Company digitisation means cybersecurity needs scrutiny

There were several high-profile cyberattacks in New Zealand, with CERT New Zealand reporting a 42% rise in incidents during the first half of 2020 compared to the corresponding period in 2019. PHOTO: GETTY IMAGES
When you live with a teenager, I find, you are quickly reminded that the limit of your technological capability is the on-off button on the TV remote.

However, as a governor, chances are you find yourself at the head of an organisation with a significant budget combined with an ambition to deliver state-of-the-art user experience with robust cybersecurity.

It could be that, inside your organisation, technology is inwardly focused and centred on delivering an efficient operating platform that has effective controls.

Regardless of internal or outward direction, as a director you are charged with bringing perspective, critical thinking and informed judgement.

Chances are you are not required to be an expert coder, a guru in black box testing or the next Elon Musk with bleeding edge ideas.

So where do you begin? As I noted in last month’s Director Dialogue, there has been a sharp acceleration of digitisation inside many businesses.

This has brought with it many advantages, but it is equally recognised that now is the time to take stock and consider all facets of what technology means in a 21st-century organisation.

Let’s start with one of the most important considerations, cybersecurity. Without a doubt, Covid brought this to the forefront of many a board agenda.

Some might say incursion is not a matter of if but when. Indeed, 2020 saw several high-profile cyberattacks in New Zealand.

CERT New Zealand reported a 42% increase in incidents during the first half of 2020 compared to the corresponding period in 2019.

Aura Information Security’s market research report for 2020 reported more than half of the businesses they surveyed were successfully targeted by a ransomware attack, with one in five saying the attack caused serious disruption.

Overlay that disruption with the very real direct costs associated with mitigations and brand impacts that need to be proactively managed and you likely have significant expenditure to contemplate.

Such statistics are enough to make anyone think, but what are the things that directors need to be asking?

Perhaps start by understanding precisely what your organisation’s online activities are and how these are being managed. Are there any single points of failure around the activity? If the worst happens and your website is taken down, what are the organisation’s redundancy plans? How do your business continuity plans intersect with your cybersecurity? When were they last tested, and was it a desktop exercise or full scenario role play? What was your business doing pre-lockdown compared to post-lockdown, and has cybersecurity kept pace with that change? Do your vendors share the same values as you in relation to cybersecurity?

Hand-in-hand with cybersecurity is the board’s role in data governance. The internet of things and artificial intelligence create big data, analytics and privacy considerations that a decade ago were unknown. Do you understand the data your organisation is keeping and how this interrelates with the privacy principles inside the new Act? Do you have a privacy impact assessment process that considers the potential effects of any work being undertaken on an individual’s privacy and how any negative effects might be mitigated? How about a privacy breach: what is the organisation’s response plan?

Simple questions, yet they require big answers which go straight to the heart of trust and confidence that consumers have in your brand and the products and services you provide.

The third point I would make relates to cultural attitude towards cybersecurity. It’s great having it on the board agenda, but have you considered how staff are being trained and their attitude in this space?

Simply put, do they care? Is this a real concern to them, or yet another management task that requires a box to be ticked?

Are they vigilant towards potential cyber-breaches, do they understand basic security protocols, and has your executive created a safe space to share learnings when someone is "hacked" or processes that bogus request from the MD to purchase iTunes cards or Steam credits?

Being caught out in cybercrime is a learning opportunity for the business and a chance to reinforce that it’s not just an IT team issue.

Technology and data considerations are only going to increase. We have moved from a local and linear perspective to global and exponential growth thanks to the advances technology has brought us.

Overlay the speed Covid gave us in terms of standing up a technology response to business problems and you have a rapidly changing world.

Be it emerging technologies or server stacks, approaching technology is no different to approaching any other governance challenge. It requires critical thinking and bringing a curious mind to the conversation.

Directors should expect regulatory authorities to increasingly flex their authority in this space, and as such increased reporting that focuses on both the risks and the opportunities is prudent.

Bring in specialist digital capability when required and invest in ongoing professional development in this space as you would any other director skill. These actions will all contribute to the cyber-resilience of your organisation.

Whether a not-for-profit or an NZX-listed company, we all strive to manage our critical infrastructure to continually deliver our intended outcomes.

- Trish Oakley is the chairwoman of the Otago Southland branch of the Institute of Directors (IOD).