Seven Cyber Security Questions a Board Needs to Ask!

by Tony Richardson CISSP

So just how many SMBs discuss cyber security at a board level? When was the last time you actually had a meeting with your current service provider around cyber security strategy and controls?

They used to say there are only two certain things, death and taxes — but now there are three. Sooner or later, every business will be targeted by cyber criminals.

Every company should have people responsible for cyber security, whether they’re in house or contracted out, but it’s an area the Board of Directors needs at least to understand. Recent research by Harvard Business Review, however, suggests that nearly one in ten Boards don’t ever discuss cyber security.

If you’re worried that, as a Director, you don’t know enough about your company’s cyber security strategy, what are the questions you need to ask?

1. How Are We Protecting Our Most Important Assets?

It’s impossible to fully protect every aspect of your organisation, so you need to know where it’s most important to target your resources. What are your most vital assets? Is it the company IP? Your customer data? Or is it your systems and operational processes? Once you’ve decided that, you can prioritise where to focus your strongest security.

2. What Layers of Protection Do We Have?

Effective cyber security relies on multiple layers of risk management. These might range from technical defences to policies and procedures on how to approach cyber security issues. Designing and implementing these layers should be left to the experts, but the Board should understand what they are.

3. How Do We Detect a Breach?

While preventing breaches is crucial to cyber security, it’s equally important to know as soon as possible if one has happened. Many breaches aren’t detected until some time after they occur, and the longer it takes to put your procedures into action, the more damage can be done. Do you know how your organisation detects breaches?

4. What Response Plans Are in Place?

If your systems are breached, you need to know what the response plan is and what you as a Board member should do. Or should you simply stay out of the way and leave it to the experts? Who has the responsibility for alerting the authorities and speaking to customers, suppliers and the press? It’s also vital to know whether or not the policy is to pay any ransom demanded.

5. What Part Will the Board Play in an Incident?

In any kind of crisis, it can make all the difference if everyone’s clear on what they need to do. As a Board member, you may need to be available for meetings with the executive officers to make decisions, such as paying a ransom. As with any crisis training, holding exercises can go a long way to ensuring you’re ready as soon as a real incident happens.

6. Are There Business Recovery Plans in Place?

There should be a range of business recovery plans covering the different circumstances a cyber breach can create. Can your data be recovered easily, or has it been corrupted or destroyed? The Board needs to be clear about what the business recovery plans are and whether they’ve been tested against a cyber breach.

7. Have You Invested Enough in Cyber Security?

The last thing you want is to have to wait for a real cyber attack to find out whether your investment in cyber security is adequate. The Board will need to investigate whether your company has both the technology and the human expertise needed. The best way of assessing this is to run penetration or vulnerability tests, attack simulations, or preferably both.

Your job as a Board member isn’t to have the skills to ensure your company’s cyber security is robust, or even to formulate and implement policies and procedures. However, you do have the responsibility to ask the relevant questions to ensure all this is in place.

Get in touch with us to find out more about keeping your company safe from cyber attacks.