Cyber security incidents are not only increasing in frequency but also in cost.
In fact, the average cost of a data breach in 2024 in Australia is $4.03 million, with the Healthcare and Financial services sectors experiencing the most data breaches. This is also the highest cost to date. Of course, financial repercussions are not the only cost organisations face when they deal with a cyber security incident — as reputational and operational damages can also cripple the business.
Board members must play an active role in mitigating and preventing cyber attacks. However, only 12 per cent of S&P 500 companies have a current or former board member who is a cyber expert. This knowledge gap may be hurting your organisation now and in the future.
How can you ensure your organisation doesn’t end up in the latest cyber security breach news cycle? It starts with asking the right questions.
Navigating today’s cyber security landscape: Areas of focus for boards
Technology capabilities have grown significantly over the years, empowering organisations to operate more efficiently and drive expedited outcomes. As technology becomes increasingly intertwined with business objectives, board members need to evaluate technology decisions in the same way they evaluate strategic business decisions. Just as the board guides an organisation’s business direction, it is now also responsible for ensuring that the correct technology elements are enabled to support the business strategy and that the right level of cyber risk tolerance is achieved and managed.
To ensure responsible oversight, the board should focus on the following areas:
- Strategic alignment: Ensure that cyber security initiatives align with the organisation’s business and technological goals. To be proactive, boards should also ensure that future risks and trends are considered.
- Regulatory compliance: Provide oversight of the organisation's compliance with relevant regulations and laws. This includes confirming that the required audits and assessments are performed and that the board has insight and a clear understanding of the results.
- Governance and oversight: The board should oversee the organisation’s cyber security policies and strategies and ensure alignment with the overall risk management framework. They should also understand the organisation's relevant cyber risks and ensure that established policies support mitigation.
- Monitoring and reporting: As a board member, it’s important to receive regular updates regarding the organisation's cyber health, including progress on key cyber security initiatives, key metrics, and key performance indicators.
- Expert engagement: Engage with cyber security experts, either through the appointment of a cyber expert to the board, leveraging a Chief Information Security Officer (CISO) on the management team, or consulting an external Virtual CISO (vCISO). This will ensure the board is well-informed on emerging threats and trends.
- Cyber incident response: Ensure the organisation has a defined incident response programme and regularly reviews updates on the results of incident response testing. In the event of a cyber incident, the board should play a role in overseeing how the organisation communicates with the public and stakeholders.
Six strategies to increase your cyber security knowledge
For boards to successfully oversee their organisation’s cyber security programme, bridging the current knowledge gap is essential. This will help ensure cyber security is adequately addressed in regular board meetings and allow boards to confidently carry out their duties where cyber security is concerned.
Here are six strategies you can use to build your knowledge and become more prepared to integrate technology risk into decision-making processes:
- Establish regular cyber education sessions. Ensure you are getting regular updates about cyber security. During these sessions, carve out time to discuss the top risks in your industry and relevant experiences of similar organisations. Ask questions about what your business is doing to mitigate, prevent, or respond to the risk of those types of incidents happening to your organisation. The answers you receive may be key in strengthening your organisation’s defence framework.
- Refocus the metrics and leverage industry benchmarks. It’s important to shift the focus from technical metrics to common-sense metrics that highlight risk and value. For example, identify the number of end-of-life systems with vulnerabilities and the controls in place to mitigate their risks, or discuss the complete costs of cyber breaches, which include the actual response team and legal support as well as the impacts on insurance premiums and the organisation’s revenue. Use industry benchmarks to compare your organisation with others in your vertical, helping you understand where the organisation stands and what improvements are required.
- Bring in external cyber security experts. By bringing in external cyber security experts, board members can not only enhance their cyber security knowledge but also get support translating technology-focused information into risk-focused insights and strategies. Ultimately, adding a cyber seat to the board will offer regular access to the expertise you need that complements your organisation’s risk management, security, and technology teams.
- Conduct cyber simulations. To get a deeper understanding of actual cyber threats and how to respond to them, consider hosting facilitated incident simulations. These exercises will help you understand your role as a board member during a cyber event, potential impacts, areas for continuous improvement in process flows, and build muscle memory.
- Provide oversight during an incident. In the event of a cyber attack, board members should actively engage with and receive updates from security experts and incident response teams. By staying updated on the progress and outcomes of an incident, they can offer independent oversight and ask questions to uncover any lingering risks. It’s also important for boards to understand how the organisation plans to respond to future cyber attacks.
- Look back with hindsight. What you can learn from close calls or even a previous cyber incident may be what stops it from happening again, especially since 83 per cent of organisations have had more than one cyber security breach. Ask how many times these close calls or actual incidents have happened and what the organisation has learnt to identify gaps and develop appropriate measures.
The board’s critical role in managing cyber risk
What has changed in recent years is the level of scrutiny around the board of directors. After all, boards are there to help the organisation manage risk—and that includes risks from cyber security incidents.
In a recent Gartner study, 88 per cent of boards of directors said they view cyber security as a business risk, which highlights the move to prioritise cyber security as a focus of the board. It is your fiduciary duty to not only provide independent oversight to manage the company’s cyber security posture but also to challenge your organisation in different ways to raise the bar for your defence framework.
How BDO can help
At BDO, we take a business-focused approach to managing cyber risk. We offer board education sessions to help bridge the knowledge gap and enable board members to stay ahead of the rapidly evolving technology landscape. In these sessions, we show board members how to refocus a technology-centred conversation into one about business risk so that boards can effectively offer a responsible level of oversight and ask the right questions of their teams. Our board education sessions also cover the latest cyber risks organisations are facing today and what organisations are doing to mitigate those threats.
Contact our cyber security team to enhance your knowledge of cyber security and be prepared for whatever the threat landscape brings next.