Cybersecurity is a high-stakes topic for every company. You probably heard the wake-up call when an attack against Target cost the company $236 million in breach-related expenses, plus severe reputational damage. Target’s CEO and CIO lost their jobs in the aftermath and Institutional Shareholder Services recommended that investors vote against seven board members for their failure to protect the company. But getting ahead of the problem isn’t easy—attackers shift their tactics at least as fast as companies implement new safeguards.
Despite the enormity of the risks and challenges, you can take steps to ensure that your company is protecting itself. Based on Diligent’s experience supporting boards around the world, we recommend a set of basic practices to steer hackers away from your systems:
Place cybersecurity high on the agenda… It’s not enough to put cybersecurity on the board’s agenda. This topic also needs higher priority than it often gets today. An NYSE study found that cybersecurity is on most boards’ agendas, with over 80% of respondents saying that they discuss cybersecurity at every meeting or at most meetings. But the same survey found that security risks are second-to-last among directors’ concerns when introducing new technology-based solutions—behind revenue potential, competitive differentiation, and development costs. Cybersecurity doesn’t need to be the first thing on the agenda at every meeting, but if it’s always at the bottom of the list, it won’t get the airtime it deserves.
…But don’t get lost in the weeds. Elevating cybersecurity on the agenda doesn’t mean that you as a board member should immerse yourself in the technical details. Instead, once or twice a year, ask the CIO and/or CISO to update you on the biggest threats facing the company, the processes in place to detect and manage them, and the crisis response plans. Push the information security team to conduct a “pre-mortem” to assess what would have happened if an attack suffered by another company had happened to yours. And make sure they’re screening everybody and everything related to technology, from vendors to apps, for weaknesses that may let attackers into your company. Get briefed by other functional leaders, too. Ask them to report to you about the security threats to their department’s data, whether and how their data is protected, and how they would respond to an attack.
Put human nature to work for you… Remember that people are your biggest risk factor. It’s simply a matter of human nature that they’ll gravitate toward the easiest way to handle documents and data. For example, if they want to work on a spreadsheet on their home computer, they may send it to an unsecured Gmail account if that’s the easiest way to do it. To get human nature working in your favour, make it simple and convenient for people to do the right thing. That means implementing processes and technologies that are not only secure, but also very easy for people to use.
…And lead by example. By role-modelling highly secure practices, you can help get everyone in the organisation rowing in the same direction. One easy way that boards can lead by example is to keep their board materials safe and secure. You’ll be in a much stronger position to demand new protections and governance practices when your own hands are clean!
As a board member, you’re required to think about cybersecurity, but you can’t do it alone. Taking the steps described here gets you part of the way there, but you’ll need to work with your CIO/CISO and the entire management team to make sure a culture of cyber-vigilance emerges in the organisation.