In the midst of the craziness of this week I was researching not-for-profit organisations when I discovered an anomaly in their annual reports.
The first report I read had no reference to cyber security, information security, business security or data security. I thought that was a little strange, so I read another.
After downloading and reading 15 not-for-profit organisations' annual reports from last year, not one of them made any reference to what they were doing to safeguard their clients', users' and sponsors' information.
Even in the executive summary, protecting the assets was not mentioned.
One of the 15 had 3 pages on their IT infrastructure, but this only discussed the number of people, servers and offices managed by the organisation and how people connected to the information that staff need to do their jobs.
If there is no information about cyber in an annual report, I have some questions.
Is the board room accountable to the shareholders when it comes to cyber?
The buck stops with you and if you are not taking into account the digital components of your organisation then you have a problem.
How serious is the board about protecting their staff and stakeholders?
If they are not discussing it, or are just paying it lip service, then there is going to be a time when the organisation suffers a cyber event and no one will know what to do.
Business security is all about preparedness. What will happen if this happens? What will be the impact on the organisation in a cyber event?
Has risk management taken into account the unique risks associated with the digital world?
All of the risks in today’s business world have to be addressed.
Of all of the risks that businesses face today, probably 20% are traditional risks. Some of them also have to be looked at with a cyber component. For instance, what happens if you lose power? How are you going to mitigate the impact within the organisation at a digital level?
If risk has not been discussed, how safe is the data?
A board not addressing today’s risk at management level shows a profound disrespect for the whole organisation.
A simple error, no matter what it is, can expose the organisation to financial, reputational and personal loss. That loss can be incidental or profound, but if not addressed it will have an impact on the organisation.
Why do they not consider the digital world a risk to the organisation?
A discussion, actually about 4 years ago now, made the point that although everyone knows computers, not everyone understands the fundamentals of how they work.
Taking this attitude, that everyone knows computers, into the board room will have a detrimental effect on business. It will have a bigger impact because technology is changing. The increased reliance on all things cloud based, mobile and social means we have to think outside the box. We have to include all of these items in our understanding of the digital world and its impact on our risk analysis.
What has actually been done to safeguard the data under their control?
In most cases, very little.
We often hear: “the IT department will handle that!”
That is wrong on so many levels.
There is a different skill set, business requirement and technology understanding between making the organisation safe at a digital level and keeping the lights on and the computers operating.
With all of the compliance and governance in business, how have they managed to avoid doing it?
Delegation of duties, without delegating authority, is a regular occurrence.
“Yes, the ICT team will look after that.”
Without the authority to make change, there are going to be large areas within the business that no one has focused on.
Compliance and governance are not a tick-the-box process.
It is a complete overhaul of business attitude, to protect the data that your clients and staff have faith in you protecting.
Break that faith and see what happens to your organisation.
In addition, governance and compliance are the realm of the board room; delegating them does not mitigate the risk associated with a cyber event.
Ignoring the impact of a cyber event at board level has already caused a number of high-visibility board members to resign or, even worse, be fired.
Somewhere we are failing.
The message is wrong, the medium is wrong or the people delivering the message are wrong.
No matter how you slice it, getting people on boards to understand that digital is a thing and protecting data is a thing is very difficult.
There is an old adage, “to get people to invest in disaster recovery burn down the building next door”.
The same applies in business security.
The way to get boards to invest in digital and business security is to have something happen.
Whether organisational or personal, an attack on them will get investment in protecting the organisation.
It is no longer a case of investing in insurance. Today, digital protection is not insurance; it is an investment in your brand, your reputation, your staff and y