
Richard "Dick" Brooks

Questions Board Members Must Ask About Cyber Risk Management

Emphasis is being placed on Board Members to become more savvy at understanding cyber risk, but many members are not cybersecurity experts and don't know what questions to ask their business executives and IT directors and managers. Lawsuits are piling up, and personal liability is a real risk for BoD members and C-Suite executives. This message is intended to help BoD members know which questions to ask.

Keep one thought in mind as you read this article: "The hackers only need to be lucky once". All cyber risk is business risk that can have devastating impacts, regardless of which domain it affects, IT or OT.

The three most common attack paths used by cyber criminals are:

1. People

2. Software

3. Supply Chain

It is imperative for BoD members to know that company executives and business managers are aware of these three attack paths and have taken reasonable (good faith) proactive and reactive steps to prevent cyber criminals from committing cyber crimes and inflicting harm using any or all of these paths.

People Questions to ask:

  • What steps are we taking to educate employees about the risks, tactics and techniques used by cyber criminals to exploit their trust?

  • What controls are in place to prevent our employees from being exploited by cyber criminals?

  • What procedures are in place to detect and respond to a cyber attack on people?

Software Questions to ask:

  • What processes are in place to procure and use only trustworthy software?

  • What processes are used to detect and monitor for software cyber risks 24x7?

  • What procedures are in place to detect and respond to a cyber attack on our software ecosystems?

Supply Chain Questions to ask:

  • What processes and procedures are used to identify and engage with only trustworthy suppliers?

  • What processes are used to monitor for supplier risk?

  • What processes are in place to protect our business from cyber crimes emanating from our supply chains?

  • What processes and procedures are in place to detect and respond to a cyber attack emanating from our supply chains?

Final Question:

  • What steps have we taken to respond to and recover from a successful cyber crime so that normal business operations resume, and how much time will be needed to recover (what is the recovery time objective, RTO)?