Cyber Security And Resilience For Boards - A Guide For Directors, Essay.

‘Countering cyber risk presents a significant strategic challenge to leaders across industries and sectors but one that they must surmount in order to take advantage of the opportunities presented by the vast technological advances in networked technology that are currently in their early stages. Over the past decade, we have significantly expanded our understanding of how to build secure and resilient digital networks and connected devices. However, board-level capabilities for strategic thinking and governance in this area have failed to keep pace with both the technological risks and the solutions that new innovations provide.

Boards have a vital governance function, determining overall company behaviour and setting a company’s risk appetite. For boards, action means effectively exercising oversight by asking managers the right questions to ensure that the boards’ strategic objectives are met. This function is no different in the area of cyber resilience. By offering the following principles and tools, the Forum hopes to facilitate useful dialogue between boards and the managers they entrust with the operation of the companies to which they owe their fiduciary obligations.’

Required

Assume you have been employed as a corporate governance consultant by a company listed on the Australian Stock Exchange and ranked within the ASX 200. The Chairman of the company has decided to address the issue of cyber security at the company board level.

Introduction to Cyber Security and Resilience for Boards

Financial scandals are on the rise again and hence it has become a prime concern for the analysts to focus on the ethical policies that have failed miserably. It is essential for the company to organize a committee to monitor affairs related to the security of the company. The companies still possess a fear that their important data or resources could be hacked illegally. Hence, there is an urgent need to strengthen the web security of the company and overcome the flaws related to it. The study also talks about the investigation followed by an assessment of the matter along with a set of recommendations.

a) The concept of cyber security

Cyber security defines the phenomenon where the web-based systems are protected from any manipulation or stealing through cyber attacks. Accessibility to records and important information of a company through illicit means can leave a disastrous effect on the organization. Cyber security is the as broad term that constitutes of several portions, for example, network security, operational security, disaster recovery, application and information security. The technology is always in its way to development. Therefore, the attacks on information technology are also changing and the prevention measures need constant up gradation. As per the views of Bain and Band (2016), the companies are investing capital in protecting their management and employees from any breach in their security.

The greatest challenge for the cyber department of a company is to constantly supervise the technologies in the market, recent trends in the security methods and threat intelligence.  The different ways in which cybercrime exists are- Social engineering, malware, phishing and ransom ware. Social engineering is a kind of cyber attack where human connections are used to bring out the important information that must not be revealed to any external sources (Collins, 2016 p. 52). Malware is a cyber attack where the computer system is affected badly by the introduction of viruses, Trojan horses and worms. Ransom ware is a kind of malware where the person behind the cyber attack uses cyber encryption to lock important files of the user and in return for decryption asks a huge ransom. The last type of cyber attack is phishing where emails resembling emails from prestigious companies are sent to people to obtain knowledge regarding the company. Ransom ware is the most prevalent of all these cyber attacks. The purpose of cyber security is to protect the institution from any data breaches, cyber crimes and also help in recognizing the theft.

The Importance of Cyber Security and Resilience for Boards

b) Major problems in cyber security

Cyber security falls into the department of enterprise risk management of an organization. In order to recover from a cyber attack, it is necessary for Abacus Property Group Private Limited to have a backup plan, for example, disaster recovery mechanisms (Abacus Property Group Limited, 2018). These mechanisms need to be upgraded at regular intervals to ensure that in case of any unwanted scenario of a cyber attack, the company can resolve its business. In case of backdated disaster recovery strategies that companies have to endure the loss of information and resources or pay huge amounts of ransom to the criminals.

The main challenge that the information technology experts face is that the problem is addressed only when it has worsened to a greater extent. Immediate response to crime could help to some level in preventing breaching of the systems.

c) The investigation into the problems

The present situation points to the immediate up gradation of cyber resilience protocols for they are important to safeguard the sensitive information of every company. It is true that the company spends a lot nowadays to create a team from conserving their data and records. Investigations have also revealed that the customers who do not possess the knowledge of a cybercrime are the main target of the cybercriminals (Lawrence, Praks and Järvenpää, 2017). Improper authentication or accessing unsafe web interfaces make the customers more liable to a cyber attack and may affect the organizations that they are associated with.

