January 12, 2022

The Cybersecurity Liability Risk Facing Board Members and Executives: What You Need to Know

Kingsley McGarrigle
General Manager for WA at Data#3 Limited
There’s a saying in legal circles that ignorance is no defence in the eyes of the law. For business leaders and board members, this concept is nothing new. We’ve all seen headlines about individual and corporate liability when workplace health and safety regulations are ignored, building standards are not met, and risk is not managed appropriately.

There is another area where changing risk factors and newly introduced legislation increase exposure for business leaders: cybersecurity. A cybercrime is reported every eight minutes in Australia, and the problem is growing.

Isn’t that the responsibility of the IT manager?

Not entirely. That is not to say every board member must immediately become a cybersecurity expert – it is, after all, a highly specialised area. It does mean that they must have an awareness of risks and compliance requirements, and work with the executive team to put a comprehensive plan in place.

Changing legislation

Mandatory reporting of data breaches was introduced in Australia in 2018, and any organisation doing business with individuals or entities overseas may also be required to meet the rules for those jurisdictions. More recently, changes are planned that will introduce further obligations, including a risk management program for Australian organisations. The obligations will, in some cases, be sector-specific, with critical infrastructure assets a priority in the wake of overseas incidents like the highly publicised ransomware attack on Colonial Pipeline that caused chronic fuel shortages across the USA.

Organisational Culture

Our security practice encounters many an organisation that has invested in technology, only to see their defences breached. Here, too, cybersecurity is comparable to workplace health and safety: no matter what physical measures are put in place, it takes a concerted cultural effort to effectively manage risk.

There is a strong case to treat the two areas of risk in a similar way. Make it a part of staff onboarding, just as you would any other risk area, and provide regular, ongoing training, while actively seeking any knowledge shortfall. Far better to pinpoint individuals or departments where practices increase risk, than to deal with the fallout of a successful cyberattack. It will take a balance of people, process, and technology to make this happen – lose focus on one element, and the others will suffer.

Culture, of course, starts at the top. When senior executives and board members show an interest in cybersecurity and related risk posture, the rest of the business takes notice. This means educating leaders who may be responsible for seemingly unrelated functional areas, and often have limited understanding of cybersecurity.  It means making cybersecurity a frequently discussed topic in board meetings, and it means knowing enough to ask the right questions.

It is important in the cybersecurity culture to make sure everyone, whether they work on reception or in the executive suite, knows what is at stake. When a mine worker or a sales rep logs into your corporate systems, they need to be clear about the value and importance of the data and systems they use, and the impact of their actions. As with workplace safety, the reminders should be visible; just as a hospital may remind staff about infection control protocol via posters positioned around each ward, so any business can use similar strategies to encourage healthy cybersecurity habits.

Protective processes

People are more likely to comply with security rules if clear policies encourage and enforce positive behaviours. Cyber-aware board members and executives, working in conjunction with the IT team, and often external cybersecurity experts, are well positioned to examine where shortfalls may exist.

In an ISO-certified organisation, it is likely that business processes are reviewed regularly, and cybersecurity considerations can form part of this overall scrutiny. There is a lot of sense in viewing annual cybersecurity reviews, broader technology reviews, and business processes together, since each relates so closely to the others. This prevents defensive gaps from emerging each time an operational or administrative process is reviewed.

Asking the right questions

As a starting point to understanding your cybersecurity responsibilities, it is worth asking yourself a few questions. What is the value of my data? Who has access? How is it protected, and where is it stored? Who is responsible for managing the risk and reporting to the board? What plan do we have to respond to any breach? By seeking answers as part of a board-level discussion, you will take a vital step towards reducing risk and becoming a more cyber-savvy leader.

Data#3 for your best defence

Technology, experience and education are all essential in protecting your organisation against cyberattacks. With a comprehensive suite of security solutions, Data#3 will help you understand, monitor and detect risks, protect your systems and information, meet compliance standards, put in place incident response plans and deliver training and assessments.

Reach out to our security team today about designing, implementing and maintaining superior security measures, tailored to protect your organisation.