All companies, including yours, collect data to increase productivity and efficiency for the business. As a result, cyber criminals target businesses and organizations because they hold a great amount of valuable information. By breaching an organization’s security, cyber criminals affect your organization’s productivity, negatively impacting the organization’s profits and thus affecting the board members’ actions.
In the Global Board Risk Survey conducted by Ernst & Young LLP (EY US), 80% of directors in the financial services sector felt prepared to combat the risks and threats to their network. However, in the IBM Security Cost of a Data Breach Report, the financial sector’s cost per breach is second only to the healthcare industry. The cost per breach is also nearly 1.5 times more than the public sector. Furthermore, Business Insider also claims that cyberattacks are 300 times more likely to target financial firms.
Board members think their company is prepared for a cyber breach. However, in reality, their confidence is the result of not being fully informed of their organizations’ cybersecurity system. Furthermore, they are not receiving enough information on their company’s cybersecurity progress. And so, board members are not truly prepared for a cyber breach and thus are penalized for cyberattacks on their company.
Cybersecurity risk is not limited to the financial services sector, and according to the Gartner 2020 Board of Directors Survey, cybersecurity risk is the second-highest source of risk for enterprises. Unlike board members in the financial sector, however, only 21% of board members feel that their company is properly prepared to face a cyberattack (McWilliams). As a result, board members must take action to emphasize the importance of cybersecurity.
What is Cybersecurity?
Cybersecurity involves having systems, people, and technology in place to protect and safeguard an organization’s sensitive data. These systems prevent information from being accessed, manipulated, destroyed, or stolen by attackers who do not have the organization’s best interest in mind. Such attacks disrupt the organization’s normal functions, which is why businesses lean on cybersecurity to protect their organization’s information.
Why Are Board Members Concerned About Cyber Security?
With the advancement of technology, corporations have become digitalized. Most, if not all, business processes are done on digital media, and the number of devices in an organization exceeds the number of people. With this level of digitalization, the board of directors must implement cybersecurity to protect the organization from digital attacks.
While large corporations like Google, Apple, or Target are unlikely to close because of a cybersecurity breach, small and medium-sized companies face the threat of bankruptcy and going out of business because of a cyber breach. However, board members of larger companies should still be wary of cyber breaches. These breaches result in massive discontent among the organization’s clients, which is why the CEO and CIO of Equifax and Target left after the cyber breaches on their companies.
After a cyber breach, the company can face dire consequences including regulatory investigations, loss of intellectual property, financial loss, and risk from fraudulent transactions. As a board member, you are responsible for establishing your organization’s mission and managing your organization’s resources. Therefore, placing importance on cybersecurity will help you protect your organization from cyber threats, and thus maximize the efficiency of your company’s resources.
Furthermore, board members should be aware that cybersecurity does not solely impact the IT department. A cyber breach will result in the inefficient use of resources. The following diagram explains some impacts that occur if your organization incorrectly implements its cybersecurity strategy.
How Can Board Members Protect the Organization from Cyber Attacks?
Cybersecurity does not require you to be an expert in IT or other technology. Rather, boards can implement simple steps and show employees how to mitigate cyber risks. However, to create a company culture that implements an effective cybersecurity strategy, board members need to show that they are also implementing safe cybersecurity practices. To change the security culture of your organization, you must lead by example because the board of directors is in charge of setting “the tone and direction for an institution’s use of IT” (FFIEC).
As a board member, you are one of the leaders of your organization. Your employees look up to you to see what they should do to effectively run the organization. Therefore, board members must practice cybersecurity measures themselves to prove the importance of cybersecurity.
According to the Corporate Finance Institute, leaders who learn the organization’s activities build trust with their employees. Staff members look to their superiors to see how they should deliver on the organization’s goals. This is because leaders set an unspoken standard for what is appropriate to do within an organization. Therefore, with board members practicing the cybersecurity rules they created, employees are more inclined to implement the cybersecurity measures put in place.
People often say, “Show, don’t tell.” This is also the case for implementing cybersecurity rules. And so, to have an effective cybersecurity culture in your institution, use the following tips to show the board’s concern regarding your institution’s cybersecurity policies.
