In today's technology-led world, where organisational transformation is driven by huge investments in technology, the Board of an Organisation of any size cannot afford to ignore cyber security risks, especially since digital transformation has meant a great reliance on technologies that may be vulnerable to cyber security risks if they are not managed properly.
This is an edited transcript from a video blog recording of Sarb Sembhi, CTO and CISO of Virtually Informed, and his co-host Nick Ioannou, Director of Boolean Logic.
Introduction to Board involvement in cyber security risks
In this episode, we're looking at the Board's role in cyber security in small and medium-sized organisations. In many large enterprises, Boards have been evolving their role in cyber security risks for several years, but this hasn't happened to the same extent in Small Organisations yet, and that's partly why we're looking at it today.
What is a Board in a Small Organisation?
In Small Organisations, who is classed as a senior manager, director or Board Member may vary greatly, and the Board itself may be formal or informal. The legal entity may make this more or less obvious too. The Board may consist of an owner, senior staff, senior managers, and even some investors. Further, senior management meetings may in practice serve as Board meetings for part of the meeting, for certain decisions, without anyone documenting that this is what is happening.
In many respects, in those early days, a Board could involve anyone who has the final say in key risk decisions. Examples include those who sign off the cheques and payments, those people without whose authorisation the Organisation can't really do anything, or those who can stop staff activities at any point. Obviously, as the Organisation grows, it becomes more apparent who is part of the company Board and who is in fact a senior manager.
For the purposes of this topic today, if a Small Organisation does not have a formal Board, we are talking about the group of people or individuals who will be held responsible if anything goes wrong. In many Small Organisations the Board is usually between two and seven people.
Gone are the days when those responsible for security avoided the Board. There is now a greater acceptance that, although much can be done without Board involvement, to really succeed in improving security the Board must play an active role, as opposed to a hands-off one.
Why a Board has a role in cyber security
As a Small Organisation grows it will discover the many reasons, and what may be a good reason for one Organisation may not be for another. But here are a few reasons why a Board has a role in the cyber security of Small Organisations:
- Board members are likely to be targets of cyber attack – as a formal Board Member or senior decision-maker, their details will become more public. As they do, they will get noticed and end up being targeted. To protect the Organisation, these individuals need to understand that they will be targets and that they need to adapt their working practices to make themselves less vulnerable. Board Members will often be more visible targets than non-Board staff. Not acknowledging this can make the Organisation more vulnerable to successful attacks;
- Provide governance – in every Organisation no matter how big or small, it will always be the Board that should provide the governance for every aspect of cyber security;
- Setting the example. In every Organisation, standard practices are copied from the top down. So, if the Board engages in bad practices that leave the Organisation open or vulnerable, so will the staff;
- Demonstrating cyber security priorities. This is in every aspect of the Organisation, from resources allocated and the controls in place to protect staff and Organisations;
- Demonstrating cyber security leadership. In most cases the Board will lack familiarity with cyber security, but by putting it on the Board agenda and taking a structured approach the Board demonstrates that it is willing to make a start somewhere. This can be important to staff, customers and suppliers;
- Providing guidance. The guidance the Board needs to provide in the early days will be on responsibilities and clarity on who owns which risks.
In many Small Organisations, the person responsible for IT also becomes the person responsible for cyber security. But it must be remembered that no matter which staff members are responsible for the day-to-day aspects, the overall responsibility still lies with the Board.
It's often easy to tell whether there is Board involvement when walking into a Small Organisation's office. When you start talking to staff, in those organisations where the Board is involved in security and takes it seriously, the staff take it seriously too. Where the staff don't take it seriously, it is usually because the Board doesn't either, and this is often apparent in the culture of the organisation.
In Small Organisations, life for anyone responsible for implementing security controls is far easier and more enjoyable if the Board is actively involved – they get more done and do not bang their head against a brick wall.
"Most Small Organisation Boards understand that the buck stops with them."
What should Boards be doing?
Even Boards of very Small Organisations or start-ups can start somewhere. The most important thing is for them to start with a discussion and explore from there, perhaps with the help of a consultant or expert. Even if there is no budget to pay for an expert, the Board can still start with the following activities:
- Gather information on key assets and staff. The Board can very easily identify what the organisation's key assets and staff are that it needs to consider protecting;
- Gather threat and risk information. Again a discussion on this is easy to start and to brainstorm a list that can be considered further as more information is understood;
- Discuss data protection and other compliance requirements. Many Small Organisations may not have detailed understanding of their compliance requirements, but they can start to list what the different requirements are and where they need to explore getting further assistance;
- Get cyber insurance. This is something that we believe has improved a lot for Small Organisations in the last few years, and there are some that offer some basic introductory training as part of the insurance;
- Consider getting Cyber Essentials. We mention this certification often, as just knowing what needs to be completed for the certification provides a good indicator of what the Board needs to explore to protect the organisation;
- Consider controls to protect key assets. Although Cyber Essentials may help get started for most Organisations, because all Organisations are different, we understand that alternative or additional controls may be required for some;
- Plan regular reviews. These don’t have to be major but should ensure that the Board is moving forward on improving its security over time.