The evolution of technology along with the kind of cyber attack has left the companies in a worry. According to Mohamad and Toomey (2016), the up gradation of cyber crimes have taken a negative toll on the business of the organizations by decreasing their revenue. It is necessary to limit these actions and take it to a minimum, but unfortunately, they are not decreasing with time. In spite of the increase in crimes, many companies do not approach to the matter in a serious manner.

The whole world is connected together through various means and ways that they hardly have any knowledge about. The Internet of Things assures that all the devices are interconnected with each other (Sandberg, Amin and Johansson, 2015). The networking comes with a lot of advantages but at the same time, it's a casualty for the customers as well as the organizations. Therefore, it is correct to say that along with the convenience of wider accessibility come a lot of threats including cyber crimes.

The Challenges of Cyber Security and Resilience for Boards

The events of cyber attack have also led to the belief that it is of utmost importance to develop the current disaster recovery solutions and strategies. Thus, the company might be able to cope with the risks that any future attacks may hold. The server less apps provides an opportunity to the cybercriminals to manipulate the data and the security of that information. It is because the customer's information is present in the cloud server rather than the user's device (White Johnstone and Peacock, 2017). Therefore, it is in the hands of the user to build their protection from any cyber attack. In a short note, it is the responsibility of the customer to ensure their own protection.

Another risk that adds in the modern times is the use of crypto currencies like Bitcoin, there, litecoin and Bitcoin cash. These crypto currencies have transformed the displacement of money to a whole new level. According to Tricker and Tricker (2015), the organizations use crypto currencies to perform banking transactions effortlessly. The decentralization of the Bitcoin, innovative technology and a safe yet transparent record of the transaction have attracted a lot of customers to apply crypto currencies for their business purposes (Yung, Debar and Granboulan 2017). As mentioned before, the responsibility of the user determines the level of security of the information (Sani et al. 2018). Any careless action could make the data prone to cyber attack and may increase the risk of bringing out the details of the block chain.

One of the major issues that predominated in the investigation is that the technology used by Abacus Property Group Private Limited is backdated compared with the technology used by the cybercriminals. For the development of cyber resilience, it is crucial to bring together an effective team for limiting cybercrime actions (Aguilera, Judge and Terjesen, 2018). The cyber resilience techniques and methodologies is a big hurdle for the business of any institution. It is crucial to design tools and methods to improve the understanding, look for certainty and build transparency in the system. The threat of cybercrime must be taken seriously like any other threat that the company faces and deals with it tactically.

It has been observed that due to backdated cyber resilience techniques, the company has undergone a lot of problems. It has faced a decline in its profits and revenue (Schiehll, Ahmadjian and Filatotchev, 2014). It has also witnessed the loss of personal details of their customers and the stakeholders of Abacus Property Group Private Limited.

Types of Cyber Attacks

d) Analysis of the situation

On the assessment of the case, it is evident that the company of Abacus Property Group Private Limited must develop their committee of security professionals. There are several principles of the board of cyber resilience is not effectively followed by the company's management. In order to win the struggle against the cybercriminals and stay a step forward, it is essential for the company to remove all backdated strategies implemented by the company. As stated by Ding et al. (2018), the leaders of the company have to protect data from any unwanted access by authorizing every worker's identification with the company. The cybercrime has hampered the profits of the company and gathered information from the customers.

The risk of combating the challenges of cyber resilience requires the adoption of a well-planned methodology which Abacus Property Group currently lacks. They also do not possess any artificial intelligence that could help to protect their sensitive information (Foroughi et al. 2016 p.75).

Digitization has many advantages along with its shortcomings. The company tries its best to ensure that the durable connections are presented to everyone in the organization (Honoré, Munari and de La Potterie, 2015). As the number of attacks increases in global and national companies, thousands of data records and information are stolen which may amount to millions of dollars? As per the views of the World Economic Forum (2017), the data could be credit card details or other bank information and data regarding the property of the individual.

