How Can Boardrooms Effectively Manage Cyber Risk?

The frequency and severity of cyber-attacks are on the rise around the world, making it more important than ever for directors to be involved in the fight back. For instance; it is no longer is it acceptable for CFOs to focus purely on numbers, they must help devise and enable strategies that keep the business profitable. 
 
This must include promoting cyber security as the consequence of an attack can be disastrous.
 
Within the financial director’s remit is a responsibility to alert the board on the financial impact of a potential breach, while also ensuring that a budget is allocated for preventing and containing incidents.  As most financially focused attacks directly threaten the company balance sheet, it is vital that CFOs are aware of those strategies which make their organisations resilient to cyber-attack.
 
To give you some perspective on just how prominent cybercrime has become, a 2018 University of Surrey study conservatively estimated that cybercrime carried out on platforms such as Amazon, Facebook and Instagram generated $1.5 trillion for cyber criminals, equivalent to the GDP of Russia.
 
The scale of the problem means that cybercrime is fast becoming a top priority in the boardroom, with the CFO a central part of this. Increasingly, we are seeing boardrooms begin to request a list of non-technical strategies they can use to fight back. 
They want to adopt strategies that are fit for the modern technological age, that they can readily understand and control, rather than just guidance targeted at seasoned tech gurus.
 
For too long, cybersecurity standards and best-practice have been targeted at an audience engaged at tactical and operational levels and made difficult for boards to digest.
 
Yet many financial directors have a responsibility to know that their organisations are adequately protected from a potential attack. To be able to manage budgets effectively they must become well-versed in those foundational strategies which can be used to drive down their business exposure to cybercrime.
 
Analogous to a military hierarchy, whilst a General may need an appreciation of the challenges in the positioning and use of artillery, they may not be best serving the effort if they spend most of their time on the front line when there is a bigger picture to manage.
 
It is essential then that cybersecurity experts begin to adopt a language that is easily understood by all, rather than focusing on technical jargon which is baffling to many. Devising cyber risk management strategies that are easily understood and led by the boardroom will become ever more important in the current digital age. Understanding what has gone before and what does and doesn’t work will help CFOs and other board members to address current and future cyber risk.
 
Explaining the Cyber|Seven Strategies
For years, we have collected key observational data from hundreds of cyber incidents to which we have responded. We have spent time analysing incidents to distil the strategies every organisation needs to adopt to avoid cyber risk.
We call these strategies the Cyber|Seven.
 
The Cyber|Seven strategies are non-technical actions defined in straightforward terms that any competent board will understand and be able to implement.
 
CFOs and their boardroom peers are increasingly realising that effective cyber risk management is not just about technology. Other protections including staff skills, awareness and cyber insurance are also essential considerations.
To enable Boards to ‘self-assess’ their organisations effective implementation of the Cyber|Seven strategies we have built a simple, secure online tool which is free and anonymous at the point of use. Importantly, the questions are designed to be answered by board-level executives. 
 
They are focused on key strategies, so the problems of referral, delegation and feedback that many tactical and operational level assessment systems have do not apply to Cyber|Seven.
 
What are the Cyber|Seven Strategies?
 
The key strategies forming the foundations for effective cyber risk management are:
 
