Resources designed to encourage essential cyber security discussions between the Board and their technical experts.
The National Cyber Security Centre (NCSC) Board Toolkit offers a selection of resources and best practice guidance developed to raise awareness of cyber risks and encourage necessary discussions between the Board and technical experts. The Toolkit highlights the importance of cyber resilience and why it should be a priority on the Board agenda and breaks it down into the following sections:
This section of the Toolkit defines cyber security, highlights the risks both firms and individual board members face and the importance of board level awareness and engagement.
The NCSC encourages Boards to integrate cyber security into their organisations' objectives, risk management and decision making. This section of the Toolkit provides guidance on how Boards can better consider cyber resilience by effectively integrating cyber risk with business risk.
The results of the Global Information Security Workforce study estimate that Europe will experience a shortfall of approximately 350,000 appropriately trained and experienced cyber security professionals by 2022.
The NCSC provides guidance on organisational planning and strategies to ensure firms attract, develop and retain the right kind of expertise.
To raise awareness of cyber risk and encourage good practice it is important that Boards lead by example to create a healthy security culture. This section details how Boards can set the tone for good behaviour throughout the organisation by shaping and following effective security policies and processes.
In order to protect assets critical to your organisation’s objectives Boards must first understand key technical assets and any associated vulnerabilities. Boards should have awareness of technical assets and prioritise the ‘crown jewels’ that are key to critical business objectives in order to apply appropriate controls and inform incident response planning.
Threats vary across different organisations. It is important that investment management firms understand the nature of the threats their services and operations face. Firms are encouraged to share information and collaborate in order to better assess and address cyber risks.
Cyber risk should be managed like any other key business risk. The NCSC encourages Boards to incorporate cyber risks into existing risk registers and management processes. This will allow Boards to understand the potential impacts associated with cyber risks and help inform the decision making process.
The NCSC encourages firms to first implement basic security measures in line with their 10 Steps to Cyber Security. In order to implement this successfully, Board members are encouraged to develop their cyber knowledge in order to understand defences, ask the right questions and appropriately challenge technical experts.
Third party risk should be a key concern for Boards as they are still accountable for cyber security failures of their suppliers. Boards should identify the full range of third party suppliers and ensure they are receiving appropriate assurance regarding security measures. Firms should also consider third party risk and impact with regards to incident response.
All Boards should have an incident management plan. It is recommended that these plans are regularly tested and updated so that they remain current and as effective as possible. The NCSC provides guidance on how firms should go about developing such plans.
Appendices provide firms with guidance on current relevant regulation and what to do in the event of a cyber incident.
The set of recommended questions highlights the 5 key areas of cyber risk that boards should look at and how they should look to address them. The NCSC provides an overview of these risks and how they could impact your organisation. Possible solutions and the importance of these solutions are also detailed.
Five Questions for your Board’s Agenda:
1. How do we defend our organisation against phishing attacks?
2. How does our organisation control the use of privileged IT accounts?
3. How do we ensure that our software and devices are up to date?
4. How do we make sure our partners and suppliers protect the information we share with them?
5. What authentication methods are used to control access to systems and data?