Abacus Property Group also has a team that contributes to the assessment of the traditional risks of the company (Abacus Property Group Limited, 2018). Unfortunately, the company falls behind when the risk assessment of cyber crimes is concerned. The possible reasons could be the absence of an advanced software or minimal communication among the employees and the higher authorities. As per the views of Shackelford (2016), the analysis of the case also presented some specific findings like the absolute uncertainty of cyber crimes, unpredictability and the constant metamorphosis of the cyber risks.

Figure 1: Relationship between critical and systemic functionality

(Source: Khader, 2016 p.26)

It is to be noted that the cyber resilience comprises of psychological, social-ecological, organizational and engineering views. Resilience engineering of the company is also on the way to development. It is defined as the capability of the processes and systems to adjust to shocks in the cyber world (Australian Government information security management protocol, 2018). Resilience helps to emphasize the gaps between the different fields and how the systems respond to the cyber attacks and also recover from the situation. As opined by Turel, Liu and Bart (2017), the other competitors have thus had a competitive advantage over the Abacus Property Group. The company has witnessed cyber attacks which have left a negative impact on the stakeholders and its customers.

Cyber Security and Resilience Measures

Figure 2: Cyber resilience domains

(Source: Kopp, Kaffenberger and Jenkinson 2017 p.50)

The company, Abacus Property Group, can integrate a proper and advanced artificial intelligence system. As it is a one-time investment, it can benefit the company in a lot of ways. The additional protection that artificial intelligence would provide along with the efficiency cannot match that of any human’s. They do not require payment, work for free and can work punctually like no human. As the timing of protection of data is the most important criterion for the governance board, artificial intelligence systems can deliver a lot of benefits. The block chain in case of crypto currencies is a decentralized system as well as transparent. It can help to reveal any discrepancy in the system or unwanted banking transactions that might have happened without the knowledge of the user. The various board principles from cyber resilience are as follows.

The board must be completely accountable for all the actions and protocols that have been taken against cyber crimes. It is recommended that the board of Abacus Property Group holds relevant discussions regarding the matters of cyber resilience. The establishment of a committee can also help to control the cyber attacks efficiently. The committee must consist of members who have complete knowledge of the nature of cyber crimes and what measures can help to guard the sensitive information of the company.

It is recommended that the board members have experience on how the designing of cyber resilience must be incurred in the systems of Abacus Property Group. Continuous assessment of the approach of cyber resilience must be done and checked with the nature of upcoming cyber threats.

A corporate officer can help to summarize the events of cyber resilience in the company. The officer can also help to guide the board for achieving the goals of cyber resilience. The corporate office must completely be informed about the responsibilities and roles that the individual had been hired for.

The resources and cyber threats must be integrated into the management to help evaluate whether the current risk management strategy is suitable to eradicate the former.

Abacus Property Group must also ensure that the cyber resilience strategy helps to maintain the balance between corporate methodologies and risk appetite.  It must also be addressed by the board of the impact of cyber resilience on the business of the company like the quality of services or products.

The Responsibility of Companies and Customers in Cyber Security

A briefing of the management of cyber resilience systems must be presented to the leaders of the board for regular assessment.

The officer in charge of the formulation of strategies must supervise whether the planning of the resilience strategies is in synchronization with Abacus Property Group.

The company also motivates the collaboration with different stakeholders from sustaining the discipline of cyber resilience.

It is advised that reviews of the formulated methodologies are as important as their enforcement. In order to maintain a well planned cyber resilience system, the company must critically look into the details that the reviewers provide.

