Here are my slides on "Board and Cyber Security" that I presented at the Just People Information Security breakfast this morning. Thanks Adam for arranging the breakfast and those who attended.
3. CYBER SECURITY
WEF - 2016
Board and Cyber Security
Source: The Global Risk Report 2016 – World Economic Forum
4. CYBER SECURITY
CEOs' fastest-growing concern
61% of CEOs around the globe are concerned about cyber threats
Protecting intellectual property and customer data
70% of organisations expressed concern about their inability to protect intellectual property or confidential customer data
Cyber attacks are on the rise
The estimated annual cost of cyber attacks to the global economy is more than $400 billion
Australia is not immune to cyber attacks
In 2013 cyber attacks affected 5 million Australians at an estimated cost of $1.06 billion
Global and Australian statistics
Source: Various Internet sources
5. CYBER SECURITY
Data breaches: 2012-2015
Source: California Data Breach Report – February 2016
7. CYBER SECURITY
Critical assets and risk assessments
• Less than a third (32%) of organisations have identified their critical digital assets ('crown jewels')
• Approximately one fifth (19%) are still working on identifying critical assets
• 15% have done no work on identifying critical assets
• Just over a third (34%) of organisations have completed risk assessments of critical assets
• Only 35% of organisations have completed cyber security risk requirements for third parties
• 5% changed third-party vendors as a result of cyber security risks
8. CYBER SECURITY
Lacking cyber incident response plans
• The majority of organisations (59%) use internal resources to mitigate cyber risks
• Only 45% have cyber security incident response plans in place
• 34% have no cyber security incident response plans in place
10. CYBER SECURITY
Cyber security expectations
• What should the Board be responsible for?
• What should management be responsible for?
• What should practitioners be responsible for?
11. CYBER SECURITY
Questions the Board should be asking themselves
• Do we know what our cyber risk profile is – who, what, why, impact?
• Do we know what our critical digital assets ('crown jewels') are?
• Have we done proper risk assessments on these? Is the residual risk within our risk appetite?
• What are we doing about managing our security gaps – mitigation (investment) and transfer (cyber insurance)?
• Are we able to respond to a cyber security incident? When did we last test this?