Cybersecurity is a high-stakes topic for every company. You probably heard the wake-up call when an attack against Target cost the company $236 million in breach-related expenses, plus severe reputational damage. Target’s CEO and CIO lost their jobs in the aftermath, and Institutional Shareholder Services recommended that investors vote against seven board members for their failure to protect the company. But getting ahead of the problem isn’t easy: attackers shift their tactics at least as fast as companies implement new safeguards.
Despite the enormity of the risks and challenges, you can take steps to ensure that your company is protecting itself. Based on Diligent’s experience supporting boards around the world, we recommend a set of basic practices to steer hackers away from your systems:
Place cybersecurity high on the agenda… It’s not enough to put cybersecurity on the board’s agenda. This topic also needs higher priority than it often gets today. An NYSE study found that cybersecurity is on most boards’ agendas, with over 80% of respondents saying that they discuss cybersecurity at every meeting or at most meetings. But the same survey found that security risks are second-to-last among directors’ concerns when introducing new technology-based solutions—behind revenue potential, competitive differentiation, and development costs. Cybersecurity doesn’t need to be the first thing on the agenda at every meeting, but if it’s always at the bottom of the list, it won’t get the airtime it deserves.
…But don’t get lost in the weeds. Elevating cybersecurity on the agenda doesn’t mean that you as a board member should immerse yourself in the technical details. Instead, once or twice a year, ask the CIO and/or CISO to update you on the biggest threats facing the company, the processes in place to detect and manage them, and the crisis response plans. Push the information security team to conduct a “pre-mortem” to assess what would have happened if an attack suffered by another company had happened to yours. And make sure they’re screening everybody and everything related to technology, from vendors to apps, for weaknesses that may let attackers into your company. Get briefed by other functional leaders, too. Ask them to report to you about the security threats to their department’s data, whether and how their data is protected, and how they would respond to an attack.
Put human nature to work for you… Remember that people are your biggest risk factor. It’s simply a matter of human nature that they’ll gravitate toward the easiest way to handle documents and data. For example, if they want to work on a spreadsheet on their home computer, they may send it to an unsecured Gmail account if that’s the easiest way to do it. To get human nature working in your favour, make it simple and convenient for people to do the right thing. That means implementing processes and technologies that are not only secure, but also very easy for people to use.
…And lead by example. By role-modelling highly secure practices, you can help get everyone in the organisation rowing in the same direction. One easy way that boards can lead by example is to keep their board materials safe and secure. You’ll be in a much stronger position to demand new protections and governance practices when your own hands are clean!
As a board member you’re required to think about cybersecurity, but you can’t do it alone. Taking the steps described here gets you part of the way there, but you’ll need to work with your CIO/CISO and the entire management team to make sure a culture of cyber-vigilance emerges in the organisation.