Seven things every director should know about IT security
There is something of a Pollyanna approach to information security in boards around Australia at present. Many boards (in fact 88 per cent according to a recent Deloitte survey) believe they are not vulnerable to cyber attack.
They are wrong.
My starting point is that every board should assume that it has been breached by some form of cyber-attack. The United States National Security Agency, even with all the money it spends on technology security, assumes its systems have been compromised and develops its policies on the assumption there are enemies inside the walls.
It is time for a rethink on how Australian boards view information security. Fallout from breaches overseas in recent years have highlighted the huge scale of theft of customer records that can occur and the impact this has had on the companies.
It is time to move from a culture of focusing on how we reduce IT spend as a percentage of revenue to what we need to protect the valuable information assets we hold.
Infosec is a protection issue not a compliance issue.
Here are seven key issues every director should be aware of. Some will surprise many directors.
1. There is an immediate and real danger to companies
The Ponemon Institute study in 2011 showed that of 50 companies studied, there was on average one successful cyber-attack per company per week.
According to Cisco, cybercrime increased by 14 per cent in the past year – making online fraud one of the fastest growing parts of the technology sector. There are some key drivers to this.
Firstly hacking is no longer the province of anti-establishment crusaders breaking down the walls of big business for the greater good. Cyberattacks are being perpetrated by well-funded, organised criminal gangs with remarkable skills.
Businesses are also becoming more reliant on third parties for technology (outsourcing, cloud, etc), meaning the network is only as robust as the weakest link.
On top of this advances in technology, such as the rise of mobility and “bring your own device” raise significant security challenges.
2. The stakes are high
Forrester Research found in the US the hard cost of a security breach is between $US90 and $US305 ($328) per lost record.
Associated costs include forensics to analyse how a breach occurred, before fixing the flaw, reconstructing corrupted data, paying legal fees and notifying customers. Any PR requirements, compensation and fines, just add up.
The US is a different case as there are more than 45 separate regulatory obligations to consider when there is a breach, and the class-action culture is stronger there.
However, earlier this year in Australia we saw the implementation of new privacy fines (up to $1.7 million per breach) and I am sure we will see a significant class action in the privacy space in the next few years.
What is omitted from the calculation is brand damage.
A CMO Council study found more than 50 per cent of consumers would take their business elsewhere if their personal information was compromised and 60 per cent of marketers said information security was a brand differentiator.
3. To notify or not to notify
The Coalition knocked back the mandatory data breach notification bill in June, on the basis that it needed more work. I believe this means Australia will have mandatory breach notification laws in the next year or so.
Most other developed economies have such laws and Australia will be under pressure to conform.
Companies should prepare for a world where they will need to notify people (such as customers and partners) whose data has been compromised.
In Australia, there is no specific legislation requiring notification of breach. However, companies should notify where the person would suffer loss had they not been notified of the breach. Also listed companies need to consider if their continuous disclosure obligations would require notification of a breach.
4. No insurance cover
This one is a surprise to most directors. Generally the standard insurances held by organisations do not cover losses due to cyberattack.
The result is that, in most organisations, this potential loss is self-insured, without the board or senior management being truly made aware of the extent of the risk and the lack of insurance coverage.
Another event earlier this month in the US will attract the interest of directors. A disgruntled shareholder of Wyndham Worldwide Corp filed a $US10 million class action in relation to losses suffered by the company as a result of cyberattack. This raises the issue of whether directors and officers liability insurance covers directors for such claims.
5. Punish the victim
Hackers are now holding companies to ransom by freezing their systems and demanding ransom to unlock them or by exposing vulnerability and threatening to publicise the information unless paid.
This poses a conundrum for boards. It is vital to get systems back up and certainly preferable not to have network vulnerabilities publicised. These considerations may make the payment of a ransom seem like an expedient approach.
However, blackmail is an indictable offence and, as it is a crime to conceal an indictable offence, it means the legal obligation is on companies to notify police of the blackmail.
Failure to do so means the company itself is committing a crime, potentially punishable by a jail term.
This is a difficult decision, meaning that might be the board meeting to miss.
Australian cybersecurity company Bugcrowd’s chief executive Casey Ellis says, “it is also the case that companies are being contacted by genuine security researchers who have discovered a vulnerability”.
Companies can help themselves by being proactive in the communication channels they have with bona fide security researchers, Ellis says.
“Companies should have a reasonable disclosure policy which sets out, among other things, that there is the possibility of a reward at the discretion of the company. This should defuse any pro-active contact from a researcher being construed as extortion, he says.
6. Never mind the fence – we have company
Old-school information security was about building amazing firewalls to keep intruders out. The next generation of security companies, such as the Silicon Valley darling FireEye, work on the assumption the walls have been breached and try to identify the intruders inside.
This new way of thinking about security – from the inside – has caused a huge run on cybersecurity start-ups in the US, with early stage funding of the sector soaring 60 per cent this year to $US244 million.
7. What boards need to do
Boards should ensure first and foremost that they are educated on privacy and information security governance. At least one director should have some infosec knowledge and take the lead on the issue.
Then, it is important the audit committee receives sufficient information to understand the IT security strategy. This strategy should include quarterly cyberthreat risk management review by the company’s internal audit function and ensuring programs, such as BYOD, have appropriate safeguards and policies.
For when things go wrong the company needs a breach response plan and this needs to be socialised across the organisation.
As part of a mature approach to infosec a company should not simply seek to push liability onto suppliers. Rather the company needs to work collaboratively with suppliers to ensure there are no weak links.
Finally, in recognition of the fact that no plan is foolproof, the company and the directors should look into being adequately insured for losses from cyberattack.
Nick Abrahams is partner and leader of the APAC technology practice for global legal practice Norton Rose Fulbright and is also a director of the Institute for Economics & Peace. Follow Nick on Twitter @NickAbrahams
The Australian Financial Review