Cyber risk questions the Board needs to ask about COVID-19

Assuming that good practices and training for working from home have previously been in place. This is highly unlikely.  It might have been the case for regular homeworkers in organisations with top class IT security functions.  But how far is that covering all those many, many others who have found themselves with no choice but to use what they have?  And even with good controls and a strong risk awareness, new risks need new levels of caution.  This isn’t a time to be taking things for granted.  To understand how far things are under control, you’ll probably need to get the Chief Security Officer or CTO into the room.

Assuming that the pre-crisis cyber risk response is still adequate to meet the new threat levels.  For example, your staff might know to avoid phishing emails, but hackers are seeing great opportunities as people are tempted to open emails providing news and guidance on COVID-19.  Even the tightest of organisations needs to refresh its people’s awareness, simply because hackers are quickly detecting new ways in, raising the potential scale of attacks.

Allowing management to carry on managing resources in the same old way even though the game’s changed.  In the same way the government has had to open the financial floodgates to manage the risk, boards might need to make sure that management is not putting the organisation at major risk by allowing constraints or unwieldy approval procedures to get in the way.  Sometimes there isn’t much that can be done.  But be sure you aren’t managing relatively minor risks at the expense of much bigger ones.

Failing to think through the human consequences of where we are and how these have changed the cyber risks.  The threat from insiders is an old one – but from a tiny number who were previously constrained by internal security measures and physical oversight.  Now the numbers have changed – whether it’s intended actions from the disgruntled, or misguided behaviour from those suffering emotional anguish.  Boards need to understand how management is assessing the behavioural angle and not just assume that the old methods of control remain sufficient.

Thinking narrowly. Yes, the systems are important, but the required solutions are known (patching, two-factor authentication, VPN use, etc) and can be policed remotely. It’s the physical ones that are tough to tackle – they will be near-impossible to police remotely. More than anything else, it requires individual staff members to take responsibility by acting in a very disciplined way. It will often come down to culture – and that’s certainly an area boards should be asking about.

Assuming this all falls to the CTO and IT department. They may understand that it’s up to them to tackle the systems-related risks. But what about the softer behavioural and working-from-home risks? Accountabilities need to be clear. This means that the CEO needs to set out for the Board who is responsible for what, and this needs to be aligned with the updated risk profile.

Just relying on assurances that things are covered by the IT Policy. That’s something everybody is supposed to have received and read – but as we all know, that doesn’t necessarily get us very far… Even if it is easy to find (quite a big if), it almost certainly won’t do justice to the new state of affairs. The Board Audit/Risk Committee can’t avoid getting into the detail on this one – they need to take a look to make sure management has covered the ground and communicated in a clear and understandable way. If the NEDs can’t understand what’s required, what chance does everyone else have?

Going silent at the top level.  It’s obvious that, in a time of crisis, very visible leadership from the top is essential.  Most of the time, of course, that’s up to the Executive.  But in some areas – ethics, cyber security, confidentiality – some visible leadership from the directors can help hammer the message home.