Cybersecurity Is A Boardroom Blind Spot

Uploaded on 2016-08-04 in NEWS-Cybersecurity News, FREE TO VIEW

Is cybersecurity on the agenda in your boardroom? In the most recent Cyber Governance Health Check it was found that 33% of boards have ‘clearly set and understood their appetite for cyber-risk’, up 18% from 2014.

However, on average only 54% of boardrooms ‘hear about cybersecurity twice a year’ – or when there is a cybersecurity incident, showing that not everyone thinks this issue is worthy of discussion at this level.

Is Cybersecurity Just a Job for the IT Department?

While large enterprises attract the headlines when it comes to data breaches and the disruptive consequences of a cyber-attack, SMEs are far from exempt. In fact the latest Government Security Breaches survey paints a very different picture with 74% of SMEs reporting a security breach in the last year, and SMEs being specifically targeted by cyber-criminals.

Encouragingly, we’re seeing more interest from directors and senior business leaders registering for our workshops that address SME vulnerabilities and how to develop a cybersecurity strategy to reduce these risks. However, we still come across the mind-set that security is a job for the IT department, not a business-critical factor that needs a top down approach.

A successful cybersecurity strategy needs buy in from the board to ensure that security policies are implemented across the organization; promoting a culture of awareness and prevention. Your IT department can install security measures to protect systems and information, but as the biggest threats to your business are actually your employees, IT security solutions such as firewalls and anti-virus software are not effective on their own.

Instead your IT team, whether internal or outsourced, needs sponsorship from the board. This means a place at the boardroom table and an understanding of how IT and security play an important role in business operations and strategy. Not addressing security issues effectively could cost your business significantly.

As well as considering the expenses to rectify a cyber-attack; but you must also factor in fines from the regulator if you operate in regulated industries, loss of clients, and stiffer fines from the EU under new data protection laws coming into play in 2018.

While larger businesses may be able to swallow the associated costs of a serious data breach or cyber-attack on their businesses, can you?

How to get buy-in from the Board

The first step to developing a robust cybersecurity policy comes when board members understand the implications of an attack. Again, especially for those in regulated industries, non-compliance is extremely serious for both the organization and individuals, where senior managers can no longer say that they were unaware of security risks.

Understanding how a cyber-attack can impact on an organization and its representatives, certainly focuses the mind! Sadly, this often comes only once an attack has been experienced first-hand.

Secondly, board members need to understand where those vulnerabilities lie so they can support their IT team, trainers and other key people within the organization. The most significant cyber-threat to SMEs is their own staff providing a gateway into the organization’s networks and systems. This may be through inadvertently clicking on a link to malware or sharing passwords and other critical information inappropriately.

Fortunately, this is one area of IT security that doesn’t involve throwing money at the problem only to be thwarted a new emerging threat. Training and awareness exercises for the benefit of all employees, and senior board members, will ensure that everyone within an organization is vigilant and proactive about keeping sensitive, business-critical information safe. However, this can only be achieved with the support of the board – leading by example and making security part of organizational culture.

Regular health checks, risk assessments or audits, formal written cybersecurity policies, as well as business continuity and disaster recovery plans are all important aspects of this, ones that directors and other stakeholders should welcome in the Boardroom.

Sign Up for Cyber Security Intelligence Board Reports

Infosecurity Magazine

« Half UK Employees Have No Cyber Security Training
Companies See Cyber Threats But Can’t Deal With Them »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Celestix Networks

Celestix Networks

Celestix is a global provider of secure network solutions that enable the simple deployment of secure remote access connectivity.

Morgan Lewis Law

Morgan Lewis Law

Morgan Lewis is an international law firm with offices in North America, Europe, Asia, and the Middle East. Practice areas include Privacy and Cybersecurity.

Seclore

Seclore

Seclore is the most advanced, secure, and automated Enterprise Digital Rights Management (EDRM) solution available.

Trend Micro

Trend Micro

Trend Micro is a leader in hybrid cloud, endpoint, and network security solutions.

CyberSift

CyberSift

CyberSift is a cyber security provider. We develop threat detection software which needs no infrastructure changes as it integrates with almost any security tool.

Cybersecurity Innovation Hub

Cybersecurity Innovation Hub

The main objective of the Hub is to bring cybersecurity and other advanced technologies closer to companies and as a result help to increase their performance as Industry 4.0.

DAkkS

DAkkS

DAkkS is the national accreditation body for Germany. The directory of members provides details of organisations offering certification services for ISO 27001.

OriginalMy

OriginalMy

OriginalMy is a cybersecurity startup, focussed on digital governance and information authentication. Its mission is to prove authenticity using state-of-the-art cryptography and blockchain technology

Grayshift

Grayshift

Grayshift is the leading provider of mobile device digital forensics, specializing in lawful access and extraction.

Componolit

Componolit

Componolit GmbH is a highly specialized company with a strong emphasis on trustworthy software, component-based systems and formal verification.

Fifosys

Fifosys

Fifosys is a professional technology infrastructure specialist, delivering a broad portfolio of high quality technical and strategic managed services.

Softwerx

Softwerx

Softwerx is the UK’s leading Microsoft cloud security practice. We’ve been helping forward-thinking companies better secure their businesses for nearly twenty years.

Aeries Technology

Aeries Technology

Aeries is a technology services organization offering capabilities in Technology Services, Digital Transformation, and Business Process Management.

Deepware

Deepware

Deepware is an emerging AI research company dedicated to exploring the potential of GenAI in both generation and detection.

IT Voice

IT Voice

IT Voice specializes in Managed IT and VoIP solutions. Our focus is simplifying the technology so our customers can stay focused on what they do best.

CovertSwarm

CovertSwarm

Since 2020 CovertSwarm have been radically redefining how enterprise security risks are discovered. We outpace the cyber threats faced by our clients using a constant cyber attack methodology.