Cybersecurity – what every board member should know.

This article is written for senior business leaders and as such does not contain technical jargon. It is written with the intention to communicate simply and clearly what every board member and company director needs to know, and what questions they should ask, to get a better perspective on the cybersecurity risks to their organization. Any technical aspects discussed are there only to give context to the considerable impact board members have on cybersecurity. Too often cyber folks quickly lose the attention of their company leadership with tech speak; therefore, I have concentrated this article on communicating business risk.

What is cybersecurity & why is it important?

Whether you are a new board member or have spent many years on a board, it is crucial that you have a clear idea of what cybersecurity is and the risks it poses to your organization. According to a recent National Association of Corporate Directors (NACD) survey, sixty-one percent of directors report that they would be willing to compromise on cybersecurity to achieve business objectives, while twenty-eight percent prioritize cybersecurity above all else. These are radically opposite views, so naturally the next question is, which group is right?

The difference in responses has to do with how executives view cybersecurity: some perceive it as a business enabler, while others see it as an Information Technology (IT) or compliance issue and fail to appreciate the integral role cybersecurity plays in keeping business operations running smoothly. To fully understand cybersecurity risks, we must first define cybersecurity. Cybersecurity simply refers to the tools, techniques, and procedures a business uses to protect its data (proprietary data, customer data, patents, etc.), devices (computers, servers, networks, laptops, phones, etc.), systems (HR systems, accounting software, manufacturing processes, custom-built applications, etc.) and other services. With this definition in mind, it is easy to see the vital role cybersecurity plays in ensuring businesses operate smoothly and successfully.

For organizations to manage cyber risks effectively there needs to be a paradigm shift in the way senior leaders see cybersecurity. Business leaders must understand that cybersecurity goes beyond compliance and IT and is a key component of business strategy in our increasingly digital world. Simply stated: not having an adequate cybersecurity strategy that accounts for a business’s unique risks and ensures the necessary steps are taken to protect the business from bad actors is bad business and can threaten a business’s survival.

Ultimately, company directors have a responsibility to act as advisors, question-askers, problem-solvers and decision makers on matters such as the business's cybersecurity strategy. As such, it is a director's job to understand cybersecurity risks at a high level.

Ways cyberattacks can impact businesses.

According to the IBM report “How much does a data breach cost in 2022?”, the average cost of a data breach rose 2.6%, from $4.24M in 2021 to $4.35M in 2022. Breach costs are trending higher year over year while cyber attackers get more organized, invest in R&D, improve their attack mechanisms and attain greater levels of sophistication. Businesses in turn must double down on their efforts to address cyber risk at the leadership level as they pursue digital transformation. And, to quote Desiderius Erasmus, “prevention is better than cure”.

What is the role of board members regarding cybersecurity?

The role of board members in preventing cyber attacks is well explained in the Principles for Board Governance of Cyber Risk, the result of a collaboration between the World Economic Forum, the National Association of Corporate Directors (NACD), the Internet Security Alliance (ISA) and a working group of industry professionals, supported by project adviser PwC.

In summary, to achieve a cyber-resilient organization that drives strategic business goals, the board must:

  • Understand cybersecurity as a strategic business enabler
  • Understand the economic drivers and impact of cyber risk
  • Align cyber-risk management with business needs
  • Ensure organizational design supports cybersecurity
  • Incorporate cybersecurity expertise into board governance
  • Encourage systemic resilience and collaboration

The following section will explore board actions that enforce these principles.

How can board members lead the way in cybersecurity?

Contrary to what most may think, board members have a crucial role in leading cybersecurity in the organization. The following are ways a board member can contribute:

 

Include cybersecurity on the board meeting agenda:

According to the NACD, sixty-six percent of companies scheduled cyber risk at least once on their board agenda during the last year. As a new board member, you can differentiate yourself by being a champion of cybersecurity and ensuring it is, and stays, a discussion topic at every meeting.

 

Understand the consequences of a cyber breach and plan accordingly

Boards must understand that good luck is not a strategy when it comes to cybersecurity; their organizations must plan for an eventual cyber breach. To this end, it is the board's responsibility to ensure that the organization has a robust, well thought out cybersecurity Incident Response Plan (IRP) that is tested through tabletop exercises run by an independent, unbiased external party, together with a rehearsed business continuity process that is known to all relevant parties in the organization. Such a plan will limit the financial impact of an attack and help the business continue to serve its stakeholders with minimal downtime.

 

Ensure that the cybersecurity program aligns with strategic business objectives.

This point relates to our earlier emphasis that cybersecurity is a business problem, not a technical problem. Board members must have a high-level understanding of the business's cybersecurity strategy to ensure that it addresses key business risk areas such as compliance (e.g. the Payment Card Industry Data Security Standard, PCI DSS), reporting requirements (e.g. SEC reporting), data assurance, liability, governance, availability, etc. Furthermore, it is vital that the board foster cybersecurity as part of the corporate culture, starting at the highest levels with mandatory, industry-specific cybersecurity education and threat briefings for executives.

 

Address the fact that board members lack a cybersecurity background

According to NACD data, board refreshment in the past year continued to favor members with experience in executive leadership (60%) and finance (40%) over members with cybersecurity skills (less than 2%). It is time for new and existing board members to prioritize having a cybersecurity expert in their ranks and to ensure the right cybersecurity leaders exist in their organization. Highly qualified cybersecurity leaders with strong technical and business backgrounds, and the ability to quickly build relationships with senior business leaders, are invaluable in helping companies make the connection between business risk and cybersecurity risk.

 

Understand that cybersecurity and compliance go hand in hand

It is crucial for board members to understand that governments are increasingly getting involved in cybersecurity, and organizations must make it an integral part of their compliance strategy. In industries like healthcare, government, and finance, strict privacy and data protection laws and control frameworks such as HIPAA, the Homeland Security Act, NIST SP 800-53, ISO 27001 and GDPR have existed for a while. And, as reported in Stuart Madnick's HBR article, governments feel the need to do something, so we can look forward to a suite of new regulations and enforcement activities.

 

Understand the roles of the board in the event of an incident

The board must understand what is expected of them in the event of a cyber attack. To fully grasp this it is important to perform tabletop exercises regularly to educate and prepare board members for their responsibilities and roles during a cyber incident.

 

Assess whether business Critical and High-Value Assets (HVA) are adequately protected against cyberattacks

Ask the right questions and ensure the organization's most critical and high-value assets are protected at a level commensurate with their criticality. This sometimes involves engaging an external party who reports directly to the board to provide an independent assessment, in the spirit of “trust but verify”.

 

Consider whether the spending allocated to cybersecurity is adequate

Is your organization spending enough on cybersecurity considering its size and industry? Answering this means looking at the value of the organization's critical assets and the cost to replace them or recover from a disaster, and benchmarking that against what other firms of similar size and sophistication are doing. The end goal is the right balance between spending and level of security, consistent with the business's risk appetite.

 

Understanding cyber risk exposure from vendors/third parties

Understand your organization's exposure to cyber risk from suppliers, vendors, and business partners. Ask whether it is time to audit all third parties to understand what sensitive information is shared with them, review their contracts to ensure cybersecurity requirements are baked in (especially with legacy vendors), and establish what level of access these third parties have to your data.

Final thoughts

New board members have a unique opportunity to champion cybersecurity and use their lack of board tenure to ask the right questions about cybersecurity early on. As cybersecurity continues to gain prominence at all levels of business, it is imperative that boards stay engaged, understand the risks that inadequate cybersecurity poses to their business operations, and recognize the unique role only the board can play in making sure their organization has the right cyber governance and strategy in place.

Top 3 cyber-attacks affecting SMBs

SMBs are more susceptible to cyberattacks due to the lack of adequate cyber personnel and of the budget required to establish and maintain a cyber program. While most SMBs don't consider themselves prime targets for attack, a recent report by Barracuda shows that SMBs are 3 times more likely to be targeted by bad actors. According to the National Cybersecurity Alliance, 60% of SMBs go out of business within 6 months of sustaining a cyber-attack. SMBs must make cybersecurity a top business priority to protect themselves and their customers. More than 80% of SMBs report that they lack a cyber security strategy, and 70% have no plan in the event of a breach. The time is now for leaders in SMBs to get educated about what the risks are.

Below are the top 3 cyber-attacks affecting SMBs:
  1. Ransomware is one of the most common and disruptive kinds of cyberattack faced by organizations worldwide, and is usually the end result of a successful phishing or credential attack. Ransomware is a type of malware that, once activated, encrypts a company's systems and/or data, rendering them inaccessible for business purposes. Once a company has been hit, the attacker demands a substantial payment (typically in cryptocurrency) to decrypt the company's data so business can continue. To protect themselves, SMBs should identify and work with a cybersecurity provider, invest in cyber awareness training and phishing exercises, require strong passwords and preferably Multifactor Authentication (MFA) where appropriate, keep systems updated, and keep backups offline or otherwise immutable and regularly test restoring from them (encrypting backups protects their confidentiality, but does not stop an attacker from encrypting or deleting them).
  2. Business Email Compromise (BEC) attacks. A BEC scam aims to get the victim to wire money to an account controlled by the scammers. The FBI's Internet Crime Complaint Center (IC3) reports $43 billion in exposed losses (attempted and actual) to BEC scams between June 2016 and December 2021. Secure Email Gateways (SEGs) are designed to stop malware, ransomware, and emails displaying classic malicious indicators such as dangerous links or attachments; they are far less effective against BEC, and many BEC emails escape detection. Attackers bypass these conventional safeguards by starting with text-only messages that contain no links or attachments, typically impersonating an executive or supplier and asking for an urgent payment or a change of bank details. To protect themselves, SMBs should identify and work with a cybersecurity provider to select and implement the right solutions, invest in educating employees on what to look out for, and require out-of-band verification (for example a phone call to a number already on file) before any payment or change of bank details is actioned.
  3. Phishing attacks are the most common way attackers first gain a foothold in an SMB's network; phishing emails are reasonably easy to produce and deploy. They aim to launch malware and steal information. Phishing campaigns are very effective and readily scalable, allowing phishers to launch attacks with the click of a button. A phishing email or text succeeds when a user clicks on a malicious link, opens an attachment, or submits their credentials. To protect themselves, companies should invest in cyber awareness training and phishing exercises, and enforce MFA so that a phished password alone is not enough to log in.
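
The following is an added example, not code from the original article, showing why the text-only BEC messages described above slip past a gateway that only looks for links and attachments, and what kind of header and intent checks do catch them. The two messages, the company domain example.com and the executive name are constructed for illustration; the "gateway" is a deliberate simplification of a real SEG.

```python
"""Why a link-and-attachment filter misses BEC: two constructed messages."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (hypothetical; not real traffic).
PHISHING_MSG = """\
From: IT Support <helpdesk@example-mail-security.net>
To: pat@example.com
Subject: Password expiring today
Content-Type: text/plain

Your password expires in 2 hours. Reset it here: http://example-mail-security.net/reset
"""

BEC_MSG = """\
From: Jane Doe <jane.doe@gmail.com>
Reply-To: jane.doe.ceo@gmail.com
To: pat@example.com
Subject: Quick favour
Content-Type: text/plain

Pat, are you at your desk? I need a wire sent to a new vendor before 5pm.
I'm in meetings all day, so just reply here and I'll send the bank details.
"""

# Hypothetical tenant settings: the company's own domain and the display
# names of executives whose payment requests staff would act on.
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}

URL_RE = re.compile(r"https?://", re.IGNORECASE)
MONEY_RE = re.compile(r"\b(wire|transfer|invoice|bank details|gift cards?|payment)\b",
                      re.IGNORECASE)
URGENCY_RE = re.compile(r"(urgent|asap|right away|before \d|in meetings)", re.IGNORECASE)


def body_text(msg):
    """Return the plain-text body of a parsed message (multipart-safe)."""
    if msg.is_multipart():
        return "\n".join(part.get_payload() for part in msg.walk()
                         if part.get_content_type() == "text/plain")
    return msg.get_payload()


def gateway_verdict(raw):
    """Model of a classic content filter: it only looks for links and attachments."""
    msg = message_from_string(raw)
    has_attachment = any(part.get_filename() for part in msg.walk())
    has_link = bool(URL_RE.search(body_text(msg)))
    return "block" if (has_attachment or has_link) else "allow"


def bec_verdict(raw):
    """Header and intent checks that work on text-only mail; returns (verdict, reasons)."""
    msg = message_from_string(raw)
    reasons = []
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()

    # 1. A trusted executive's name on an address outside the company domain.
    if display_name.strip().lower() in EXECUTIVE_NAMES and sender_domain != INTERNAL_DOMAIN:
        reasons.append("executive display name on external address")

    # 2. Replies are steered to an address different from the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != sender.lower():
        reasons.append("reply-to differs from sender")

    # 3. Payment language combined with pressure to act now.
    body = body_text(msg)
    if MONEY_RE.search(body) and URGENCY_RE.search(body):
        reasons.append("payment request with urgency")

    return ("flag" if reasons else "allow"), reasons


if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_MSG), ("bec", BEC_MSG)):
        print(label, "gateway:", gateway_verdict(raw), "bec-check:", bec_verdict(raw))
```

Run as a script, the phishing message is blocked by the gateway model because of its link, while the BEC message is allowed through and is only flagged by the second set of checks. Heuristics like these produce false positives and are a supplement to staff training and out-of-band payment verification, not a replacement for them.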

SMBs can reduce their overall cyber risk exposure by identifying and working with a cybersecurity provider prior to a breach. For those on a tighter budget, there are a number of free resources available online:

  • https://www.cisa.gov/publication/stopthinkconnect-small-business-resources
  • https://www.fcc.gov/communications-business-opportunities/cybersecurity-small-businesses
  • https://www.cisa.gov/uscert/home-and-business
  • https://staysafeonline.org/

Cybersecurity Strategy and why your Organization should have one

As business, technology and cybersecurity threat landscapes rapidly evolve, it is becoming more and more important for businesses to have a well thought through cybersecurity strategy to help them prioritize their activities, focus finite resources, achieve financial discipline on cyber spend and anticipate cyber attacks.

Your cybersecurity strategy:

  • Is key to the effective use of finite organizational resources
  • Should articulate your organization's cybersecurity focus areas, core cyber capabilities and desired future state
  • Should focus on the unique combination of your organization's cyber threat profile, cyber capabilities, people, size and industry
  • Should align with and enable your business to create value
  • Should not be a one-off activity, but should adapt to changes in the business, threat landscape, market positioning, etc.

What is Cybersecurity Strategy?

I define cybersecurity strategy as a coordinated set of cyber activities designed to enable a business, improve its cybersecurity posture and bolster its resilience in the face of evolving market, technology and threat landscapes. The strategy should be unique to the organization's particular cyber capabilities, budget, workforce and industry positioning. It should speak as much to what an organization will do as to what it will not do from a cybersecurity perspective (e.g. build vs. buy, outsourcing). And lastly, a cybersecurity strategy should set the organization's cybersecurity objectives and priorities.

An effective cybersecurity strategy should be based on an organization's unique threat profile, its critical and high-value assets and data, and other risk factors. A cyber threat profile quickly articulates threat types, threat actors and organizational risk. The strategy should not be a technical document; it should address how the organization aims to use technology to securely enable business functions, increase productivity and reduce costs.

Why should you invest the time in developing a cybersecurity strategy?

A cybersecurity strategy, like a business strategy, is the key document that guides an organization's cyber decision making, focuses its finite resources, prioritizes cyber objectives and tracks cyber performance against those objectives. The fact is that every organization is executing a cybersecurity strategy, consciously or unconsciously. Organizations with mature cybersecurity programs have this strategy clearly articulated and documented, while those at a lower level of maturity operate in a more ad hoc fashion. Key things to address in a cybersecurity strategy:

  • Governance & Management
  • Budget
  • Personnel (Recruiting & Retention)
  • Technology
  • Cybersecurity capability development
  • Threat Profile
  • Culture

Who should be involved in crafting your Cybersecurity Strategy?

At a minimum organizations should include the following stakeholders to help shape a comprehensive cybersecurity Strategy:

  • Senior leaders
  • Finance
  • Business unit leads
  • Human Resources (HR)
  • Physical Security

How your cybersecurity strategy should evolve.

The last few months have reminded us all that change is the only constant in life and business. As organizations continue to grapple with shifting priorities, evolving technologies and more sophisticated adversaries, there is a heightened need to keep their finite cyber resources focused on their strategic objectives. To manage change effectively in the cybersecurity context, organizations should:

  • Understand what assets are critical to their business mission and how those asset classes are evolving
  • Ensure cyber leaders are kept informed of changing business realities
  • Understand their unique threat actors and follow threat actor evolution by monitoring threat sources
  • Understand evolving threat actor Tactics, Techniques and Procedures (TTPs)
  • Anticipate how major shifts in technology use will affect how they secure their assets and people