Cybersecurity is a high-stakes topic for every company. You have probably heard the wake-up call: an attack against Target cost the company $236 million in breach-related expenses, plus severe reputational damage. Target’s CEO and CIO lost their jobs in the aftermath, and Institutional Shareholder Services recommended that investors vote against seven board members for their failure to protect the company. But getting ahead of the problem isn’t easy—attackers shift their tactics at least as fast as companies implement new safeguards.
Despite the enormity of the risks and challenges, you can take steps to ensure that your company is protecting itself. Based on Diligent’s experience supporting Boards around the world, we recommend a set of basic practices to steer hackers away from your systems:
Place cybersecurity high on the agenda… It’s not enough to put cybersecurity on the board’s agenda. This topic also needs higher priority than it often gets today. An NYSE study found that cybersecurity is on most boards’ agendas, with over 80% of respondents saying that they discuss cybersecurity at every meeting or at most meetings. But the same survey found that security risks are second-to-last among directors’ concerns when introducing new technology-based solutions—behind revenue potential, competitive differentiation, and development costs. Cybersecurity doesn’t need to be the first thing on the agenda at every meeting, but if it’s always at the bottom of the list, it won’t get the airtime it deserves.
…But don’t get lost in the weeds. Elevating cybersecurity on the agenda doesn’t mean that you as a board member should immerse yourself in the technical details. Instead, once or twice a year, ask the CIO and/or CISO to update you on the biggest threats facing the company, the processes in place to detect and manage them, and the crisis response plans. Push the information security team to conduct a “pre-mortem” to assess what would have happened if an attack suffered by another company had happened to yours. And make sure they’re screening everybody and everything related to technology, from vendors to apps, for weaknesses that may let attackers into your company. Get briefed by other functional leaders, too. Ask them to report to you about the security threats to their department’s data, whether and how their data is protected, and how they would respond to an attack.
Put human nature to work for you… Remember that people are your biggest risk factor. It’s simply a matter of human nature that they’ll gravitate toward the easiest way to handle documents and data. For example, if they want to work on a spreadsheet on their home computer, they may send it to an unsecured Gmail account if that’s the easiest way to do it. To get human nature working in your favour, make it simple and convenient for people to do the right thing. That means implementing processes and technologies that are not only secure, but also very easy for people to use.
…And lead by example. By role-modelling highly secure practices, you can help get everyone in the organisation rowing in the same direction. One easy way that boards can lead by example is to keep their board materials safe and secure. You’ll be in a much stronger position to demand new protections and governance practices when your own hands are clean!
As a board member, you’re required to think about cybersecurity, but you can’t do it alone. Taking the steps described here gets you part of the way there, but you’ll need to work with your CIO/CISO and the entire management team to make sure a culture of cyber-vigilance emerges in the organisation.