[BreachExchange] Board responsibilities must evolve in the face of increasing cyber threats
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Jul 13 18:59:43 EDT 2017
http://www.cbronline.com/news/cybersecurity/protection/board-responsibilities-must-evolve-face-increasing-cyber-threats/
While the advent of new technologies such as automation, Artificial
Intelligence and machine learning is helping propel businesses forward,
it is also opening up organisations to growing security risks.
Huge advances are being made in genomics and manufacturing technologies,
with machines closing in on human abilities with astonishing speed. Yet,
cybercrime represents the dark side of digitisation, and is the mastermind
of increasingly sophisticated individuals. We’re now facing the most
significant cybersecurity threat to date.
Last month, the WannaCry ransomware attack affected thousands of businesses
worldwide and new types of attack are emerging all the time. It’s therefore
more important than ever before for board executives to take these threats
seriously and batten down the hatches to protect their organisations,
employees and customers.
Why board executives’ responsibilities must evolve
The digital warfare is intensifying, and cyber criminals are becoming ever
more sophisticated and creative in their approach to attack. In response,
the role of the board has moved from being 90% focused on fiduciary
responsibility to 75% focused on strategy and risk management. Of all the
risks that the board oversees, cyber security has emerged as a central
theme across all large and mid-sized corporations, with businesses expected
to spend $101.6bn on cyber security software, services and hardware by
2020, according to IDC. The board should no longer focus solely on
mitigation strategies but also ensure that processes are in place to cover
liability.
On top of IP and data loss, the board must look at how it can prevent
reputational damage to its brand. We’ve seen a number of examples in the
press recently where businesses have been left red-faced due to security
scandals – from Barclays’ CEO falling victim to an email prankster to
Yahoo’s acquisition price being slashed after suffering several data
breaches. Reputation is one of the most valuable and fragile assets of an
organisation. According to the World Economic Forum, more than 25% of a
company’s market value can be attributed to its reputation, which
demonstrates the importance of getting this right. A good reputation built
through years of dedicated effort can be destroyed almost overnight,
especially in today’s world where an organisation’s customers, operations,
supply chains and internal and external stakeholders are scattered globally
and connected via technology.
New technologies significantly increase an organisation’s exposure to cyber theft
As the threat of cybercrime intensifies, it’s not a case of ‘if’ but ‘when’
hackers will strike each and every business. Exploit kits are increasingly
being sold on the dark web and paid for with bitcoins, making it easier for
anyone with an agenda to do so to buy low cost tools and remain relatively
unnoticed.
This means that the window for responding is narrowing and organisations
have to demonstrate that they have taken control of a breach very quickly
if they are to protect their data and reputation. That said, board
executives should take care over exactly how the breach is communicated to
their customers, stakeholders and the media – TalkTalk’s CEO, Dido Harding,
was heavily criticised for her handling of a major hack attack in 2015.
What board executives must do in response
Today, just 7% of organisations claim to have a robust incident response
programme in place and nearly half of UK businesses have no cyber security
plan whatsoever. To address this, the emphasis for boards must now be on
making sure that critical security infrastructure is in place, enhancing
crisis response and strategies that emphasise a good balance of
preventative and responsive tactics.
Technology is blurring the lines between industries and people are spending
more time connected to the internet than any other medium of communication,
providing increasing opportunities for attacker models. While understanding
the future impact of technologies should be the responsibility of the
business’ managers, it is the board executives’ responsibility to ask
management for their perspective on how the organisation is handling the
strategic risks related to digital disruption today.
Some organisations are creating new technology forums, building the
expertise of corporate directors and strengthening IT governance. This is
all with the aim of empowering boards to guide managers by asking the right
questions about technology and its impact, and pushing cyber security
issues to the top of the agenda.
Technology is advancing at an astonishing pace, with developments in
robotics and cognitive technologies pushing the boundaries of what’s
possible. While I am very optimistic about our connected future, C-level
executives need to ensure they’re asking all the right questions to deal
with the risks arising from the digital era and ensure they don’t fall
victim to the next cyber-attack.