Cyber Security for Board Members
As a Board member you need to understand enough about cyber security so you can have a fluent conversation with your experts.
Good cyber security is all about managing risks. The process for improving and governing cyber security will be similar to the process you use for other organisational risks. It is a continuous, iterative process.
What is cyber security?
Cyber security is the protection of devices, services and networks - and the information on them - from theft or damage via electronic means.
What do I need to know about cyber security?
There are three common myths concerning cyber security. Understanding why they're incorrect will help you understand some key aspects of cyber security.
Myth #1: Cyber is complex, I won't understand it.
Reality: You don't need to be a technical expert to make an informed cyber security decision.
We all make security decisions every day (whether to put the alarm on, for example) without necessarily knowing how the alarm works. Boards regularly make financial or risk decisions without needing to know the details of every account or invoice. The Board should rely on its cyber security experts to provide insight, so that the Board can make informed decisions about cyber security.
Myth #2: Cyber attacks are sophisticated, I can't do anything to stop them.
Reality: Taking a methodical approach to cyber security and enacting relatively small changes can greatly reduce the risk to your organisation.
The vast majority of attacks are still based upon well-known techniques (such as phishing emails) which can be defended against. Some threats can be very sophisticated, using advanced methods to break into extremely well-defended networks, but we normally only see that level of commitment and expertise in attacks by nation states. Most organisations are unlikely to be the target of a sustained effort of this type, and even those that are will find that the most sophisticated attacker still starts with the simplest and cheapest option, so as not to expose their advanced methods.
Myth #3: Cyber attacks are targeted, I'm not at risk.
Reality: Many cyber attacks are opportunistic and any organisation could be impacted by these untargeted attacks.
The majority of cyber attacks are untargeted and opportunistic in nature, with the attacker hoping to take advantage of a weakness (or vulnerability) in a system, without any regard for who that system belongs to. These can be just as damaging as targeted attacks; the impact of WannaCry on global organisations - from shipping to the NHS - is a good example. If you’re connected to the internet then you are exposed to this risk. This trend of untargeted attacks is unlikely to change because every organisation - including yours - will have value to an attacker, even if that is simply the money you might pay in a ransomware attack.
The findings from the Cyber Security Breaches Survey below show just how many organisations are coming under cyber attack and how organisations are responding to this risk. Further information is provided in the full report.
How do cyber attacks work?
A good way to increase your understanding of cyber security is to review examples of how cyber attacks work, and what actions organisations take to mitigate them. Reviewing incidents that have occurred within your organisation is a good place to start.
In general, cyber attacks have 4 stages:
- Survey - investigating and analysing available information about the target in order to identify potential vulnerabilities.
- Delivery - reaching the point in a system from which an initial foothold can be established.
- Breach - exploiting the vulnerability/vulnerabilities to gain some form of unauthorised access.
- Affect - carrying out activities within a system that achieve the attacker’s goal.
Defending against cyber attacks
The key thing to understand about cyber security defences is that they need to be layered and include a range of measures, from technology solutions to user education to effective policies. The infographic below gives examples of defences that will help your organisation to combat common cyber attacks. Our section on Implementing effective cyber security measures provides further detail and questions that you can use to understand more about your own organisation's defences.
As a Board member, you will be targeted
Senior executives or stakeholders in organisations are often the target of cyber attack, because of their access to valuable assets (usually money and information) and also their influence within the organisation.
Attackers may try to directly target your IT accounts, or they may try to impersonate you, for example by using a convincing-looking fake email address. Once they have the ability to impersonate you, a typical next step is to send requests to transfer money that do not follow due process. These attacks are low cost and often successful because they exploit the reluctance of staff to challenge a non-standard request from someone higher up in the organisation.
Good cyber security awareness throughout your organisation, security policies that are fit for purpose and easy reporting processes will all help to mitigate this risk. It is also critical that Board members understand and follow their organisation's security policies, so that when an impersonator tries to circumvent them, staff can identify that something is unusual.
You should also consider how information about you that is publicly available could assist an attacker who is trying to impersonate you.
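One concrete way an organisation can detect the impersonation described above, as an added example that is not part of the NCSC article: a check over inbound From: headers that flags a senior executive's display name arriving from an external domain, and sender domains that are look-alikes of the organisation's own. The organisation domain, the executive names and the sample headers are constructed for illustration.

```python
# Added example (not from the NCSC article): flag From: headers that look like
# executive impersonation via a convincing-looking fake email address.
# ORG_DOMAIN, EXECUTIVES and SAMPLE_HEADERS are constructed values.
from email.utils import parseaddr

ORG_DOMAIN = "example.org"                 # constructed: the organisation's own domain
EXECUTIVES = {"jane smith", "raj patel"}   # constructed: display names staff will trust


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (e.g. 'rn' for 'm')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str) -> list:
    """Return the reasons (possibly none) that this From: header looks like impersonation."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    # A trusted executive's name, but the mail did not come from our domain.
    if name.strip().lower() in EXECUTIVES and domain != ORG_DOMAIN:
        reasons.append("executive display name from external domain")
    # A domain within two edits of ours is a classic look-alike registration.
    if domain and domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2:
        reasons.append("look-alike domain")
    return reasons


# Constructed sample headers: one genuine, two impersonation attempts, one unrelated.
SAMPLE_HEADERS = [
    "Jane Smith <jane.smith@example.org>",
    "Jane Smith <jane.smith@exarnple.org>",
    "Raj Patel <rpatel.ceo@gmail.com>",
    "IT Support <help@example.org>",
]


def scan(headers: list) -> dict:
    """Map each flagged header to its reasons; clean headers are omitted."""
    return {h: r for h in headers if (r := assess_sender(h))}


if __name__ == "__main__":
    for header, reasons in scan(SAMPLE_HEADERS).items():
        print(f"FLAG {header}: {', '.join(reasons)}")
```

Such a check belongs alongside, not instead of, the reporting process the text recommends: its output is a prompt for staff to verify a request out of band.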
Source: Taken from this NCSC article.