The three questions boards should ask to manage cyber risk

Posted on 2022-11-25 by Matt Strahan in Business Security

If you were a company director and you could ask three questions to judge the cyber security of the organisation, what would they be?

Last week I attended the AICD Essential Director Update. I found the event really useful for both getting new information for my own job as a director of Volkis and for keeping my finger on the pulse of what boards care about. A big topic, of course, was cyber security.

These events lately have made me feel popular. After spending years trying to convince everyone I could that this is something they should care about suddenly even the boards are having cyber security as a top priority and demanding their management do something about it. This can get mixed results, of course. After all, boards aren’t cyber security experts.

In his excellent presentation, David Thodey, the chair of Xero volunteered three questions that boards should ask their management. My ears picked up, both as a cyber security expert and a Xero customer that hopes they are managing their cyber security risks.

The three questions

What data do we have?

What a good first question! You’d be surprised how many organisations we deal with get surprised when they find out what they’re storing. Until you know what data you have, how can you hope that you’re securing it properly?

Why do we have this data?

Another spot on question! There are companies that buy into “big data”, thinking about the low costs of vacuuming up as much data as possible. In the end they get dubious benefit from their data hoarding and don’t even account for the risks that they’re taking by holding all this information. Until you ask yourself “do we really need this data”, you’re going to just keep on hoarding.

Is the data encrypted?

Hang on… Why are you asking this?

I immediately felt that this question showed some of the distance between the board and the technical reality of cyber security. Hacking is a technical practice that has business ramifications and it’s hard to connect the two.

The issue with this question is that data usually has to be stored in a way that allows it to be used. It needs to be shown in dashboards on websites or used to send messages to the customer. If the data is encrypted, the system must have a way of decrypting it before it can be used. The hacker then just uses the same method that the system uses to gain access to the data.

While there’s plenty of reasons for encrypting data (for example long term archiving and backups, protecting laptops and removeable media against theft, transmission of data over public networks, etc), just because a data is encrypted doesn’t mean it can’t very easily be decrypted by hackers. In several recent breaches the company said “our data was encrypted”…but the hacker still got it all.

What should that third question be then?

What would I ask instead? I’m going to disappoint you all and hedge my bets. For me, it depends on what kind of business you are. I’m going to split it up into data driven organisations and digital driven organisations and offer a question for each.

Data driven organisations

These organisations carry a lot of personal information and sensitive information. If this is released, there’s huge ramifications for the privacy of their customers, the reputation of their business, or the protection of trade secrets and intellectual property.

If you’re a data driven organisation, I’d like to offer this replacement question:

Who has access to the data?

This is a simple question that has complex ramifications. When thinking about who has access to the data, we’re not just thinking about who should have access to the data, but who does have access. Access can span:

  • The physical location (“Is the data located in a datacentre or the cloud? Can someone literally pick it up and walk away?”)
  • It’s transmission (“What systems and people have access to it when it’s being passed between systems?”)
  • How it’s processed (“Who will be working with this data?”)
  • Where it’s processed (“OK I know that the data is physically in Australia, but can offshore people access it?”)

Data leaks and spreads around an organisation. Could any of these parties have access?

  • Software as a Service companies: If you’re using a third party SaaS platform, then you’re relying on them for your security. If they get hacked, then so do you. Since your customers have a relationship with you rather than the provider, they’ll blame you.
  • Managed service providers: The admins can control your systems. If they get hacked, so do you.
  • Systems in your environment: If you have a data repository, what systems can access that repository? Who then has access to the systems that can access the data?
  • Third party suppliers and partners: They may use that data to help you provide products and services to your customers. Suddenly, though, their risk becomes your risk.
  • Marketing: They help build your channel with your customers. They can also build a channel to spread the data to hackers.

And so on. The process of figuring out who has access is a long one but, again, until you know where your data is and who has access how do you secure it?

Digital driven organisations

If I accidentally tripped over the wrong cable and brought down all of your IT systems, how long could you stay in business? What would the costs be per hour?

There are digital driven organisations that couldn’t survive a day.

These organisations rely on their website, OT manufacturing devices, communications platforms, digital coordination, or ERP systems so much that if they are down they simply cannot run as a business anymore. A ransomware attack ends with people running around saying “what did we do before digital took over?”

For these companies, I’d like to offer:

If our IT systems are taken down, how do we keep our business running?

The business continuity planning and processes that should be in place should be well known and appropriately funded by the board. This could include hot backups that are entirely disconnected from the main environment, resilient even against total compromise. It could include backup paper processes that get your employees through the day. It could just include a fast return from backup.

You may need to pre-arrange alternative channels with suppliers and customers that can be employed in times of need.

What’s more, this infrastructure should be resilient against full compromise of your IT systems. What good are backups if the hacker can just delete them?

Technical compromises with business ramifications

Cyber security risk is being presented at the board level, but there’s a big distance between the “high up view” that boards take and the underlying technical reality of cyber compromises. It’s understandably hard for boards to be across the technical aspects of cyber security of organisations even though they are expected to face the business ramifications of major compromise.

These questions, though, might just help take a few steps to bridge that gap and gain an understanding of what’s actually there.

About the author

Matthew Strahan is Co-Founder and Managing Director at Volkis. He has over a decade of dedicated cyber security experience, including penetration testing, governance, compliance, incident response, technical security and risk management. You can catch him on Twitter and LinkedIn.

Photo by Jason Goodman on Unsplash.

If you need help with your security, get in touch with Volkis.
Follow us on Twitter and LinkedIn