Cybersecurity in governance: what a director needs to know

Jul 24, 2024 12:02:32 PM

When it is time to look at the makeup of skills on a board, the one skill everyone looks for is someone with IT/cybersecurity expertise. We assume that this one person is the panacea for all things IT (artificial intelligence, information technology and especially cybersecurity), while many of our eyes glaze over and our minds wander when these topics are discussed, if they are discussed at all.

However, as directors, it is our responsibility to understand the basic foundations of the decisions we make and, at the very least, to have an enquiring mind and sufficient knowledge to interrogate management and the expert skills we have brought in. We need to understand how all these parts work in our environment, with the risks and compliance challenges and the opportunities they bring. Above all, we need to practise good governance, and risk and compliance play an important part in this.

We now live in the digital age where everything is connected. We easily collect and use data for many purposes in our organisations to help us make informed decisions and build solutions for the communities we serve. The data we keep is valuable to third parties, who can resell and reuse it or hold it to ransom; hence the many data breaches, from widely published ones like Medibank and Optus to small organisations where a ransom is very quietly paid. Short of working within a closed system, no organisation is immune, irrespective of how secure its IT systems are.

Keeping data and information secure

Many organisations have personal (and, for some organisations, sensitive) information, including bank and credit card details.

Organisations with an annual turnover of more than $3 million have a legal obligation to keep private and sensitive information secured. It is best practice to secure data even if the Commonwealth Privacy Act 1988 or similar legislation in your jurisdiction does not apply to you.

You may also keep donor information, invoicing details, accreditation information, and information personal to a client.

If you hold only data that you are legally required to hold or that you need to carry out your purpose, and de-identify the rest, you minimise the risk of your organisation's and your clients' data being available to unscrupulous hackers.

Questions to consider:
  • What data are we holding?
  • Why do we need this data?
  • How long do we need this data?
  • Why are we keeping the data beyond its use period?
  • Is there an alternative way to obtain/use this data? For example, you could use a bank's gateway for payments so that you do not need to hold credit card information.
  • What are our key digital assets and how are they secured?
  • Do we have a data governance policy that sets out who has access and how we use and manage our data? If not, should we have one?

What questions do directors need to ask?

The Australian Information Commissioner recently filed a claim against Medibank for breaches of the Privacy Act. The breach occurred when one of its contractors used his home computer to log in to the Medibank Virtual Private Network. This allowed the hacker to access the sensitive information of 9.7 million individuals. The Australian Information Commissioner alleged that Medibank did not use multi-factor authentication for its Virtual Private Network, which by 2022 was a standard safeguard for large organisations (and used by many organisations utilising a VPN). In addition, Medibank did not appropriately monitor and action security threat alerts.

While most of us do not have the resources of a large organisation, some questions directors can ask are:
  • What is running on, or trying to run on, our networks and systems?
  • Do we have systems in place to identify abnormalities in our environment (eg a breach), and are we alerted in a timely way?
  • Do we apply patches/updates in a timely manner?
  • Who has access and to what? Who can make changes to systems and settings?
  • Where and with whom are our key digital assets and data located?
  • What systems do we have in place to check permissions?
  • What does our cybersecurity insurance policy say? If an incident is difficult to attribute, is it still covered? Is the policy commensurate with our risk profile?
  • Do we need a service provider (other than our cybersecurity insurance provider) available to us to provide guidance during a major incident?
  • How, and how often, do we review our cybersecurity incident preparedness?
  • Do we have an external cybersecurity review that comments on our risk exposure and how often do we do the review?
  • How would you demonstrate your actions to us?

As the weakest point in cybersecurity is often people, further questions to consider are:
  • What are we doing regarding cybersecurity culture change?
  • What staff training do we offer?
  • How often do we provide this training?
  • What is the level of staff participation?

How to respond to a cybersecurity incident

Ideally, when a cybersecurity incident occurs, your crisis management plan will set out the steps you are required to take. You must respond quickly and effectively to minimise the impact on your organisation and the individuals affected.

A crisis management plan should have the following:
  • Roles: Who does what and when, including contact details. What other assistance do you require?
  • Communication strategy: This should cover not only those directly affected but also people within your organisation and your stakeholders. You should have a pro forma ready to be tailored and used as required.
  • Statutory responses: Is this a notifiable breach? Do you need to notify any other organisations, for example a funding body?
  • Recovery Plan: How do you bring back your systems to business as usual?
  • Insurer contact details: In the event of a ransom, your insurer's cover may include assistance with dealing with the demand and with negotiations.

It's unlikely that you will ever be wholly prepared for a cybersecurity incident. However, as directors you have a duty to ensure that your organisation can deal with one. Reputational damage and actions for regulatory breaches (whether against a director personally and/or the organisation) do not occur simply because you have had a cybersecurity incident. They are more likely to result from how you have approached prevention, response and remediation. You can minimise your risk by being thorough with your data hygiene and by reviewing and practising your response regularly.

Resources

Office of the Australian Information Commissioner (OAIC)

Cyber Security Handbook for Small Business and NFP Directors

Essential Eight Maturity Model
