How Can Boardrooms Effectively Manage Cyber Risk?

The frequency and severity of cyber-attacks are on the rise around the world, making it more important than ever for directors to be involved in the fight back. For instance; it is no longer is it acceptable for CFOs to focus purely on numbers, they must help devise and enable strategies that keep the business profitable. 
 
This must include promoting cyber security as the consequence of an attack can be disastrous.
 
Within the financial director’s remit is a responsibility to alert the board on the financial impact of a potential breach, while also ensuring that a budget is allocated for preventing and containing incidents.  As most financially focused attacks directly threaten the company balance sheet, it is vital that CFOs are aware of those strategies which make their organisations resilient to cyber-attack.
 
To give you some perspective on just how prominent cybercrime has become, a 2018 University of Surrey study conservatively estimated that cybercrime carried out on platforms such as Amazon, Facebook and Instagram generated $1.5 trillion for cyber criminals, equivalent to the GDP of Russia.
 
The scale of the problem means that cybercrime is fast becoming a top priority in the boardroom, with the CFO a central part of this. Increasingly, we are seeing boardrooms begin to request a list of non-technical strategies they can use to fight back. 
They want to adopt strategies that are fit for the modern technological age, that they can readily understand and control, rather than just guidance targeted at seasoned tech gurus.
 
For too long, cybersecurity standards and best-practice have been targeted at an audience engaged at tactical and operational levels and made difficult for boards to digest.
 
Yet many financial directors have a responsibility to know that their organisations are adequately protected from a potential attack. To be able to manage budgets effectively they must become well-versed in those foundational strategies which can be used to drive down their business exposure to cybercrime.
 
Analogous to a military hierarchy, whilst a General may need an appreciation of the challenges in the positioning and use of artillery, they may not be best serving the effort if they spend most of their time on the front line when there is a bigger picture to manage.
 
It is essential then that cybersecurity experts begin to adopt a language that is easily understood by all, rather than focusing on technical jargon which is baffling to many. Devising cyber risk management strategies that are easily understood and led by the boardroom will become ever more important in the current digital age. Understanding what has gone before and what does and doesn’t work will help CFOs and other board members to address current and future cyber risk.
 
Explaining the Cyber|Seven Strategies
For years, we have collected key observational data from hundreds of cyber incidents to which we have responded. We have spent time analysing incidents to distil the strategies every organisation needs to adopt to avoid cyber risk.
We call these strategies the Cyber|Seven.
 
The Cyber|Seven strategies are non-technical actions defined in straightforward terms that any competent board will understand and be able to implement.
 
CFOs and their boardroom peers are increasingly realising that effective cyber risk management is not just about technology. Other protections including staff skills, awareness and cyber insurance are also essential considerations.
To enable Boards to ‘self-assess’ their organisations effective implementation of the Cyber|Seven strategies we have built a simple, secure online tool which is free and anonymous at the point of use. Importantly, the questions are designed to be answered by board-level executives. 
 
They are focused on key strategies, so the problems of referral, delegation and feedback that many tactical and operational level assessment systems have do not apply to Cyber|Seven.
 
What are the Cyber|Seven Strategies?
 
The key strategies forming the foundations for effective cyber risk management are:
 
