PUBLISHED: 29 Mar 2012 00:09:30 | UPDATED: 29 Mar 2012 10:11:18
Peter Deegan and Nick Ellsmore
If your fear of hacking extends even to some suppliers of IT systems, are you paranoid or are you prudent? Sadly, it’s the latter.
Whether excluding Huawei from the national broadband network tender is right or wrong, and whether there is any substance to the latest allegations against former News Corp subsidiary NDS, makes no difference. The fact is that cyber-spying is now so pervasive that it is routinely referred to as “an advanced and persistent threat”.
The targets are not just governments. The cost of cyber-theft to corporations is impossible to quantify, but it surely runs to many billions of dollars a year. Yet most cyber-crime goes unreported, partly because much of it is undetected.
While it was never safe to park cyber risk at the door of your chief information officer, this is now evident to everyone, not least shareholders and regulators.
Directors of public companies should first try to understand the risks their company faces and what it is doing to mitigate them. They should ensure their board regularly monitors its risk mitigation systems. And if the risk is price sensitive, they should disclose it.
Companies typically use standard anti-virus software, strive for inter-operability across their IT systems and give their people easy access to their network. But generic controls mean that they have the same lock as everyone else, which hackers have long since learned how to pick. And providing “anytime-anywhere” access is an invitation to hackers to come and go as they please.
“Detection” is the first of the three Ds of the new cyber-security architecture. Many companies need a “cyber detective”, someone dedicated to searching for evidence of infiltration. They also need to search for exfiltration – the outflow of data. But data is amorphous, even to a cyber detective. So an analyst is needed to track the flow of data and look for irregularities.
“Diversity” is the second of the three Ds. While a homogeneous system may be the most convenient, risk is concentrated in the hands of one or two IT suppliers.
Diversity also plays a part in outsourcing IT services. Following the pack to the same cloud is cost effective – until it rains.
The last of the three Ds is “deception”. Network architecture should look less like Manhattan and more like the Forbidden City. There should be a few blind alleys.
A good first step for many businesses might be to engage a cyber-security expert to hack their IT system and tell them what needs to be fixed. Boards need to consider how they can monitor and oversee the steps their executives are taking to manage cyber risk.
Although governance architecture is important, assurance to the board about cyber security is not just about how governance systems are designed, it’s about how they work in practice.
To delegate effectively, directors must know what data is most sensitive and what the consequences of its compromise would be. The board cannot treat cyber-risk as a “black box” to be handed off gingerly to experts. Board members need to feel they are well informed.
This means they need to be comfortable with the qualifications and impartiality of those who inform them, as well as those to whom they delegate and from whom they receive assurance. The board also needs to know that the systems for mitigating cyber risk actually operate and that they are tested regularly according to best practice.
The United States Securities and Exchange Commission issued a disclosure guidance last October that said: “Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.”
The SEC went on to say it expected companies to review their disclosures regularly and comment on the effectiveness of internal controls and procedures, while not providing a roadmap for hackers.
The Australian Securities and Investments Commission has not issued similar guidelines, but the Australian rules relating to continuous disclosure are not so different. Cyber risk is something to keep in mind when considering what to disclose to investors and the regulator.
Peter Deegan is a senior adviser with L’Estrange Group. Nick Ellsmore is an executive consultant with BAE Systems Stratsec.