Cybersecurity is a high-stakes topic for every company. You probably heard the wake-up call when an attack against Target cost the company $236 million in breach-related expenses, plus severe reputational damage. Target’s CEO and CIO lost their jobs in the aftermath and Institutional Shareholder Services recommended that investors vote against seven board members for their failure to protect the company. But getting ahead of the problem isn’t easy—attackers shift their tactics at least as fast as companies implement new safeguards.
Despite the enormity of the risks and challenges, you can take steps to ensure that your company is protecting itself. Based on Diligent’s experience supporting Boards around the world, we recommend a set of basic practices to steer hackers away from your systems:
Place cybersecurity high on the agenda… It’s not enough to put cybersecurity on the board’s agenda. This topic also needs higher priority than it often gets today. An NYSE study found that cybersecurity is on most boards’ agendas, with over 80% of respondents saying that they discuss cybersecurity at every meeting or at most meetings. But the same survey found that security risks are second-to-last among directors’ concerns when introducing new technology-based solutions—behind revenue potential, competitive differentiation, and development costs. Cybersecurity doesn’t need to be the first thing on the agenda at every meeting, but if it’s always at the bottom of the list, it won’t get the airtime it deserves.
…But don’t get lost in the weeds. Elevating cybersecurity on the agenda doesn’t mean that you as a board member should immerse yourself in the technical details. Instead, once or twice a year, ask the CIO and/or CISO to update you on the biggest threats facing the company, the processes in place to detect and manage them, and the crisis response plans. Push the information security team to conduct a “pre-mortem” to assess what would have happened if an attack suffered by another company had happened to yours. And make sure they’re screening everybody and everything related to technology, from vendors to apps, for weaknesses that may let attackers into your company. Get briefed by other functional leaders, too. Ask them to report to you about the security threats to their department’s data, whether and how their data is protected, and how they would respond to an attack.
Put human nature to work for you… Remember that people are your biggest risk factor. It’s simply a matter of human nature that they’ll gravitate toward the easiest way to handle documents and data. For example, if they want to work on a spreadsheet on their home computer, they may send it to an unsecured Gmail account if that’s the easiest way to do it. To get human nature working in your favour, make it simple and convenient for people to do the right thing. That means implementing processes and technologies that are not only secure, but also very easy for people to use.
…And lead by example. By role-modelling highly secure practices, you can help get everyone in the organisation rowing in the same direction. One easy way that boards can lead by example is to keep their board materials safe and secure. You’ll be in a much stronger position to demand new protections and governance practices when your own hands are clean!
As a board member you’re required to think about cyber security, but you can’t do it alone. Taking the steps described here gets you part of the way there, but you’ll need to work with your CIO/CISO and the entire management team to make sure a culture of cyber-vigilance emerges in the organisation.
1. Source: “How much has Target’s data breach cost the retailer?”, Internet Retailer, August 5, 2014.
2. Source: “Cybersecurity in the Boardroom,” NYSE Governance Services and Veracode, 2015.
September 7, 2020
Avoiding Cyber Confusion in the Board Room
It is imperative that Directors understand the cyber risks facing their companies and organisations. The increasingly complex internal and external landscape presents unique challenges for Boards. Several key steps can however significantly increase the cyber resilience of any company or organisation, irrespective of size. The article outlines five key steps…
August 20, 2020
Minimising the Risk of Virtual Meetings: 5 Practices Boards Should Avoid
Months into the COVID-19 lockdown, remote workers—and board members—have become more accustomed to virtual meetings. They’ve found a quiet place in the house, mastered the mute and camera buttons, and fully styled their background bookcases and “Zoom couture.” Yet as virtual work becomes a way of life, not all adaptive…
January 30, 2020
Voice Assistants in the Boardroom: The Pro’s and Con’s
Australians are going crazy for voice assistants – they are selling faster there than in the US, according to Voicebot.ai, and 5.7 million Aussies already have them. They are becoming popular in New Zealand too, reportedly, although there has been some scarcity…