The “Someone will look after it” mentality
While cyber security may be on the risk register of every board, Cheryl Hayman cautions that many boards consider it too low or unlikely a risk.
The mentality among directors that “someone else will look after it” exposes a gap in boards’ understanding of how pervasive the cyber security threat is, not just in the technology space but across the entire organisation.
According to Hayman, “As a director, and especially as a non-technical director, you need to change the frame by which you consider cyber risk and cyber security, and understand that it comes right back down to having customers and stakeholders who expect a certain kind of experience or journey, and that they are relying on and trusting us to ensure that it is a secure journey.”
Hayman, a non-executive director of several listed businesses, recently found herself on the receiving end of a ransomware attack on Shriro, an Australian listed consumer goods company. The company suffered a huge cyber data breach, which it immediately reported to the market.
She says that one cannot fully understand the impact of such an event without having experienced it first-hand.
“We believed we had everything in place. The premise of surprises, however, is just that: you can’t ever be fully prepared for any surprises.
I can tell you that my learning curve on how to manage through that process has been massive,” says Hayman.
“For all the best planning in the world, things happen. And then you need to know how to deal with it. And I’m not sure unless you’ve lived it, you can be fully across what you need to do.”
Despite having planned for such an event with due diligence, Hayman reveals that there were key questions the board had not considered prior to the attack.
“I don’t think we’d had a discussion about, if we ever get a ransom ask, what’s our view on paying or not? Do we have a list of experts ready to go? Do we know what others in similar situations have done? And on what basis would we decide how and whether we will or won’t pay?”
Hayman suggests drawing on the expertise of board members who have been through a similar cyber attack in the past, so that the board can learn from their experience.
She also encourages boards to shift their mindset from treating cyber security as a matter of technology to treating it as a matter of information.
“Whether you’re a shopfront that only has some tech or a high tech organisation, you are dealing with technology by way of information. And so you have to consider it as an information piece. And so with that comes that need to consider it in the context of problem solving,” says Hayman, “and across the entire organisation”.
“In order to deal with cyber risk, you need to think of it like that, because it’s the connective tissue in an organization between the business, the strategy, the culture, and the user experiences of your product.”
While Hayman concedes that boards’ awareness of cyber risk has increased in the last few years, she questions whether boards recognise the depth of the issue as a concern that impacts every facet of the business.
“It is on every single risk register for sure. Whether they have enough understanding as to the depth of detail and consequences that sit below the cyber strategy and associated risks, and the pieces of the organisation and impacts involved, may be questionable. The fact is that it has to actually be embedded in your entire organisation as an item and as a risk, and that it doesn’t just sit in certain parts of the organisation, nor is it any one person’s responsibility; it’s everyone’s.”