Board and Cyber Security

CYBER SECURITY BREAKFAST #001Board and Cyber SecurityLEON FOUCHE22 March 2016

Page 1

CYBER SECURITY Some statistics….

Page 2Board and Cyber Security

CYBER SECURITY

Page 3

WEF - 2016

Board and Cyber Security Source: The Global Risk Report 2016 – World Economic Forum

CYBER SECURITY

CEOs’ fastest-growing concern61% of CEO’s around the globe are concerned about cyber threats

Protecting Intellectual Property and Customer data70% of organisations expressed concern about their inability to protect intellectual property or confidential customer data

Cyber attacks are on the riseThe estimated annual cost of cyber-attacks to the global economy is more than $400 billion

Australia is not immune to cyber attacksIn 2013 cyber attacks affected 5 million Australians at an estimated cost of $1.06 billion

Page 4

Global and Australian statistics

61%

70%

$400bn

$1bn

Board and Cyber Security

Source: Various Internet sources

CYBER SECURITY

Page 5

Data breaches: 2012-2015

Board and Cyber Security

Source: California Data Breach Report – February 2016

CYBER SECURITY

Page 6Board and Cyber Security

CYBER SECURITY

Page 7Board and Cyber Security

Critical assets and risk assessments • Less than a third (32%) of organisations

have identified their critical digital assets (‘crown jewels’)

• Approximately one fifth (19%) are still working on identifying critical assets

• 15% have done no work at identifying critical assets

• Just over a third (34%) of organisations have completed risk assessments of critical assets

• Only 35% of organisations have completed cyber security risk requirement for 3rd parties

• 5% changed 3rd party vendors as a result of cyber security risks

CYBER SECURITY

Page 8Board and Cyber Security

Lacking cyber incident response plans• Majority of organisations (59%)

use internal resources to mitigate cyber risks

• Only 45% have cyber security incident response plans in place

• 34% have no cyber security incident response plans in place

CYBER SECURITY What is expected from the Board

Page 9Board and Cyber Security

CYBER SECURITY

Page 10Board and Cyber Security

Cyber security expectations• What should the Board be responsible for?• What should management be responsible for?• What should practitioners be responsible for?

CYBER SECURITY

Page 11Board and Cyber Security

Questions the Board should be asking themselves • Do we know what our cyber risk profile is – who,

what, why, impact?• Do we know what our critical digital assets (‘crown

jewels’) are?• Have we done proper risk assessments on these? Is

this within our risk appetite?• What are we doing about managing our security

gaps – mitigation (investment) and transfer (cyber insurance)?

• Are we able to respond to a cyber security incident? When was the last time we have tested this?

CYBER SECURITY

Page 12Board and Cyber Security

Cyber resilience checklist