Cyber risk and the board
Board members need to be decisive when approaching cyber challenge
We often hear about serious cyber-attacks in the news, involving data leaks and ransoms. Are cyber-attacks increasing, and why? What should a board member know about cyber? In this interview, our cyber professional Antti Herrala, Partner in our Cyber Risk practice, discusses with Jo Iwasaki why the board should be involved in cyber defence and how it can be prepared.
Cyber security is a strategic issue because, for cyber criminals, a business is attractive if it has anything valuable. If criminals successfully steal what is strategically valuable to the business, they can demand a big ransom for it or damage its value proposition by stealing it while remaining hidden for potentially a long time.
Cyberattacks are on the rise, and the trend was there already before Covid-19. But since Covid-19, there has been an almost exponential increase. The rapid transition to remote work has resulted in weaker controls against cyberattacks, in contrast with what would have been available if people had been in the office. In addition to the number of attacks increasing, cyber criminals have become more successful in their attempts.
What are the most common cyber threats in Finland?
Phishing attacks have increased a lot – it is quite easy to create an email that people would click on. This is how an attacker can get through the controls. The quality of phishing emails has improved – you could easily recognise old phishing emails because of poor grammar, unusual email addresses, etc. But now, these are very professional. Even a careful person can be tricked, unfortunately.
Ransomware attacks are also on the rise – criminals get into the system and encrypt it, and then they ask you to pay the ransom. If you pay, they will decrypt the system and you can access your data again. But the problem is that they can do it again, since the criminals know your system inside out. And if you decide not to pay the ransom, you will need to build the system from scratch, which is very costly too.
Would it be fair to assume that ransomware attacks happen mainly to larger businesses that can pay a large ransom?
Ransomware attacks happen to businesses of all sizes, and they happen in Finland too, although people may not hear much about it. Criminals are quite open about whom they are going to target. Businesses are global and well connected today, and criminals identify where they can get money and attack. But companies often do not want to publicise such incidents: they affect their brands by making businesses look vulnerable, to which customers would react negatively.
Who should take the lead in preventing and responding to attacks within a company? What can the board do to help?
In many cases, it is the chief information security officer (CISO) who deals with day-to-day cyber security matters. But in the case of a ransomware attack, the response will involve the top management and the board.
Boards of directors take a lot more interest in the topic today, and it should be on the board agenda, but the level of involvement differs significantly: some are better prepared for cyber security, which is also discussed by the board, following for example the CISO's report at the quarterly board meeting. On the other hand, there are boards that aren't clear on how they might address the issue.
Companies are more likely to approach cyber security strategically if boards are asking questions about the company's investment in cyber security and its development. In Finland, within the last year or two, many companies have moved from having one or two cyber security professionals to building a team around cyber security. This has been a great change.
Most CISOs nowadays regularly attend the board meetings, and they are better connected with the rest of the executive team, which acts on strategy.
Who within the board would look after the cyber and technology related risks?
Most commonly that’s the audit committee, although globally there has also been a development where other committees have begun to be involved. There should also be a person or persons who really understand cyber. They don't need to be technical specialists, but they need to understand the risks that cyber can bring. Cyber is everywhere; it is not a separate topic from the core of the business.
What are cyber criminals looking to attack or is it impossible to generalise?
It depends on who is planning the attack. For example, those who are planning phishing or ransomware attacks are generally after money, although in the case of phishing, their target may be more than just money.
But there are other kinds of criminals. For example, those who attack governments are interested in data. Others are interested in intellectual property or R&D information because these are valuable. Imagine that your R&D information is stolen prior to your launching a new product. The theft of this type of information can cause businesses a lot of damage. In contrast with a ransomware attack, where you will know that your system is under attack, in intellectual property theft cases criminals would try to stay hidden in the system for one or two years, or indeed as long as they can, and all this time valuable information is leaking outside.
Cyber war is also happening all the time. Governments are trying to get access into the systems of strategically important companies; the attackers stay there hidden quietly, and if or when something happens, they would break the energy system or something else. This can also happen to private companies. If you think about a bank, for example, if a major attack is launched at a critical time, it can affect the entire financial system. A similar thing can be said about insurance, energy, or telecommunication companies. So, it is not just governments or large companies that are targeted. If you have any interesting information or a strategic role, you are attractive to cyber criminals.
What should an average board member know about cyber risks?
They should have a good understanding of cyber risks. It doesn’t mean that they need to be technical and understand the available tools, but they need to understand the big picture and be able to ask the right questions. For example, the board may ask the CISO: ‘Do we have a cyber strategy and development roadmap that is linked to business needs?’ or ‘How do we follow and guarantee that security policies are implemented and followed all over the organisation?’
An ordinary board member can probably obtain that level of knowledge from reading newspapers and business journals. But there should be some board members who know more, who have some kind of IT background so that they can understand the technical matters. Again, they don’t have to have a deep technical understanding, but they need to stay up to date. Kyberturvallisuuskeskus, the Government-hosted website, provides a leaflet specifically addressed to the board on cyber security. This is a good starting point for the board to get a view on the level of understanding required of the board. At Deloitte, we also produce material for people to understand the big picture of cyber and cyber risks.
In summary, as a board member you need to follow what is happening around you to understand where the world is going. You can find all the information about risks associated with the cloud or other types of developments. Within your organisation, you should have technical experts to address these issues for you.
On average, how prepared is the board of directors with regard to understanding cyber risks and oversight of their mitigation?
It is difficult to give you a straightforward answer to that. For example, a company may ask an external consultant such as us, Deloitte, to come and test their cyber resilience. In most cases, we would successfully hack into the system and stay hidden there, just like spyware might do. And this applies to companies with a reasonably robust system. Unfortunately, it is like that – you are in a marathon race, and there is always someone running just ahead of you.
For this reason, it is sensible for every company to conduct a thorough analysis of its cyber security and assess its resilience. It is probably best done by an external consultant, who can give a holistic picture and advise where the weaknesses exist. If done internally, you might end up focusing on the system you have and testing it, rather than identifying what you have not covered.