[BreachExchange] Cybersecurity - A Boardroom Blindspot

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jul 11 19:18:57 EDT 2016


http://www.infosecurity-magazine.com/blogs/cybersecurity-a-boardroom-blindspot/

Is cybersecurity on the agenda in your boardroom? In the most recent Cyber
Governance Health Check it was found that 33% of boards have ‘clearly set
and understood their appetite for cyber-risk’, up 18% from 2014.

However, on average only 54% of boardrooms ‘hear about cybersecurity twice
a year’ – or when there is a cybersecurity incident, showing that not
everyone thinks this issue is worthy of discussion at this level.

Is Cybersecurity Just a Job for the IT Department?

While large enterprises attract the headlines when it comes to data
breaches and the disruptive consequences of a cyber-attack, SMEs are far
from exempt. In fact the latest Government Security Breaches survey paints
a very different picture with 74% of SMEs reporting a security breach in
the last year, and SMEs being specifically targeted by cyber-criminals.

Encouragingly, we’re seeing more interest from directors and senior
business leaders registering for our workshops that address SME
vulnerabilities and how to develop a cybersecurity strategy to reduce these
risks. However, we still come across the mind-set that security is a job
for the IT department, not a business-critical factor that needs a top down
approach.

A successful cybersecurity strategy needs buy-in from the board to ensure
that security policies are implemented across the organization, promoting a
culture of awareness and prevention. Your IT department can install
security measures to protect systems and information, but as the biggest
threats to your business are actually your employees, IT security solutions
such as firewalls and anti-virus software are not effective on their own.

Instead your IT team, whether internal or outsourced, needs sponsorship
from the board. This means a place at the boardroom table and an
understanding of how IT and security play an important role in business
operations and strategy. Not addressing security issues effectively could
cost your business significantly.

As well as the expenses of rectifying a cyber-attack, you must also factor
in fines from the regulator if you operate in regulated industries, loss of
clients, and stiffer fines from the EU under new data protection laws
coming into play in 2018.

While larger businesses may be able to swallow the associated costs of a
serious data breach or cyber-attack on their businesses, can you?

How to get buy-in from the board

The first step to developing a robust cybersecurity policy comes when board
members understand the implications of an attack. Again, especially for
those in regulated industries, non-compliance is extremely serious for both
the organization and individuals, where senior managers can no longer say
that they were unaware of security risks.

Understanding how a cyber-attack can impact an organization and its
representatives certainly focuses the mind! Sadly, this often comes only
once an attack has been experienced first-hand.

Secondly, board members need to understand where those vulnerabilities lie
so they can support their IT team, trainers and other key people within the
organization. The most significant cyber-threat to SMEs is their own staff
providing a gateway into the organization’s networks and systems. This may
be through inadvertently clicking on a link to malware or sharing passwords
and other critical information inappropriately.

Fortunately, this is one area of IT security that doesn’t involve throwing
money at the problem only to be thwarted by a newly emerging threat. Training
and awareness exercises for the benefit of all employees, and senior board
members, will ensure that everyone within an organization is vigilant and
proactive about keeping sensitive, business-critical information safe.
However, this can only be achieved with the support of the board – leading
by example and making security part of organizational culture.

Regular health checks, risk assessments or audits, formal written
cybersecurity policies, as well as business continuity and disaster
recovery plans are all important aspects of this, ones that directors and
other stakeholders should welcome in the boardroom.