1. Responsibility
Effective cyber risk management needs Ownership: Boards must appoint a “Cyber Champion” who is responsible for oversight of cyber risk management (budget, staffing, SLAs, security protection, cyber incidents, cyber insurance).
2. Information Asset Awareness
Boards must be aware of their intangible (data/info) assets and ideally sort them into broad categories and criticality. The CFO is central to this.
3. Adequate IT Budget
Is your IT budget big enough? Most IT departments are notoriously under-funded by boards. Information is the lifeblood of pretty much all modern organisations and information technology needs adequate funding to ensure resilience.
4. Payment Control
Because many payments systems are now online and almost all cybercrime is simply cyber-enabled fraud, payment controls such as segregation are more important than ever.
5. IT Staff Count Ratio
The ratio of IT staff to end users: Too many organisations are massively understaffed leading to stressed IT teams who make silly mistakes and leave organisations vulnerable to cyber-attack. IT staff and cyber security staffing is a key risk management strategy.
6. IT Skills & Staff Awareness
Most organisations considerably under-invest in on-going training for IT staff; in standard IT, let alone cyber security. They need to support staff and make skills acquisition a prerequisite for career growth and/or good job performance. 
Furthermore, all staff need to be given awareness training to enable them to spot cyber incidents and scams.
7. Technology Versions
The older the technology the longer hackers have had to find vulnerabilities in it. Staying current means keeping the organisation ahead of the attackers. Boards do not need to know the details but do need a strategy which rejects suppliers who do not support the latest technologies.
 
The Cyber|Seven approach is a rapid yet extremely targeted way for business leaders to establish key strategies which form the foundation for effective cyber risk management. 
 
So, what will your business score result look like? Are you a Cyber|Strategist? 
 
For more Cyber-Security Training and Information please contact Cyber Security Intelligence:
 
Financial Director:       Image: Nick Youngson
 
You Might Also Read: 
 
British Government Says Company Directors Must Become Cyber Aware:
 
« New Zealand Reconsiders Mass Surveillance
AI Is The New Route For Both Cyber Attacks And Their Prevention »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Pondurance

Pondurance

Pondurance is an IT Security and Compliance company providing services in Cyber Security, Continuity, Compliance and Threat Management.

European Defence Agency (EDA)

European Defence Agency (EDA)

EDAs mission is to improve European defence capabilities. Programme areas include Cyber Defence.

Team8

Team8

Team8 is Israel’s most prestigious cybersecurity think tank and venture creation foundry.

TUV Rheinland Group

TUV Rheinland Group

TUV Rheinland Group is a testing services company with nearly 145 years of technological experience. We help you to protect your systems comprehensively, proactively and permanently.

APT Search

APT Search

APT Search is a recruitment company specialising within the Legal Technology, Cybersecurity and Privacy sectors.

BluBracket

BluBracket

BluBracket is the first comprehensive security solution that makes code safe—so developers can innovate and collaborate, and security teams can sleep at night.

Thomsen Trampedach

Thomsen Trampedach

Thomsen Trampedach offers a tailored-made brand protection solution to each customer using a proprietary enforcement automation and reporting tool and a multilingual enforcement team.

NINJIO

NINJIO

NINJIO is a leader in cybersecurity awareness training. View IT Security Awareness through a different lens - entertain and educate your users through storytelling.

CybX Security LLC

CybX Security LLC

CybX is the first company of its kind to merge the practice of computer forensics with computer security and information security.

Patriot Cyber Defense

Patriot Cyber Defense

Patriot Cyber Defense is a Cyber Security and Management Consulting professional services firm.

Salt Cybersecurity

Salt Cybersecurity

Salt Cybersecurity offer a four-pronged approach to information security that includes Custom Security Policy, Vulnerability Assessment, Threat Detection, and Security Awareness Training.

Toka Group

Toka Group

Toka empowers government agencies with critical and previously out-of-reach digital forensics, force protection and Intelligence capabilities, tackling the fields' most pressing challenges.

RKVST

RKVST

RKVST is a powerful tool that builds trust in multi-party processes when it’s critical to have high assurance in data for confident decisions.

Myota

Myota

Myota intelligently equips each file to be resilient and achieve Zero Trust-grade protection. Withstand ransomware and data breach attacks. Reduce data restoration time and effort.

Ventum Consulting

Ventum Consulting

Ventum Consulting stands for digitalization, networking and agilization. We take this up on the strategic, professional and technical side and support our customers in the digital transformation.

Apex

Apex

We aspire to make the AI revolution run faster, securely, for the benefit of all. We are purposely built for the new AI era and are creating capabilities to safely enable AI.