The way Dido Harding has been held to account in the wake of the TalkTalk data breach – which is reported to have cost the company up to £80 million and 100,000 customers – has shown just how important it is that the overall responsibility for an organisation’s security sits with the board, not just with the IT department.
In the UK, the Government’s national cyber security strategy identifies security as a board level responsibility, citing the importance of improving cyber awareness and risk management among businesses.
Everyone in a business has a role in keeping the company secure. Security should run through a company’s DNA. All applications and platforms should be built with security top of mind, and training given to employees so they understand the importance of things like password control, secure access to data, and so on. But it is the board that will set the example.
Board members deal daily with highly confidential information, making strategic decisions that impact, for example, share price and reputation. But it is often information shared with the board that poses the biggest security risk to the business. Board members routinely handle documents that set out the strategy of the business: M&A information, negotiation details, senior executive remuneration, and financial and customer data. And yet it is not uncommon for them to be excluded from day-to-day security rules, sitting above the rest of the organisation’s standards.
It is still common for business-critical documents to be sent to board members over unsecured email, to be printed off at home and carried to meetings (often across international borders), or for paper packs to be couriered to them ahead of meetings.
The first step to mitigating risk is education. There should not be a board in the country who isn’t concerned about the threat of a data leak or breach. If the board understands its role in securing the business, it will go some way to reducing the threat. It’s good practice to have a security expert on the board, who can promote a culture of information security, and ensure that all board members practice good information security themselves. Security should be on the agenda regularly at board meetings. This will send a clear message to the rest of the business – security is a top priority.
Board level information should be subject to the same rigorous security checks as all other corporate data. It should never be shared on paper, but accessed digitally through a board portal – a platform that allows business information to be compiled, accessed and communicated to board members securely. Data can be encrypted (both in transit and at rest), and accessed with a digital key. Those keys should be controlled centrally, with a clear protocol for changing access rights if a password or device is lost or stolen. There should be clarity on and control over who has access to what level of information.
Security is one of the biggest concerns facing boards today. A breach has unlimited ability to damage a corporate reputation and its financial success. The process of securing a company should start right at the top.