1. Responsibility
Effective cyber risk management needs Ownership: Boards must appoint a “Cyber Champion” who is responsible for oversight of cyber risk management (budget, staffing, SLAs, security protection, cyber incidents, cyber insurance).
2. Information Asset Awareness
Boards must be aware of their intangible (data/info) assets and ideally sort them into broad categories and criticality. The CFO is central to this.
3. Adequate IT Budget
Is your IT budget big enough? Most IT departments are notoriously under-funded by boards. Information is the lifeblood of pretty much all modern organisations and information technology needs adequate funding to ensure resilience.
4. Payment Control
Because many payments systems are now online and almost all cybercrime is simply cyber-enabled fraud, payment controls such as segregation are more important than ever.
5. IT Staff Count Ratio
The ratio of IT staff to end users: Too many organisations are massively understaffed leading to stressed IT teams who make silly mistakes and leave organisations vulnerable to cyber-attack. IT staff and cyber security staffing is a key risk management strategy.
6. IT Skills & Staff Awareness
Most organisations considerably under-invest in on-going training for IT staff; in standard IT, let alone cyber security. They need to support staff and make skills acquisition a prerequisite for career growth and/or good job performance. 
Furthermore, all staff need to be given awareness training to enable them to spot cyber incidents and scams.
7. Technology Versions
The older the technology the longer hackers have had to find vulnerabilities in it. Staying current means keeping the organisation ahead of the attackers. Boards do not need to know the details but do need a strategy which rejects suppliers who do not support the latest technologies.
 
The Cyber|Seven approach is a rapid yet extremely targeted way for business leaders to establish key strategies which form the foundation for effective cyber risk management. 
 
So, what will your business score result look like? Are you a Cyber|Strategist? 
 
For more Cyber-Security Training and Information please contact Cyber Security Intelligence:
 
Financial Director:       Image: Nick Youngson
 
You Might Also Read: 
 
British Government Says Company Directors Must Become Cyber Aware:
 
« New Zealand Reconsiders Mass Surveillance
AI Is The New Route For Both Cyber Attacks And Their Prevention »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Green Hills Software

Green Hills Software

Green Hills Software is the largest independent vendor of embedded secure software solutions for applications including the Internet of Things.

OpenText

OpenText

OpenText is a leader in Enterprise Information Management software and a portfolio of related solutions for Information Governance, Compliance, Information Security and Privacy.

Cyber Discovery

Cyber Discovery

Cyber Discovery, the UK Government's Cyber Schools Programme, is a learning programme designed to give young people the opportunity to learn the skills needed to enter the cyber security profession.

Information Technology Industry Development Agency (ITIDA)

Information Technology Industry Development Agency (ITIDA)

ITIDA has two broad goals: building the capacities of Egypt’s local information and communications technology (ICT) industry and attracting foreign direct investments to boost the ICT sector.

Ledger

Ledger

Ledger is a leader in security and infrastructure solutions for cryptocurrencies and blockchain applications using its proprietary technology.

CyberForum

CyberForum

CyberForum supports businesses from the IT and high-tech industry in all stages of their development: from startup consulting to professional staffing and even location marketing campaigns.

Lumu Technologies

Lumu Technologies

Lumu is a cybersecurity company that illuminates threats and attacks affecting enterprises worldwide.

SurePassID

SurePassID

SurePassID is a provider of highly secure, highly extensible multi-factor authentication (MFA) solutions.

Tugboat Logic

Tugboat Logic

Tugboat Logic was created to address the skills and expertise gap in the security and compliance industry. Our goal is to simplify and automate information security management for every enterprise.

BOXX Insurance

BOXX Insurance

BOXX Insurance Inc. is a new type of insurance company for a new type of risk. Cyberboxx is the first fully-integrated cybersecurity and insurance solution for small-to-medium-sized businesses.

Zilla Security

Zilla Security

Zilla combines identity governance with cloud security to deliver comprehensive access visibility, reviews, lifecycle management, and policy-based security remediation.

Allure Security

Allure Security

Allure Security AI-driven brand protection scans more of the online world for faster, more accurate detection & removal of spoof websites, social media & mobile apps -- before customers fall victim.

Excite Cyber

Excite Cyber

Excite Technology Services (formerly Cipherpoint) is focused on improving the security posture of our customers.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Nightwing

Nightwing

Nightwing is the intelligence services company that continually redefines the edge of the possible to keep advancing our national security interests.

EGUARDIAN

EGUARDIAN

EGUARDIAN serves as a Value-Added Distributor and technology enabler in the APAC region with the aim of further expanding globally and cater to the needs of the demands with the emerging technology.