Board Awareness and Responsibility

Dont get caught out like Talk Talk

Whilst the TalkTalk story rumbles on with new twists everyday there is a basic theme which stands out from the communications they have given so far. The CEO, the person ultimately responsible, was ill informed of the facts and did not appear to be Cyber Security aware. In fact, 2 pieces of advice offered by her were incorrect and would lead to further issues if blindly followed by their customers.

It is unforgivable that the Board of an organisation of their size doesn't truly understand the risks and is, therefore, unable to oversee implementation of adequate safeguards to protect all of its stakeholders. Organisation size should not be seen as the main driver though and protection of stakeholders should be considered paramount by any Board.

Across the Channel Islands we see a great deal of trust being placed upon service providers and external support companies to do the right thing with data. This isn't sufficient and doesn't meet best practice requirements for a Board to ensure that their business maintains a sound system of internal control and risk management that ensures they operate to within their agreed risk appetite and secure the future of their company.

ISACA the international organisation for IT assurance and controls has recently issued guidance for Cyber Security and what the Board of Directors need to be asking of their management, including IT and Security teams, to ensure they are comfortable that the risks are being managed.

The guiding principles emanating from this guidance are:

• Directors need to understand and approach Cyber Security as an enterprise-wide risk management issue, not just an IT issue.
• Directors should understand the legal implications of cyber risks as they relate to their company's specific circumstances
• Boards should have adequate access to Cyber Security expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda
• Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget
• Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach

With these responsibilities in mind the Board should be asking the following questions:

• Do we have a security framework in place?
• Have we performed a risk assessment to identify the key cyber risks? And what are our 5 key risks?
• Have we educated our staff to understand their role related to Cyber Security?
• Have we performed security assessments to identify technical risks?
• How is security governance managed and is it adequate?
• Do we have an incident response plan in place to manage any serious breach?

Over the coming weeks we shall explore each of these themes in more detail to provide you with a greater understanding of what you should be asking. Of course we are here to help you with those discussions.

Act without delay, call us for an initial consultation: +44 (0)1481 753467