BOARDROOM BEST PRACTICES

Poor Security Practices Leave Boards Unguarded Against Cyber Security Attacks

A majority of UK businesses and charities are unprepared for cyber security attacks. Poor security practices have left them vulnerable, a survey by Forrester shows. Diligent’s Governance Cloud can fill this gap with state-of-the-art communications and security technology.


UK boards of directors are unprepared for cyber security attacks

Poor security practices at the board of directors’ level have left UK companies unprepared for cyber security attacks. Fewer than three in ten businesses (27 per cent, according to the survey) and two in ten charities (21 per cent) have a formal cyber security policy or policies, according to a recent government poll.

“Cyber security is now a mainstream business risk,” explains Ciaran Martin, CEO of the National Cyber Security Centre. “Corporate leaders need to understand what threats are out there and what the most effective ways are of managing the risks. To have the plain English, business-focused discussions at board level, board members need to get a little bit technical. They need to understand cyber risk in the same way they understand financial risk or health and safety risk.”

“Poor cyber security practices are the result of boards not taking action swiftly enough, and not asking the right questions so that they can gain a sufficient understanding of cybersecurity,” Martin adds. “There’s really no such thing as a foolish question in cyber security. The foolish act is walking away without understanding the answer because that means you don’t understand how you’re handling this core business risk.”


Cyber security attacks call for preparation

The overwhelming majority of businesses and charities are reliant on online services, which exposes them to cyber security risks, the survey shows.

“Virtually all UK businesses (98 per cent) and charities (93 per cent) represented in the survey rely on some form of digital communication or services, such as staff email addresses, websites, online banking and the ability for customers to shop online. More businesses had websites or social media pages in the 2018 survey than in 2017.”

Charities are exposed to further online risks. Around three in ten enable people to donate online (31 per cent) and just under three in ten allow beneficiaries to access their services online (27 per cent). This is especially true of larger charities — 53 per cent of charities with an income of £500,000 (US$659,120) or more let people donate online, and 49 per cent enable beneficiaries to access services online.

Given all of this exposure, one would expect organisations of all sizes, and a substantive majority of large businesses and charities, to take the necessary precautions. Yet poor cyber security practices continue to be prevalent, the survey shows, and those with more potential risk factors are also among the most likely to experience cyber security breaches or attacks.

The result of this poor cyber security practice: More than four in ten businesses (43 per cent) and two in ten charities (19 per cent) have experienced cyber security breaches or attacks in the last 12 months. This rises to seven in ten (72 per cent) among large businesses, and a similar proportion (73 per cent) among the largest charities, those with incomes of £5 million or more, according to the survey.

Poor cyber security practice in communication

One of the key areas in which boards are failing to adhere to good cyber security practice is that of communication. According to a recent study by Forrester Research and Diligent, “Behind the Curve: Poor Governance Practices Risk Organisational Security and Visibility,” board members and governance professionals don’t associate their own communication practices with the company’s cyber security practices. Those same boards rely on technology to help them increase their visibility across the organisation, but most have yet to successfully implement an enterprise governance management (EGM) solution that enables effective oversight into critical areas such as cyber risk and crisis communication.

The Forrester report finds that over half of sensitive internal board communiques happen over personal email. Fifty-six per cent of board members are using personal email (not business-regulated email) to communicate about board matters. This type of poor cyber security practice leaves boards vulnerable to potential cyber security attacks, breaches and inadvertent data leaks.

While just over a third of boards rely on closed-loop secure communication channels, the rest are risking potential material loss by using unsecured communication methods — a very dangerous cyber security practice.

“Many boards fail to leverage technology to gain visibility and surface new insights. Integrated technology helps boards to better understand their areas of greatest risk, to view scorecards of governance categories, and to gain insight on company operations. End-to-end governance technology allows boards to identify areas of potential risk faster and more comprehensively, and then work with management to tackle [the] firm’s vulnerabilities, yet few boards currently use this technology,” the report shows.

Boards should take advantage of the protection from cyber security attacks afforded by high-quality collaborative software. Diligent Governance Cloud offers unparalleled security, assured by a team of international experts.

Diligent makes sure you are ready for all threats

“Carefully protected internal communication services centred on security and privacy are the safest way to conduct internal communication,” the study noted. Diligent, as the long-standing market leader for high-level corporate communications and governance software, is uniquely positioned to offer its clients the highest level of assurance around security measures. Diligent’s unique position in the marketplace allows for investment in best-in-class security practices at a level that is greater than most players’ annual revenue.

With ongoing investment and dedication to security technology, resources and infrastructure that no other provider can match, Diligent clients gain a strategic partner that truly puts security first.

All members of Diligent’s Security Team are active participants in the information security community in order to maintain up-to-date knowledge and expertise. This means that they are aware of nearly anything that hackers have available, ready to thwart all of the most sophisticated attack techniques.

Diligent has established a security program based on industry standard frameworks that is dedicated to ensuring customers have the highest confidence in our custodianship of their data. Our Information Security Management System (ISMS) is ISO 27001:2013 certified and our cyber security framework is based on NIST standards.

Diligent Boards data is housed in a world-class hosting infrastructure. Co-location data-hosting facilities are operated at Tier 3 equivalent or higher standards. Diligent owns and operates its own equipment. Data stored by customers in the Diligent Boards solution is not hosted by any third-party cloud providers. Instead, it is stored on Diligent’s own secure servers and protected by strong physical security. Access to these data centres is limited to authorised personnel only and verified by two-factor authentication.

Data is encrypted at rest, in transit and on the users’ devices. The Diligent Boards service supports the current recommended secure cipher suites to encrypt customer data in transit and at rest. Customer data is encrypted at rest on Diligent’s storage systems and on the customer’s mobile devices that run the Boards apps. Customer data encryption keys are stored in a tamper-proof FIPS 140-2 L3 certified Hardware Security Module.

Diligent has a documented Security Incident Response Program in place to handle security incidents. Incident response procedures are tested and updated at least annually. All incidents are managed by Diligent’s Security Incident Response Team, which classifies the event and determines the incident response process. In the event of a security breach, Diligent will promptly notify customers of any unauthorised access to customer data.