Conclusion

From the above case study, it can be stated that the cyber resilience has grown to be an important sector in the present times. The study has also reflected on how the cyber attacks take place and the different kinds of attack. Ransomware, phishing and malware are some of the kinds of cyber attack. The cybercriminals ask for a huge ransom from the companies to prevent leaking of their data. The world is continuously witnessing a development in the technology and the cyber world which has increased the importance of the need for a board of cyber resilience. It is also necessary that the board of cyber resilience in Abacus Property Group undergoes development on the above-stated recommendations. The recommendations include recruiting a corporate officer, adoption of responsibilities of the board and the integration of cyber resilience.  The board must use their knowledge on cyber crimes and formulate techniques to prevent them from causing harm to the organization of Abacus Property Group.

Reference List

Books

Bain, N. and Band, D., (2016). Winning ways through corporate governance. USA: Springer. Available at https://scholar.google.co.in/scholar?as_ylo=2014&q=board-level+capabilities+for+strategic+thinking+and+governance+in+this+area+have+failed+to+keep+pace+with+both+the+technological+risks+&hl=en&as_sdt=0,5 [Accessed 26^th August 2018]

Collins, A., (2016). Contemporary security studies. London: Oxford university press. Available at https://scholar.google.co.in/scholar?as_ylo=2014&q=Countering+cyber+risk+presents+a+significant+strategic+challenge&hl=en&as_sdt=0,5 [Accessed 27^th August 2018]

Foroughi, P., Marcus, A.J., Nguyen, V. and Tehranian, H., (2016). Peer effects in corporate governance practices: Evidence from universal demand laws. Available at https://scholar.google.co.in/scholar?hl=en&as_sdt=0%2C5&as_ylo=2014&q=corporate+governance+practices&oq=corporate+governance [Accessed 28^th August 2018]

Khader, M. ed., (2016). Combating violent extremism and radicalization in the digital era. Pennsylvania: IGI Global. Available at https://scholar.google.co.in/scholar?hl=en&as_sdt=0%2C5&as_ylo=2014&q=Countering+cyber+risk+i+australia&btnG= [Accessed 27^th August 2018]

Kopp, E., Kaffenberger, L. and Jenkinson, N., (2017). Cyber risk, market failures, and financial stability. USA: International Monetary Fund. Available at https://scholar.google.co.in/scholar?hl=en&as_sdt=0%2C5&as_ylo=2014&q=Countering+cyber+risk+i+australia&btnG= [Accessed 28^th August 2018]

Tricker, R.B. and Tricker, R.I., (2015). Corporate governance: Principles, policies, and practices. London: Oxford University Press. Available at https://scholar.google.co.in/scholar?hl=en&as_sdt=0%2C5&as_ylo=2014&q=corporate+governance+practices+in+Australia&btnG= [Accessed 25^th August 2018]

Journals

Aguilera, R.V., Judge, W.Q. and Terjesen, S.A., (2018). Corporate governance deviance. Academy of Management Review, 43(1), pp.87-109. Available at https://scholar.google.co.in/scholar?hl=en&as_sdt=0%2C5&as_ylo=2014&q=corporate+governance+practices&oq=corporate+governance [Accessed 27^th August 2018]

Ding, D., Han, Q.L., Xiang, Y., Ge, X. and Zhang, X.M., (2018). A survey on security control and attack detection for industrial cyber-physical systems. Neurocomputing, 275, pp.1674-1683. Available at https://scholar.google.co.in/scholar?hl=en&as_sdt=0%2C5&as_ylo=2014&q=cyber+security+and+resilience+protocols+in+Australia&btnG= [Accessed 27^th August 2018]

Honoré, F., Munari, F. and de La Potterie, B.V.P., (2015). Corporate governance practices and companies’ R&D intensity: Evidence from European countries. Research policy, 44(2), pp.533-543. Available at https://scholar.google.co.in/scholar?hl=en&as_sdt=0%2C5&as_ylo=2014&q=corporate+governance+practices&oq=corporate+governance [Accessed 30^th August 2018]

Lawrence, T., Praks, H. and Järvenpää, P., (2017). Building Capacity for the Global Strategy: Companion Report. Available at https://scholar.google.co.in/scholar?as_ylo=2014&q=Countering+cyber+risk+presents+a+significant+strategic+challenge&hl=en&as_sdt=0,5 [Accessed 28^th August 2018]

