gartner-survey-reveals-that-ceo-priorities-are-shifting-to-embrace-digital-business.
5. "Growing pains – 2018 Global CEO Outlook".
6. "Is cybersecurity about more than protection?".
7. BSI, "BCI Horizon Scan Report 2019", https://www.bsigroup.com/en-GB/iso-22301-business-continuity/bci-horizon-scan-report-2019/.
8. "Growing pains – 2018 Global CEO Outlook".
9. Ponemon Institute, "The True Cost of Compliance with Data Protection Regulations", December 2017, https://www.globalscape.com/resources/whitepapers/data-protection-regulations-study.
10. For instance, Ponemon Institute's Cost of a Data Breach Study 2018 shows that 52% of all breaches are caused by human error or system glitches (including business process failures), while the IBM X-Force Threat Intelligence Index 2018 shows that misconfigured Cloud servers and networked backup incidents unintentionally exposed more than two-thirds of total records compromised in 2017.
11. Note that, at the time, the UK's Data Protection Act 1998 was still in force, under which the maximum fine was £500,000. Had the fine been levied under the GDPR, the penalty would likely have been much higher than £120,000.
12. ICO, "Heathrow Airport Limited fined £120,000 for serious failings in its data protection practices", October 2018, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/10/heathrow-airport-limited-fined-120-000-for-serious-failings-in-its-data-protection-practices/.
13. Ibid.
14. Le Figaro, "Aéroport d'Heathrow: enquête après une faille dans la sécurité" [Heathrow Airport: investigation after a security breach], October 2017, http://www.lefigaro.fr/flash-eco/2017/10/29/97002-20171029FILWWW00035-aeroport-d-heathrow-enquete-apres-une-faille-dans-la-securite.php.
15. Dagens Nyheter, "Topphemlig information tappades på gata – hittades av arbetslös" [Top-secret information dropped in the street – found by an unemployed man], October 2017, https://www.dn.se/nyheter/varlden/topphemlig-information-tappades-pa-gata-hittades-av-arbetslos/.
16. Ponemon Institute, "2018 Cost of a Data Breach Study", July 2018, https://www.ibm.com/security/data-breach.
17. "Growing pains – 2018 Global CEO Outlook".
18. Adam Levin, "This Company Was the Latest to Suffer a Data Breach. Its Reaction Was Perfect", Inc., June 2018, https://www.inc.com/adam-levin/this-company-was-latest-to-suffer-a-data-breach-its-reaction-was-perfect.html.
19. IAPP, "Under Armour praised for breach response", April 2018, https://iapp.org/news/a/under-armour-receives-praise-for-myfitnesspal-breach-response/.