Recently I wrote about just how much governance has changed in the past decade or two. Whereas historically governors could turn up to meetings and spend time discussing their golf handicap and enjoying savories, today board members have to be laser focused on a seemingly innumerable variety of different critical tasks.
Health and Safety legislation means that worker safety, once something that was given scant attention, is now a critical task for board members, one that, in the event they get it wrong, they can go to jail for. There’s nothing like the prospect of incarceration to focus ones’ mind on the task at hand.
I’ve been thinking about these emergent tasks for board members of late and one which has been top of mind lately is cybersecurity. It was only few short years ago that board members had little or no cognizance of what cybersecurity is let alone what they needed to do to ensure it was robust – this was very much seen as an operational task for the folks in IT to manage.
Fast forward to today and I’d wager that very few boards don’t talk about cybersecurity at every meeting. Every board that I’m on has cybersecurity as a critical risk in its risk register, and one which they look to continuously mitigate through various means.
And with good cause – over the past year or two we have seen increasing numbers of cyber attacks across almost every sector – from health organizations to insurance companies, from international e-commerce sites to media and entertainment organisations. And while the benefits of being a small island nation in a very big ocean might help us with some problems, it doesn’t help much with cybersecurity – New Zealand has had its own cybersecurity woes.
Kordia, the State Owned Enterprise on whose board I sit, has a big cybersecurity division that every day helps organisations across the country avoid these issues and deal with them when they occur. Organizations big and small and across every sector are exposed to these same risks.
Now I need to reiterate here that cybersecurity is an incredibly difficult thing to get on top of. It really is akin to the game of whack-a-mole where every time a vulnerability is detected and resolved, a new risk is exposed. It’s important we don’t make knee jerk reactions to blame the organisations who fall prey to these nefarious actors. As I said, it’s a hard problem and one that needs constant attention.
Hacks can have some massive impacts on organisations already hit hard with economic and Covid-related woes – imagine the practicalities for an e-commerce store that is forced to take its services offline for a protracted period because of a breach – its revenue is literally shut off in an instant.
In the health sector, hacks can have an even more sobering impacts – the thought of a bad actor getting access to a remote-operated piece of equipment in an operating theatre, or a internet-accessible implanted defibrillator is a horrifying prospect.
There are no easy answers, in much the same way that there are no easy answers in the case of Health and Safety. But for every board member out there, if cybersecurity isn’t a topic of conversation in every board meeting, you should be asking some probing questions.
Ben Kepes is a Canterbury-based entrepreneur and professional board member. He spends rather a lot of time worrying about cybersecurity.