Mohamad, S. and Toomey, M., (2016). A survey of information technology governance capability in five jurisdictions using the ISO 38500: 2008 framework. International Journal of Disclosure and Governance, 13(1), pp.53-74. Available at https://scholar.google.co.in/scholar?as_ylo=2014&q=board-level+capabilities+for+strategic+thinking+and+governance+in+this+area+have+failed+to+keep+pace+with+both+the+technological+risks+&hl=en&as_sdt=0,5 [Accessed 28^th August 2018]

Sandberg, H., Amin, S. and Johansson, K.H., (2015). Cyberphysical security in networked control systems: An introduction to the issue. IEEE Control Systems, 35(1), pp.20-23. Available at https://scholar.google.co.in/scholar?hl=en&as_sdt=0%2C5&as_ylo=2014&q=cyber+security+and+resilience+protocols+&btnG= [Accessed 26^th August 2018]

Sani, A.S., Yuan, D., Jin, J., Gao, L., Yu, S. and Dong, Z.Y., (2018). Cyber security framework for Internet of Things-based Energy Internet. Future Generation Computer Systems. Available at https://scholar.google.co.in/scholar?hl=en&as_sdt=0%2C5&as_ylo=2014&q=cyber+security+and+resilience+protocols+&btnG= [Accessed 28^th August 2018]

Schiehll, E., Ahmadjian, C. and Filatotchev, I., (2014). National governance bundles perspective: Understanding the diversity of corporate governance practices at the firm and country levels. Corporate Governance: An International Review, 22(3), pp.179-184. Available at https://scholar.google.co.in/scholar?hl=en&as_sdt=0%2C5&as_ylo=2014&q=corporate+governance+practices&oq=corporate+governance [Accessed 26^th August 2018]

Shackelford, S.J., (2016). Protecting intellectual property and privacy in the digital age: The use of national cybersecurity strategies to mitigate cyber risk. Chap. L. Rev., 19, p.445. Available at https://scholar.google.co.in/scholar?hl=en&as_sdt=0%2C5&as_ylo=2014&q=Countering+cyber+risk+i+australia&btnG= [Accessed 30^th August 2018]

Turel, O., Liu, P. and Bart, C., (2017). Board-level information technology governance effects on organizational performance: The roles of strategic alignment and authoritarian governance style. Information Systems Management, 34(2), pp.117-136. Available at https://scholar.google.co.in/scholar?as_ylo=2014&q=board-level+capabilities+for+strategic+thinking+and+governance+in+this+area+have+failed+to+keep+pace+with+both+the+technological+risks+&hl=en&as_sdt=0,5 [Accessed 29^th August 2018]

White, T., Johnstone, M.N. and Peacock, M., (2017). An investigation into some security issues in the DDS messaging protocol. 29^th August, pp.50-100. Available at https://scholar.google.co.in/scholar?hl=en&as_sdt=0%2C5&as_ylo=2014&q=cyber+security+and+resilience+protocols+in+Australia&btnG= [Accessed 29^th August 2018]

Yung, J., Debar, H. and Granboulan, L., (2017). Security of cyber-physical systems: an old idea. Available at https://scholar.google.co.in/scholar?hl=en&as_sdt=0%2C5&as_ylo=2014&q=cyber+security+and+resilience+protocols+&btnG [Accessed 29^th August 2018]

Website

Abacus Property Group Limited (2018) Company website Available from https://www.abacusproperty.com.au/ [Accessed on 29^th August 2018]

Australian Government information security management protocol (2018) Company website Available from https://www.protectivesecurity.gov.au/informationsecurity/Pages/Australian-Government-information-security-management-protocol.aspx [Accessed 27th August 2018]

World Economic Forum (2017) Company website Available from https://www3.weforum.org/docs/IP/2017/Adv_Cyber_Resilience_Principles-Tools.pdf [Accessed 27th August 2016]