Cyber Security and the Audit Committee
What are the common reasons for the issues and challenges in strategy, risk management and dialog with stakeholders on IT governance that relate to cyber security?
The Copenhagen Compliance conference provides the appropriate forum to discuss corporate governance and management issues of the audit committee. In this newsletter, we focus on cyber security: the threats are real and not just spin.
The audit committee must stress the importance of incorporating cyber security into the company's enterprise risk management (ERM) framework and processes to understand the risks, assess their impact and calibrate the appropriate mitigation.
The hype around cyber security is fully justified because companies face a number of cloud challenges. Companies must meet these new IT security issues in relation to governance, risk management, compliance, systems, networks and the wider IT security backdrop. Boards need to focus more on cyber security, asking intelligent questions of the IT managers and management, and using outside experts.
The urgency and seriousness of cyber risks
The Internet plays an increasingly vital role in all aspects of the corporate profile, including the infrastructure for communication and commerce. The security risks associated with cyberspace are cyclical; however, the main focus is on the confidentiality, integrity and availability of sensitive information.
In-depth defense is required to safeguard against cyber attacks. The seriousness of the audit committee's effort depends on the nature and character of the problem, issue or business that must be safeguarded. The board of directors, in its scenario planning exercises, must take into account the possibility that an adversary is capable of targeting physical assets and data warehouses and of other hacker-related activities. Attackers use a variety of techniques to achieve objectives such as stealing competitive intelligence and intellectual property, siphoning off bills or resources, or disrupting operations.
Threats must be balanced against objectives
In performing the scenario planning, the committee must understand that attackers will harm business networks, even if the IT perimeter defenses are as tough as the supplier often claims.
Companies should establish comprehensive, in-depth defenses that include prioritizing protection of the most vital information and implementing real-time monitoring to recognize and respond to intrusions, along with other measures to prevent the business from being an easy target. At the same time, cyber security measures must be balanced against other company objectives, such as production or collaboration across enterprise boundaries.
Audit committees are now getting more engaged on cyber security issues and are only beginning to address the problem as they do other material risks. The committee must also seek input from internal and outside experts to address the unbalanced opportunities of the Internet.
Confidentiality. A compliance issue related to data protection. Attackers can find and exploit sensitive information, such as personal information about employees or customers, or company information about products, analysis or strategies.
Integrity. A governance, risk management and compliance issue, because attackers can manipulate data so that it is no longer accurate and reliable. Software code can also be altered, changing the behavior of critical applications.
Availability. An IT security issue where attackers can destroy data or terminate access to it. They can delete data in databases or just bring down a server with a denial-of-service attack.
The impact of such attacks can be harmful. A leading London-listed company estimates that it incurred revenue losses of some £800m as a result of a hostile cyber attack due to loss of intellectual property and commercial disadvantages in contractual negotiations.
Hackers may penetrate industrial control processes and manipulate them to harm machines or systems, including critical infrastructures.
Let's not underestimate the reality of the cyber security threat: it happens almost daily.