Cyber security has traditionally been seen as an IT issue. That’s a mistake. It must be seen as a strategic risk management issue. Not only are the business implications of a cyber breach worthy of boardroom attention, but execs and board members themselves have become a target. Boardrooms should be developing a business strategy that combats the threats as well as taking extra steps to personally secure their digital activities.
Typically, cyber attackers aim to compromise and exploit a business's network. However, more attacks are now aimed at the ‘big fish’ in the business, or those who have access to sensitive information: C-suite executives and board members, who not only have broader access across the business but also work with a great deal of vital business information. For example, in November 2018, US Democratic National Committee email addresses were targeted in a spear phishing attack.
Cyber security awareness must, therefore, be included at the top level, not just amongst the rest of the workforce. And the risk is very real. Not only do businesses face financial losses on an enormous scale, but a significant breach can damage reputations, shatter client relationships, result in legal proceedings and impact business operations.
Potential impacts and implications for boards:
- Intellectual property loss
- Financial penalties, including regulatory and legal fines
- Property losses of stock or information
- Reputational damage
- Loss of time
- Administrative resources
A top-down approach: Get board-level involvement
Today’s C-Suite and board members need to be involved in the cyber discussion. Not only because they are a risk to the business, but because a top-down approach is the best way to ensure cyber security awareness is raised across the wider business teams. Remember, the headlines of a massive nation-led data breach create noise, but the reality is it’s normally a busy exec clicking on a malicious phishing email by a scammer, not a nation-state, that leads to breaches.
Regular security training with all staff is a key element of a business's cyber defence, but board members and execs are not normally included. Involving board members in all training is a critical step in securing them against the threats.
Cyber security topping business leaders' concerns
There is a reason cyber security is seen as a top concern by business leaders. As cyber is regularly seen as an IT issue, a lot of business leaders lack the awareness and understanding required to make informed decisions about it. IT leaders must educate above and beyond the IT department to ensure the boardroom and leadership team have the knowledge to make better decisions and protect themselves.
The Internet has transformed how we live and work, but protecting our critical assets is vital for the competitiveness of businesses today. Adopting a risk management approach, including support from the very top, ensures a risk-aware culture and strong policies and procedures for any cyber attack.
There is a massive difference between investing in the right tools and putting defences in place, and meaningful engagement on cyber matters. Board members need to be constantly reminded of the risks of a cyber breach, including the potential fines following the GDPR and Data Protection Act. Board members also have a duty to understand and mitigate risk. So any cyber security strategy should include the aim to improve board-level engagement. The challenge is in presenting the risks and threats in non-IT language so it is easily understandable at a business-level, not a technology level.
Unfortunately, the percentage of businesses that have a board representative focused on cyber remains low. However, it is increasing, largely due to the rising awareness of the implications of a breach and the non-stop press coverage of the latest person or business to get hacked. No board member would want their sensitive emails exposed to the wider world, for example.
Addressing the threat
Addressing the cyber threat is a foundation of risk management, so businesses that do prioritise it will gain a competitive advantage. Making cyber security a board-level priority shows you mean business when it comes to tackling cyber risks.
If you feel like you aren’t getting enough engagement from the board, here are a few questions for the boardroom:
- Do we understand that board members are likely to be a target?
- Is there a board-level person responsible for cyber security?
- Do any of our supply chain partners put us at risk?
- Do the board have regular contact with the IT leader to get updates on the threat landscape?
- Do the board take an active role in cyber security policies and awareness?
- Have our key data assets been identified?
- Do we understand our vulnerabilities?
- Are competitors ahead of the game compared to us?
- What processes do we have in place if we get breached?
- Do we have a full picture of what would happen if the business gets hacked? (share price, reputation, etc.)
If the information and self-auditing questions above leave you feeling unsure about your cyber security strategy, you may need to seek help from an experienced and professional company to help improve those issues. Speak to us today to find out more about how Mitigate can support your organisation.
Find out more about how we help businesses like yours mitigate cyber security threats