Answered: The five most common cybersecurity questions company directors ask

Cybersecurity has moved rapidly from the backrooms of the IT department into the boardroom, meaning company directors must be aware of their obligations when it comes to protecting the systems and data their organisations rely on. The scope is now significantly broader than corporate and customer information; it also includes risks with third party suppliers and an understanding of the threats within the wider landscape businesses operate in.

Boards ask trusted advisors many questions about cybersecurity, although a few keep coming up over and over again. Here are the five most common cybersecurity questions asked regularly by company directors.

The most common questions (and the answers)

1. Should we pay the ransom?

   Senior leaders and boards must have a plan in place to manage and respond to ransomware attacks, and that must include clear guidance and agreement on whether ransoms should be paid. Every organisation must discuss and practice incident response including consideration for what to do in the case of a ransom demand. It’s also important to understand that ransomware has also given rise to attacks where not only has data been encrypted and made inaccessible, but attackers have also stolen data and threatened to expose it on the public domain in order to ‘incentivise’ victims to pay.

   Today, in most cases, it is not illegal to pay a ransom. However, board members must make a decision about whether they will pay and what the threshold for payment is. For example, you may decide not to pay if the workstations compromised can be contained and recovered without affecting customers or data. But you may decide to pay if there is a significant disruption to your business operations or data confidentiality is at risk. There is always the risk that if you do pay, it still may not lead to a full recovery of systems and data.

   It is imperative that all businesses have clear processes, tested in simulations, for what to do in the event of an incident such as a ransomware attack. These conversations must happen long before you are in the face of a crisis.

2. Should we buy cybersecurity insurance?

   Cybersecurity insurance is no different to any other form of insurance in that it aims to transfer the risk of an incident to a third party. However, it is still a relatively new insurance product and there is significant variation in what different policies cover.

   Cyber insurance can provide peace of mind to boards and organisations that there is some financial support to reduce the impact in the wake of a cyber incident, but insurance alone cannot reduce the likelihood or potential long-term trust implications. It is also crucial that company directors understand what a policy covers you for and what it doesn’t.

   When we think about risk, the two key metrics we typically focus on are likelihood and impact. Insurance doesn’t address the likelihood of an attack — it only helps to manage the impact. That means cyber insurance can only form part of a broader, comprehensive cybersecurity strategy for risk treatment and management, but it is not a silver bullet.

3. If we outsource our IT, the managed service picks up the cyber responsibility, right?

   In a word: no.

   Although you can outsource activities, the ultimate responsibility for risk lies with the organisation. When the Red Cross Blood Service suffered a major security issue, it was through the actions of an outsourced service provider. The liability and impact of that incident rested wholly with the management of the Red Cross Blood Service,  who provided a masterclass in managing a major incident.

   Outsourced service providers can carry out activities for you but the risks and requisite mitigations are still the responsibility of boards and the organisations they manage. That means boards must understand the security measures said outsourcers have in place and regularly confirm that service providers are acting in accordance with contract obligations (which should include having appropriate security measures in place).

4. 4. How do we know, as a board, if we are spending enough to be cyber secure?

   A common response to this question is that “we haven’t suffered an attack so we must be spending the right amount of money”. But that may be a result of good fortune rather than sound management. It’s also worth noting that a number of independent researchers have found that the average time between an attack taking place and it being detected is several months. So, not knowing you’ve been attacked is not the same as not being attacked.

   The question boards need to ask is not about the amount they are spending but how it’s being spent. If the vast majority of the security budget is simply spent on technology like end-point protection and firewalls, then the budget is probably not well directed. While those measures are very important, ensuring monitoring systems are invested in, there is a well-funded education program for all staff and that appropriate risk mitigation measures are in place to protect your most important assets are in place is critical.

   Instead of questioning if you are spending the right amount, evaluate if you are spending on the right things.

5. 5. Is the board really responsible for cybersecurity?

   If the business suffers a significant business disruption as the result of a cyber incident, who suffers? The business. Although the IT department might be a vital element in implementing, supporting and managing your cyber defences, they must work with the board to ensure the right information and system assets are well protected.

   Boards must have an understanding of the risks posed by cyber incidents, understand the mitigations they should have in place and then work with technology experts to implement those. But boards should also work with marketing and communications teams to ensure staff are educated in the risks and what they can do to minimise the impact. While an attack may originate with an email, a user opening an attachment or clicking a link in a malicious message may be the root cause of an incident.

   Cybersecurity is not a technical problem. It is a business problem with a technological element. Company directors must take the initiative in leading the organisations they manage when it comes to cyber security. Cybersecurity is just one element — albeit a growing one — in the portfolio of risks they must identify, monitor and manage.