"Cyber security has become a vitally important matter in the last few years. It impacts individuals, organisations and countries, and with the growing sophistication of cyber attacks, the impact can be truly devastating."
Governments are now deeply concerned about cyber attacks, and protection of critical infrastructure from such attacks is getting a great deal of attention. Organisations have been the subject of cyber attacks for some time. From defacing websites and denial-of-service attacks, these have moved to data theft and false transactions; organisations' servers are used as conduits to access and steal the personal data of individual customers; worms and trojans are implanted and can cause havoc.
Kiran Sharadchandra Karnik served as the President of NASSCOM from 2001 to 2008. Mr Karnik has 20 years of experience with the Indian Space Research Organisation. Previously, he was also the MD of Discovery Channel in India. Mr Karnik holds an Honours degree in Physics from Bombay University and a postgraduate degree from the Indian Institute of Management, Ahmedabad.
So far, most organisations have sought to shore up their defences through firewalls, anti-virus software, education of users and limiting access to critical information. These and other protective measures are generally left to the IT department or the Chief Security/Information Officer, or are outsourced. While the dangers and potential impact of a cyber attack have vastly increased, action by organisations has been slow and limited.
Yet, one serious data theft can shake customer confidence and cause untold losses to the organisation, both from direct loss and from lawsuits, besides the long-term impact of reputational risk. A bug or worm can disrupt operations for many hours, with very serious consequences in industries like power, airlines, chemicals, banking, etc. Given the seriousness of the threat, organisations need to take organisation-wide countermeasures. It is now certainly time for cyber security to be an issue for the Board.
Organisation Board agendas now include governance, strategy, succession planning and HR. Apart from audit and compensation, many Boards have committees for governance and nomination (of new Board members). There is a need to have a specific committee on risk or security: these are issues that must be monitored, discussed, and planned for at the level of the Board. While financial risks are generally examined by the audit committee and discussed by the Board, risks arising from problems related to IT are rarely discussed. Yet, IT is now a key element and a platform for practically all activities of a major organisation, and an organisation's vulnerability to any disruption in IT is very large. Therefore, Board oversight of IT risk is as important as monitoring the financial health of an organisation.
The Board must put in place policies related to IT security, review them regularly, monitor their implementation and ensure anticipatory actions to forestall problems. A periodic IT risk assessment or audit must be entrusted to an external agency, and the Board must review the findings. The human element is critical; training in cyber security and background checks of employees (through the NASSCOM NSR, for example) are essential.
In the light of escalating threats and the magnitude of potential risk (not only for organisations but, consequentially, for the economy as a whole), it may be necessary that the setting up of a cyber security committee at the Board level be made mandatory. Meanwhile, it would be in the enlightened self-interest of organisations (this, it needs to be emphasised, applies to all organisations, not just those in the IT sector) to set up such a committee and ensure their cyber security.