Cyber Security for Board Members

As a Board member you need to understand enough about cyber security so you can have a fluent conversation with your experts.

Good cyber security is all about managing risks. The process for improving and governing cyber security will be similar to the process you use for other organisational risks. It is a continuous, iterative process.

What is cyber security?

Cyber Security is the protection of devices, services and networks - and the information on them - from theft or damage via electronic means.

What do I need to know about cyber security?

There are three common myths concerning cyber security. Understanding why they're incorrect will help you understand some key aspects of cyber security.

Myth #1: Cyber is complex, I won't understand it.

Reality: You don't need to be a technical expert to make an informed cyber security decision.

We all make security decisions every day (whether to put the alarm on, for example) without necessarily knowing how the alarm works. Boards regularly make financial or risk decisions without needing to know the details of every account or invoice. The Board should rely on its cyber security experts to provide insight, so that the Board can make informed decisions about cyber security.

Myth #2: Cyber attacks are sophisticated, I can't do anything to stop them.

Reality: Taking a methodical approach to cyber security and enacting relatively small changes can greatly reduce the risk to your organisation.

The vast majority of attacks are still based upon well known techniques (such as phishing emails) which can be defended against. Some threats can be very sophisticated, using advanced methods to break into extremely well defended networks, but we normally only see that level of commitment and expertise in attacks by nation states. Most organisations are unlikely to be a target for a sustained effort of this type, and even those that are will find that even the most sophisticated attacker will start with the simplest and cheapest option, so as not to expose their advanced methods.

Myth #3: Cyber attacks are targeted, I'm not at risk.

Reality: Many cyber attacks are opportunistic and any organisation could be impacted by these untargeted attacks.

The majority of cyber attacks are untargeted and opportunistic in nature, with the attacker hoping to take advantage of a weakness (or vulnerability) in a system, without any regard for who that system belongs to. These can be just as damaging as targeted attacks; the impact of WannaCry on global organisations - from shipping to the NHS - being a good example. If you’re connected to the internet then you are exposed to this risk. This trend of untargeted attacks is unlikely to change because every organisation - including yours - will have value to an attacker, even if that is simply the money you might pay in a ransomware attack.

The findings from the Cyber Security Breaches Survey below show just how many organisations are coming under cyber attack and how organisations are responding to this risk. Further information is provided in the full report.

How do cyber attacks work?

A good way to increase your understanding of cyber security is to review examples of how cyber attacks work, and what actions organisations take to mitigate them. Reviewing incidents that have occurred within your organisation is a good place to start.

In general, cyber attacks have 4 stages:

Survey - investigating and analysing available information about the target in order to identify potential vulnerabilities.
Delivery - getting to the point in a system where you have an initial foothold in the system.
Breach - exploiting the vulnerability/vulnerabilities to gain some form of unauthorised access.
Affect - carrying out activities within a system that achieve the attacker’s goal.

Defending against cyber attacks

The key thing to understand about cyber security defences is that they need to be layered and include a range of measures, from technology solutions to user education to effective policies. The infographic below gives examples of defences that will help your organisation to combat common cyber attacks. Our section on Implementing effective cyber security measures provides further detail and questions that you can use to understand more about your own organisation's defences.

As a Board member, you will be targeted

Senior executives or stakeholders in organisations are often the target of cyber attack, because of their access to valuable assets (usually money and information) and also their influence within the organisation.

Attackers may try and directly target your IT accounts, or they may try and impersonate you by using a convincing looking fake email address, as an example. Once they have the ability to impersonate you, a typical next step is to send requests to transfer money that may not follow due process. These attacks are low cost and often successful as they exploit the reluctance of staff to challenge a non-standard request from someone higher up in the organisation.

Good cyber security awareness throughout your organisation, security policies that are fit for purpose and easy reporting processes will all help to mitigate this risk. It is also critical that Board members understand and follow their organisation's security policies, so that when an impersonator tries to circumvent them, staff can identify that something is unusual.

You should also consider how information about you that is publicly available could assist an attacker who is trying to impersonate you.

---
Source: Taken from this NCSC article.

News

Utimaco and CREAPLUS strengthen cooperation to meet NIS 2, DORA and GDPR requirements

Utimaco in CREAPLUS krepita sodelovanje pri izpolnjevanju zahtev NIS 2, DORA in GDPR

Utimaco and CREAPLUS have outlined their cooperation in 2025, which will be marked by new solutions that make it easier for companies to comply with legal requirements in managing cybersecurity and resilience and protecting data.

Mitja Trampuž presents the state of the art in the use of artificial intelligence in cybersecurity

In Budva, the Association of Security Managers of Montenegro organized the conference "Security without compromise", which addressed the current challenges of regional companies in the field of corporate security.

Slovenian organizations get an updated edition of the AI implementation guide

Slovenske organizacije dobile posodobljeno izdajo vodiča za uvajanje umetne inteligence

The Artificial Intelligence for Slovenia AI4SI initiative, which operates within the Association for Informatics and Telecommunications of the Slovenian Chamber of Commerce and Industry, has published an updated "Guide to Deploying Artificial Intelligence in Enterprises".

Mitja Trampuž discovers measures to mitigate the risks of RSA key vulnerabilities

In an article by journalist Daret Hribersek on the portal of the magazine Finance: ICT informant, Mitja Trampuž, CEO of CREAPLUS, sheds light on the problems with RSA cryptographic key cracking and provides best practices for reducing risks and vulnerabilities in this type of data encryption.

CREAPLUS team enhances its expertise to support regional partners in implementing Ascertia's top PKI solutions

CREAPLUS has strengthened its partnership with Ascertia, a global leader in high trust public key infrastructure and remote qualified digital signature solutions.