Page 12 - IMDR Journal 2025
Research Article
keeping things secure. This system includes things like risk assessments, rules for who gets access, written security procedures, and regular internal checks.

In both the SFO and BA cases, there is no clear sign that this system (or anything similar) was being used. ISO 27001 requires companies to look for security risks and fix them using specific tools listed in the standard.

But SFO and BA did not seem to have any solid process to find weak spots. For example, BA did not update an old JavaScript file that had known problems. That shows they had no way to manage or fix outdated software. If they had followed the ISO 27001 system, they would have done regular checks and cleanup to avoid that kind of risk.

● Access Control Policies. Annex A of ISO 27001 covers access control policies for users. The access controls were weak, as demonstrated by the stolen credentials. Neither SFO nor BA had implemented policies such as least privilege or MFA. ISO 27001 would require writing the rules of access and reviewing them regularly, which could have avoided passwords being the only authentication method and thus the harvesting of them.

● Occurrence of Risk and Procedure Monitoring. The theme of the standard is treating risks and observing how effective the treatment is. BA's habit of storing sensitive information in plain text was a failed risk treatment. Under an implemented ISMS, that would have been identified as an unacceptable risk or misconfiguration, and verification would have happened through the control.

● On the same point, SFO did not have endpoint security, meaning they did not treat and test such systems well. Overall, ISO/IEC 27001 is meant to safeguard information resources through a comprehensive risk assessment approach and ongoing improvement. With an established ISMS compliant with ISO 27001, SFO or BA would have had formal processes to determine what was lacking, implement security standards (like encryption and authentication), and test controls.

In other words, a certified ISMS would have ensured proactive security management, whereby security would have been managed in advance, with a possible initiative of preventing or reducing such violations. They also did not have ISO controls that would make security interventions consistent and responsive.

Corporate Governance

Cybersecurity should become a part of corporate governance. Good governance addresses cyber hazards as a strategic issue and not only as an IT problem. An advisory issued by CISA highlights that cyber risk is now a business risk owned by boards and CEOs. Both incidents involved faulty board-level review.

● Board-Level Oversight. In his article entitled "Developing Information-Based Risk Assessment in a Post-9/11 World: Incorporation of Serious Discussions", Chris Thompson pointed out that information-based risk identification is an emerging trend in the corporate world and that discussions on such identification should be taken seriously because they may very well be our saviors in this post-9/11 world. It mandates that the board be kept updated regarding risks and the occurrence of cybersecurity incidents. Nevertheless, it is reported that the top management and the board of directors of BA did not focus on cyber spending or awareness. Similarly, it appeared that SFO considered cybersecurity a routine IT task as opposed to a board mandate. CISA observes that boards are supposed to empower and fund CISOs, and that the decisions made on cyber should be clear. Executive accountability findings on BA indicate the board had overlooked even fundamental security measures, which the ICO attributed to a "profound organisational failure in digital risk management".

● Cybersecurity Culture. Corporate governance extends to culture. BA treated compliance (e.g., GDPR) as a box-ticking exercise rather than an imperative. The ICO report criticised BA for treating encryption and strong authentication as if they were optional, reflecting a failure of tone at the top. In contrast, boards should foster a culture where managing cyber risk is seen as a core responsibility.

● Investment and Prioritisation. Directors must balance cybersecurity budgets against other business needs. In these cases, evidence suggests cybersecurity budgets were constrained. Good governance would evaluate security spending as an investment in resilience, not just a cost centre. Frameworks like ISO 27001 and NIST CSF should be endorsed by the board and integrated into risk appetite statements.

In summary, corporate governance failures contributed to these breaches. Neither SFO nor BA had a governance structure that elevated cyber risk to board agendas. Industry guidance (e.g. the NACD Director's Handbook, co-developed with CISA) stresses that cyber must be a "fundamental matter of good governance". The SFO and BA incidents underscore that neglect at the governance level leaves organisations vulnerable.

● Strategic Implications. The SFO and BA breaches have broad strategic implications for the aviation industry. Key lessons and recommended actions include:

● Board-Level Accountability. Boards must treat cybersecurity as a strategic governance issue rather than a technical afterthought. Regular reporting on cyber risk, incidents, and compliance should be mandatory. Directors should insist on cybersecurity metrics alongside financial and safety metrics. This aligns with CISA's call for boards and CEOs to "own" cyber risk as an enterprise risk.

● Enhanced Security Investments. Organisations should invest in modern security infrastructure. Examples include Security Information and Event Management (SIEM) systems to correlate and alert on threats, Endpoint Detection and Response (EDR) tools for monitoring workstations, and next-generation firewalls. These tools support the NIST Protect and Detect functions by identifying anomalous activity. As NIST points out, a risk-based approach allows firms to allocate resources effectively. Despite budget constraints, the cost of breaches (investigations, fines,