From server room to boardroom: Why cybersecurity is everyone's business
When it comes to cybersecurity, even the mightiest can falter if they're not vigilant. This isn't a mere cautionary tale; it's a fact underscored by the recent cyberattacks on two major hotel and casino operators in Las Vegas, and countless more just like them across every industry and every part of the globe. For executives, board members, CISOs, CIOs and risk professionals — for everyone, in fact — the implications of these attacks cannot be overlooked. They illustrate the paramount importance of a robust cybersecurity program.
Before we delve into the broader implications, let's first recall the events in question. Two titans in the hospitality and gaming industries were hit this month by concurrent cyberattacks that brought down their websites, blanked out gaming machines, rendered digital room access inoperable, put gamblers' and guests' personal information at risk, and generally ground operations to a halt. News stories and social media were awash in images of darkened casino marquees, broken slot machines and long lines of hotel guests waiting hours to check in or check out.
Business damage is more than just financial
While financial losses are an obvious concern following a cyberattack, it's the more intangible damages that can be the most devastating and long-lasting. Let’s break it down:
Reputational damage: In a highly competitive market, trust is hard-won and easily lost. Cyberbreaches deter customers and guests for months, and sometimes years, regardless of any discounts or assurances offered.
Operational impact: Breaches wreak havoc on daily operations. From locked-out systems and halted services to resource diversion for damage control, the impact can be immediate and paralyzing.
Legal and regulatory consequences: With regulations like GDPR in Europe and CCPA in California, businesses can face significant fines for not adequately protecting customer data. Moreover, potential lawsuits from affected customers or shareholders can compound financial liabilities. And board members can be held personally liable for not providing the right amount of oversight.
Increased insurance premiums: Following a significant breach, insurance premiums can spike, adding more operational costs for the enterprise.
5 steps for making cybersecurity everyone's business
What can organizations do? For starters, understand that cybersecurity isn't an IT-only concern. It’s a boardroom topic, a C-suite priority and a shared responsibility across the organization. Here are steps to consider:
1. Promote a security-first culture, including in the boardroom.
From the reception desk to the executive suite, everyone should be aware of the best security practices. Regular training and drills can help embed these practices into daily routines. Remember, too, that culture starts at the top. If the board is not up to speed on today's cybersecurity threats, they are not equipped to set the appropriate risk appetite or lead by example with their own cybersecurity practices. And in that case they are certainly not ready to comply with the SEC's recently enacted cyber disclosure regulations. Diligent's Cyber Risk & Strategy Certification is designed to upskill directors in cybersecurity so they can effectively govern cyber risks.
2. Invest in advanced risk-monitoring and risk-mitigating solutions.
Utilize AI and machine learning for real-time threat detection. Embrace technologies that enable you to automate cybersecurity and shift from a reactive approach to a forward-thinking, ready-for-anything program.
3. Collaborate and share intelligence.
Join industry groups and forums where threat intelligence is shared. Additionally, be sure the board has the cybersecurity info they need at their fingertips, so they can make better decisions — and make those decisions more quickly.
4. Spot potential vulnerabilities early.
As the old adage goes, "An ounce of prevention is always worth more than a pound of cure." Leverage best-in-class analytics to provide continuous assurance over your operations, so you can eliminate the gaps where risk resides — before a hacker exploits them.
5. Implement a continuous training program.
Make sure your board, management and staff are all up to date on the latest best practices for cybersecurity with regular, ongoing training that reminds them about their role to play. Be sure to include refreshers on how to avoid phishing, using multi-factor authentication and keeping sensitive data in secure channels.
Learn more about how Diligent can help your organization be better prepared for a cyber attack. Request a meeting today.
