Board members and top company executives are responsible for ensuring the value of their brand, and today that value is closely tied to security, namely, cybersecurity.
But less than a quarter of board members are “quite confident” in management’s ability to respond to a cyber security threat according to a special report “Managing Cyber Risk: Are Companies Safeguarding their Assets?” by NYSE Governance Security magazine. And it’s not a conversation had in boardrooms often enough, experts say.
Not that the risks aren’t known: The cost of cybercrime to the global economy reached $455 billion per year in 2014, and is expected to grow, according to a McAfee study, “Net Losses: Estimating the Global Cost of Cybercrime.” The true cost of failed cybersecurity, however, goes beyond direct financial losses: out of 189 firms that suffered a cyberattack, 79% of executives reported a drop in external reputation, 78% reported a drop in production and 75% reported loss of employee confidence, according to a 2015 survey by Deloitte and Symantec, “Winning the Cyberwar: Enabling UK Business Now and in the Future.”
“Every organisation, commercial or other, holds information that is valuable to an outside entity, whether it be a competitor or criminal organisation. And where there’s value, there’s an incentive for hackers to put their hands on your information. You need to assume that you are under constant attack,” said Ayal Vogel, president of AMID Strategies, a physical and cyber security consultancy. “And yet, if cybersecurity is ever discussed at a board level, it’s usually about securing customer information, not internal communications and intellectual property.”
According to the NYSE special report, some 48 percent of board members “worry they don’t know enough to ask the right questions,
Publicity often follows the news, which tends to involve stories of credit card theft, exposed celebrity photos, or political leaks. More common are cases of theft of product-related data and other intellectual property, as well as employee and market data.
“Technology is changing at a faster and faster pace and companies are trying hard to keep up,” the NYSE report says. “Corporate directors may well feel as if bulletproof oversight of cyber risk is impossible.”
But according to NYSE, email creates security risks: there’s no control over the content of a sent email. Messages can be forwarded to the wrong person. Attachments can be duplicated. Users have no control over the servers where email is stored or through which it passes.
Additionally, IT managers in charge of the company’s cybersecurity are often reluctant to share concerns about the company’s data security with the board. The Deloitte and Symantec report shows that in 70 percent of the firms surveyed, IT decision-makers did not feel comfortable with their firm’s data security plan.
But employees in charge of data security may not feel comfortable monitoring board members’ adherence to company guidelines — two-thirds told NYSE that their senior IT report to the board only “occasionally.” That’s why only a quarter of directors are “quite confident” in dealing with a cyber attack.
Securing board information
Board data should ideally be stored in a known location, segregated from the organisation’s other data. A hosted board portal may offer a better solution than commercial cloud storage. Sharing documents through a hosted board portal, accessible only to users whom the system administrator has authorised with specific roles and rights (e.g. read-only, edit, share), can limit the risk of losing control of emailed attachments. Using a board portal with a strict authorisation scheme means the administrator won’t lose control over documents, even if a user’s access password has been stolen; in such a case the system administrator can simply deny access for that user.
The administrator can also block access to the portal or specific documents on an ad hoc basis, for example when an executive is traveling abroad and the administrator has reason to believe that the network connection to the portal, from that locale, might be compromised. Staff in charge of the board portal can halt the executive’s access to the portal while he is in that risky area.
“The tried-and-true methods of sharing sensitive documents may place your data at risk,” Vogel of AMID Strategies explains. “Even small- and medium-sized organisations need to rethink the way they store data, and how that data is shared internally and with external users. The board needs to lead the way.”