Imagine if a band of marauders stood outside your corporate headquarters 24 hours a day, throwing rocks, firing projectiles and pretty much trying to cause as much damage as possible to your business. Would a board ignore the consequences with inaction? It turns out marauders most likely are taking aim at your business around the clock; you just do not see them. And if they have not already done so, someday they’ll break inside the wall. These are hackers. And many of today’s boards seem to show a shocking indifference to their presence.
Surveys show that only about half of US companies have comprehensive policies and procedures in place to address cybersecurity. Outside the US, the percentages are even lower. These companies leave it to the CIO to keep the castle protected, and that’s a mistake.
Cybersecurity is not just a technical problem to be solved. Too much is at stake. Your website conveys critical branding and advertising messages to consumers, and probably gives them an opportunity to buy your product. Internally, technology is what keeps your company operating and communicating efficiently. Transaction systems keep flowing on the customer-facing side of your enterprise while the financials are reconciled on the back end. The non-technological consequences of poor computer security.
Board members do not have to become technical experts; that can be left to IT. But they have to manage risk and allocate resources. Cybersecurity policies, processes and protocols need to be set at the board level and driven down as an organizational priority.
Here are five ways board members can start the ball rolling:
1. Elevate IT security to the board level. Start internally with an IT or CIO presentation that outlines what safeguards are in place, associated policies and procedures, and examples of actual attacks that have taken place on your systems. Also, bring in third-party board advisers, who can guide you through a cybersecurity policy review.
2. Change the security mindset. The thing is, it’s not if an attack will be successful, but when. Response is every bit as important as prevention. The metaphor of cybersecurity as a moat around the castle is often used: if the barbarians breach the moat, story over. But that’s not really the case anymore. Once a digital intruder is inside, what matters is that it is detected and the fallout is contained. If you cannot do any damage, you have to be careful about what you are doing.
3. Get the after-attack protocols right. Part of that preparation we just talked about is planning ahead of time. Who will speak to the media? To stakeholders? To shareholders? What do they say? These are board-level decisions that need to be made, communicated and rehearsed.
4. Security starts at home. By being internally compromised. The EVP who leaves her smartphone back at the restaurant. The administrator who drops a memory stick jammed with credit card numbers or identifiable customer account info. The shop floor manager who opens an unbidden e-mail. Cybersecurity is a top priority. Have you considered starting with yourself? What example are the board and leadership team setting for the rest of the organization?
5. Set the resource allocation appropriately. Strategy and tactics planning, and equipment deployment. The board must not only make security an organizational priority, but resource it appropriately.
In the end, cybersecurity is a risk issue, a business issue and, most importantly, a leadership issue. The good news is that more and more companies see the growing threat. The bad news: far too many of them are not taking the necessary actions to protect their businesses, especially in the boardroom.