1. Hold regular security briefings.
In a 2012 survey by the Federal Trade Commission, less than 40% of corporate boards regularly received reports on data privacy and security, while 26% rarely or never got that information. Another survey conducted in 2018 suggested that there was not much progress or improvement in relaying cybersecurity reports to board members. Additionally, only 37% of board members felt “confident” or “very confident” that their company was properly prepared for a cyberattack.
However, these surveys only capture a single moment in time and do not reflect the progress of cybersecurity plans. Cybersecurity constantly evolves and thus requires board members to be regularly informed and updated on the system. Regular briefings ensure that board members can carry out their responsibility to oversee and navigate the security strategy for their organization.
2. Include security executives in board meetings.
Most companies keep their security team away from product development, only involving them after selling the product or finding a flaw. This mistake can be seen in how the Internet was created.
Developers built the internet without the thought of building security into its underlying code and network. As a result, the internet is a vulnerable place where hackers attack the system every 39 seconds. Companies and board members must learn from this and realize the importance of incorporating security protocols while building a new product or service.
By including security executives in board meetings, the board can consider and plan around the budget needed to maintain the cybersecurity of the company’s new product or service. This will also help avoid heavy costs in trying to fix the product after its release. Furthermore, the security specialist on the board can help explain the company’s cybersecurity defense.
3. Create an IT management or steering committee.
With an IT committee, the board member with the most IT experience can oversee the decisions made by committee members. The IT committee will identify and create cybersecurity plans and standards for your organization to follow.
The steering committee compiles a comprehensive report on your institution’s cybersecurity situation and reports it to the board of directors. This ensures that you receive a thorough report on your organization’s cybersecurity measures.
The IT committee will also help align the cybersecurity program with your organization’s business goals and objectives. This will better protect your company from hackers, and thus help you avoid government penalties.
4. Put equal focus on building the organization’s culture and technology.
Many organizations tend to focus on building their technology and avoid addressing other important and hidden issues. This is especially the case with cybersecurity. While companies can implement cybersecurity automations, companies must inform the employees of the change. They also need to modify the company culture to ensure employees are employing safe cybersecurity practices.
To have an effective cybersecurity strategy, board members must emphasize to employees that the company’s security does not solely rely on IT and security professionals. Everyone – from the CEO to the accounting manager to even the janitor – must take responsibility for the company’s security strategy.
5. Make a contingency plan.
Regardless of how many precautions companies have in place, there is always a threat looming over their shoulders. Having multiple plans and multiple layers of security is crucial to maintaining the safety of the company’s networks.
Additionally, the IT committee will also plan ahead and create an incident-response plan. The plan must include public relations, risk mitigation, and decision making to lessen human errors that further negatively impact the organization. This will help board members in implementing cybersecurity measures, while leaving the specific security details to the professionals.
Furthermore, this plan must cover the entire organization – not just IT and security professionals. By including other departments such as the marketing team for PR response, the company can minimize the negative reputation that a cyber breach will bring to the organization.
Board Members Supporting Cybersecurity Practices
The cybersecurity committee should include a board member who specializes in IT security. This will help boost the credibility of the cybersecurity committee. Even so, the responsibility for cybersecurity should not solely belong to the CISO or other IT security professionals. This is because everyone within an organization is responsible for the company’s network security. Therefore, board members should create rules, policies, and practices that the entire organization will follow and adopt.
These rules and practices will influence the company’s security culture, ensuring that everyone will keep the company’s security in mind. By emphasizing the importance of cybersecurity, the organization’s sensitive information and assets will be safe from external hackers.
- Federal Financial Institutions Examination Council. (2015). FFIEC Information Technology Examination Handbook Management. In IT Governance (pp. 4–9). https://ithandbook.ffiec.gov/media/274809/ffiec_itbooklet_management.pdf
- McWilliams, L. (2020, April 20). Nearly 80% of Board Members Felt Unprepared for a Major Risk Event Like COVID-19: EY survey. EY – US. https://www.ey.com/en_us/news/2020/04/nearly-80-percent-of-board-members-felt-unprepared-for-a-major-risk-event-like-covid-19-ey-survey