How should a company manager talk about cybersecurity in a context of geopolitical tensions?

We have also experienced an increase in cyber-attacks since Russia started the war in Ukraine. This raises the following questions: “How do I know how vulnerable our company is, whether our systems are secure?” and “How do I talk about information security issues in my company?”.

On the first day of the war, 24 February, the Ministry of Defense instructed public authorities to step up security measures and predicted [1] that cyber incidents would increase in both the public and private sectors. For example, Reuters reports [2] that US banks are bracing for a significant increase in attacks following the sanctions, while Bloomberg reports [3] on the targeted use of the ransomware HermeticWiper to infect data networks and delete data from Ukrainian Interior Ministry systems hours before the invasion began [4].

Unfortunately, in organizations in our region, IT competencies are not always represented in senior management teams, so the discussion on information security governance is not on the agenda of every board. But it is as important a topic as capital adequacy or supply chain continuity. Moreover, industry professionals have acknowledged that nowadays it is no longer a question of whether an organization will experience cyber incidents, but rather when it will happen.

In order to help managers of organizations to address and improve their understanding of cyber security and information protection issues, Digital Mind recommends using the Cyber-Risk Oversight Handbook developed by ecoDa and published [5] by the Baltic Institute for Corporate Governance. It is intended to serve as a cheat sheet for Board and Supervisory Board members to build cyber-awareness and structure the internal conversation. The handbook defines 5 key principles to pay attention to when managing security risks and offers practical tools – questions for discussion with the internal team, self-assessment questionnaires to assess the knowledge of Board and Supervisory Board members, etc.

Principle 1 provides the basis for strategic risk management, while Principles 2 and 3 provide additional guidance in assessing risks and identifying appropriate strategies. Principles 4 and 5 provide guidance on what the board should expect management to do to address cybersecurity as an enterprise-wide risk management issue. More information on these principles and strategies can be found in the electronic handbook.

The handbook is written in an easy-to-read and practical format for managers to use in their day-to-day work of communicating and raising awareness of cyber security within the company.


Sources:

[1] https://lvportals.lv/dienaskartiba/338158-aizsardzibas-ministrija-bridina-par-dezinformacijas-un-kiberuzbrukumu-pieaugumu-risku-2022

[2] https://www.reuters.com/markets/europe/us-banks-prepare-cyber-attacks-after-latest-russia-sanctions-2022-02-27/

[3] https://www.bloomberg.com/news/articles/2022-02-24/digital-sleuths-track-clues-in-cyberattacks-on-ukrainian-assets

[4] https://www.bloomberg.com/news/articles/2022-02-26/hackers-destroyed-data-at-key-ukraine-agency-before-invasion

[5] https://www.bicg.eu/wp-content/uploads/2020/09/Handbook-1.pdf