Cyber risk during the crisis: Checklist

Questions a Board needs to ask management around home working:

The changing system risks

  • How have the external threats changed for us, e.g. from phishing and other ways hackers are taking advantage of the situation?
  • What is our organisational level of exposure relating to mass home working from unverified systems and software – and from the wider use of devices?
  • What restrictions are being applied on confidential discussions and data transfer through the various media?  Where unrestricted, how are the risks managed?
  • How far are our usual protections coping in response to the change in risks?
  • What constraints/procedures are getting in the way of responding quickly to threats?
  • Are internal systems and resources overloaded? Do extra budgets need releasing?

The people and behavioural threats

  • How have we refreshed people’s awareness and explained the new risk levels?
  • What is our assessment of any change in “the people threats”? How are the risks of attack or fraud from disgruntled or stressed employees changing?
  • How are we adapting controls to take into account the lack of direct physical supervision, monitoring or control?
  • What briefing has been given to employees about working on confidential or personal data when other people are in the home?
  • Have risks such as data or confidentiality breach, accidental insider status, etc. been considered, and have the related rules and warnings been communicated?
  • What are we doing to maintain GDPR standards when the risks of unauthorised access to personal data have increased?
  • What steps are we taking to strengthen the culture so each staff member working from home takes responsibility and applies strict self-discipline?

Communication and responsibilities

  • Who at senior management level is responsible for managing the various developing risks?  And who is responsible for monitoring and managing the softer behavioural risks?
  • What is the revised cyber communication strategy?  And the CEO’s role in messaging?
  • How is the Board communicating leadership in its own working from home behaviours?
