Understanding cyber risk

How cyber risk dashboards can help protect organisations from attack.

type
Boardroom article
author
By Henry Jiang, Chief Information Security Officer, Diligent Corporation
date
24 Sep 2021
read time
4 min to read
side on blue stairs with a white light glowing behind them

Boards are under mounting pressure from regulators to tackle a wave of cyber attacks that are costing New Zealanders millions of dollars every year.

From the smallest to the largest organisations, no one is immune.

“Systems that the C-suite thinks are secure — and may appear secure because they’re password-protected or seem limited in scope — are often the systems that are ripest for exploitation,” says Diligent Corporation Chief Information Security Officer Henry Jiang.

But directors are being held back by a lack of transparency about their own organisations’ ability to withstand such a cyber attack due to the increasing complexity of cybersecurity, data governance and supply chain management.

Cyber risk in New Zealand is rising

The number of reported cyber incidents last year grew by 65% according to government cybersecurity authority CERT NZ. They cost New Zealanders a total of $16.9m.

Without strong preventive action, the cost would be significantly higher. Around $70.5m of damage to nationally significant organisations was averted by the National Cyber Security Centre in 2019-20.

New requirements, such as the updated Privacy Act and the Reserve Bank’s guidance for regulated entities, are increasing the pressure on boards to effectively address cyber risks.

No one is immune to cyber attack, but organisations can reduce their vulnerability and strengthen their preparedness. Cyber risk dashboards are an essential tool in elevating boards’ capability to monitor this critical business risk.

Keep it simple and streamlined

Dashboards are an ideal way to provide visibility across the different facets of cybersecurity to support effective monitoring. Accompanied by in-depth discussions, deep dives and ongoing training, they equip boards to ask better questions and focus on key areas for improvement.

 

“Boards don’t need every director to be a qualified accountant, but they should make sure all members are financially literate.”

Develop dashboards for a board audience

Boards don’t need every director to be a qualified accountant, but they should make sure all members are financially literate. The same principle applies to IT.

Making cyber issues more accessible to directors involves increasing their digital understanding along with positioning reporting at the right level.

It’s clear there’s plenty of room for improvement. More than half of New Zealand directors (53%) don’t receive comprehensive reporting from management on data security risks, incidents and actions, the Institute of Directors’ 2020 Director Sentiment Survey revealed.

Using digital solutions can improve insights into digital risks. Online, realtime dashboards enable directors to click through for more information without the need for management to update manual reports.

Set quantifiable measures

Using consistent, clearly-defined KPIs and basing reporting on verifiable facts rather than subjective opinions improves the value of dashboards.

It’s important to select a range of metrics that span the full breadth of the risk framework from identification and analysis to defence, response and remediation.

At an early stage, that might include yes/no questions such as whether there is a security policy or if the organisation has cyber risk insurance. As maturity develops, more nuanced measures become relevant, such as the time taken to identify a breach after it’s occurred.

Consider the bigger picture

Context is everything when it comes to board reporting. It’s impossible to consider the implications of an individual risk without reference to the wider organisation and its environment.

Two important things to ensure are communicated to the board are whether the organisation’s cybersecurity is improving and how it compares to good practice.

“An organisation’s own systems aren’t the only source of cyber risk. Incidents affecting thirdparty providers are a growing issue as digital integration increases and organisations become more interconnected.”

Look outside the boundaries

An organisation’s own systems aren’t the only source of cyber risk. Incidents affecting third-party providers are a growing issue as digital integration increases and organisations become more interconnected.

The reputational, financial and regulatory damage can be severe, as demonstrated by the Reserve Bank incident which is expected to cost in the order of $3 million.

Dashboards should consider cyber risk across the supply chain, including the significance of data held by third parties and the extent of external access to the organisation’s systems.

Does your dashboard include:

  • the percentage of vendor risk assessments completed
  • the number of vendors with low risk management maturity
  • third party data breaches?

Compare your performance

Evaluating cybersecurity isn’t a simple pass or fail outcome. Increasing cyber risk maturity involves continuous review and improvement to mitigate new threats.

Even organisations with sophisticated systems and robust risk management can fall victim to an attack. However, the risk is far greater for those who haven’t yet put baseline measures in place.

Organisations with the lowest cybersecurity rating are 7.7 times more likely to have a data breach occur than their counterparts with the highest rating level, according to analysis by SecurityScorecard and Diligent.

Does your dashboard include:

  • benchmarking against industry, peers and best practice
  • highlighting changes in performance and compliance
  • external trends in data breach notifications and cybersecurity incidents?

Connect oversight to action

Dashboards can give boards the insight to manage cyber risk more effectively.

Adding it to the meeting agenda is just the first step, next is to explore what the information reveals and oversee a structured improvement plan.

That includes allocating appropriate resources to cybersecurity, something that’s a struggle for many smaller organisations. More than six in 10 small businesses (61%) say their investment in cybersecurity isn’t adequate, according to a 2020 CERT NZ survey.

Identify the gaps

It’s important to have realistic expectations about what cyber risk dashboards reveal. Rather than a row of green lights that indicate everything’s under control, dashboards reveal the vulnerabilities that need to be fixed.

One of the potential gaps boards can directly influence is their own capability. Around two-thirds of directors (65%) don’t believe their board has the right mix of digital skills, according to the Institute of Directors’ 2020 Director Sentiment Survey.

Use dashboard reporting as a catalyst for deeper discussions

Having a complete picture of the organisation’s cyber risk profile supports more informed discussion and decision making by boards and management, including: investing resources based on priorities and risk weightings; expanding internal capability, including IT and digital expertise at board level; and engaging specialists for targeted training, action plans and assessments.

Does your dashboard include:

  • staff understanding and engagement on cybersecurity
  • spending on cybersecurity, including improvement vs remediation
  • delays in implementing actions and recommendations?