13 Questions for boards to ask about cyber security by Australian Cyber Security Centre – ACSC

Cybercriminals and state-sponsored actors are using sophisticated techniques to compromise Australian organisations. The ACSC responds to attacks against Australian organisations every day, with the biggest threats including:
- ransomware
- exploitation of security vulnerabilities
- software supply chain compromises
- business email compromise.

Simply installing the latest technology in your business is not sufficient. Failing to invest in your organisation’s cyber security could lead to costly attacks, interruptions to operations, reputational damage, legal liabilities and more.

Understanding and managing cyber security risks within your organisation – as with any other business risk – is a key responsibility to protect your organisation and shareholders.

Why should boards be concerned about cyber security?

If exploited by malicious actors, cyber security vulnerabilities have the potential to significantly disrupt your business operations, incur significant incident response costs, damage your organisation’s brand and reputation, and depending on the response of the board, may be a cause of shareholder or regulatory action.

Managing this risk requires strong leadership from the board, working in concert with executives and technical teams to understand the organisation's exposure and take actions appropriate to the individual organisation. Encouraging an organisational design and culture that supports cyber security is important, and supporting technical experts and IT departments is essential.

What is the organisation’s threat and risk environment?

Understanding which IT systems are critical to your core business, and how they could be exposed, is integral to managing cyber risks. Boards need to understand the risks facing their organisations before they can respond to them effectively.

Do boards understand the organisation’s threat and risk environment?

Boards should proactively build an understanding of their organisation’s specific cyber threat and risk environment. Understanding and managing cyber security risk within the organisation, as with any other business risk, is a key responsibility to protect the company and its shareholders and an important aspect of fulfilling your duties and obligations as directors. The board should seek to understand as much as possible about cyber security risks with a view to understanding what information technology systems are critical for the organisation’s core business, how they could be exposed to cyber threats and what mitigations are in place to control risks to those systems.
