Sanjay Sidhu, Governor, IIA Malaysia, briefs the Board Audit Committee on the checklist of key steps to take to beef up cyber defences.
By Majella Gomes
Why does cybersecurity matter? Because it can cost your business more than financial losses. Loss of reputation can be just as damaging as investor confidence wanes and shareholders rethink their stakes in your business, warned Sanjay Sidhu, Governor, IIA Malaysia, kicking off his presentation on Combating Cyber Risks: What the Audit Committee needs to know, at the recent Audit Committee Conference 2018.
Take social networking giant Facebook, whose involvement in the Cambridge Analytica scandal caused it to lose billions in value practically overnight. That’s only one high-profile case. Sidhu estimated that cybersecurity attacks have wiped out at least USD52.4 billion in share values in recent years, and that global ransomware damage may have crossed the USD5 billion mark in 2017, up from just USD325 million in 2015. As many as 97 out of 100 e-mails are actually phishing attempts that try to obtain confidential information which can then be exploited. Low awareness among those who are already affected, or who are at risk of being phishing targets, further compounds the problem: they may not even be aware that they can report these attacks, even when the incidents are very minor.
EVERY DEVICE IS RISKY
“The threat landscape is huge,” Sidhu said. “Every device (PC, laptop, mobile phone, tablet) represents a threat. You could be hacked by a disgruntled employee. Some people do it for fun. Organised crime conducts attacks to steal data.” In some cases ransomware can even take data hostage, and paying a ransom does not always guarantee that the cyber terrorist will restore access to your data; both the data and the ransom payment can be lost.
He cautioned that security needs to be applied equally to the real and virtual worlds. It is as easy for an employee, for instance, to e-mail information out to a third party, as it is for the information to be printed out in hard copy and carried out of the office. Credentials can be seen, and identities stolen; business reputations can be lost when there is a breach, with far-reaching consequences. Breaches will affect networks and systems and stop users from accessing information. Because of all these alarming possibilities, regulations are already in the pipeline that will hopefully mitigate the negative consequences of such events.
REGULATORS TO THE RESCUE
In Malaysia, the Securities Commission is a frontline combatant in cybersecurity warfare and related regulatory compliance. Australia, China and Singapore are also tightening their relevant laws, and the punitive measures of some of these are causing companies to scramble to put systems in place before the laws take effect. One general characteristic of all impending regulations, Sidhu said, was that companies which have had breaches will be fined because such incidents affect public welfare. While this may not seem fair – since the company stands to lose more than just its data when there is a breach, and be fined on top of that – it does put the responsibility for securing data squarely on companies’ doorsteps.
As those responsible for oversight and good governance, Boards and management have to be constantly aware of how data is being handled, because cyber risk is now an enterprise-level risk. “Those responsible for enterprise can no longer plead ignorance,” warned Sidhu. Data is a company asset and therefore under the firm’s control. It is the duty of companies to ensure its integrity. This includes knowing what resides where, who has access to it and how it is secured. To enable this, training is imperative; staff need to be trained to recognise phishing incidents and act accordingly. Awareness at every level cannot be overemphasised; from the Board to the janitor, everyone should be vigilant because “there is no remedy for cyber threat.”
Since cybersecurity wars are relentless and all-encompassing, what do companies need to know? When managing cyber risk, Sidhu recommended:
- Having a clear policy about how it should be managed; it needs to be seen as one of the items on the Board agenda, and not relegated and delegated as “an IT issue.” “Cyber risk is an enterprise-level risk,” he emphasised.
- Determining whose purview it comes under; setting parameters, access and controls.
- Securing Board commitment to the right level of investments in systems and corrective measures.
- Benchmarking against the systems of your peers.
- Creating a culture of cybersecurity and establishing an entire chain of protection.
- Picking proven, reliable vendors and contractors.
He concluded that Audit Committee members do not need to be technical experts but they do need to be prepared. He urged them to “ask the right questions,” to learn and relearn in order to be well equipped for enforcing cybersecurity, and to have the right beliefs and positive mindsets that they can do this.