Discussing Cybersecurity in the Boardroom

Cyber warfare is a very real and present danger, with more companies finding themselves on the losing end of the battle. Statistics from security monitoring services show that in a single hour alone, there are about 184,188 recorded cyber security breaches. This should be a wake-up call to key stakeholders, the majority of whom assume that cybersecurity is simply an IT problem and responsibility.

Many companies are susceptible to hackers. They are often internationally organized groups who actively try to steal your company data, retrieve your unencrypted files and gain access to your finances through digital devices.

In 2014, hackers gained an estimated $53.7 million from stealing Target's customers' data. The attack, on a grand scale, cost Target $148 million, and cost financial institutions $200 million. Meanwhile, Home Depot also found itself vulnerable to cyber attacks and had to pay $62 million to cover the ensuing costs. As of this writing, we don't have a complete estimate of how much the Equifax data breach is going to cost the economy. But we know that the repercussions will be felt for years to come.

When your staff is not properly trained in security measures and data protection, it can be an Achilles' heel. All it takes is one weak spot, for example one unsecured server, and data breaches will make your company vulnerable to cyber attackers.

When Corporate Heads Roll

The risks of cyber security breaches have been around for a long time, but only in the last few years have they become significantly damaging to brands. Just look at the repercussions of security breaches at Target, JPMorgan Chase, Home Depot, and Equifax, for example.

Many times, CIOs and CEOs of major companies have had to take the blame and resign, due to these high-profile attacks resulting in lawsuits and damage to company reputation. So while digital transformation can be a good thing, it also presents these very real threats, which must be dealt with and taken seriously in the boardroom.

Cybersecurity at the Board Level

Tim Campos, Facebook’s CIO, said, “Any company involved in the Internet or storing confidential customer information on their network must include cybersecurity as a priority board focus.”

Your board members probably have a general idea about cybersecurity risks, but detecting and responding to a breach may not be at the top of their priorities. This oversight may have dire consequences. If investors, customers and clients are at the top of your company's priorities, your board should realize how much is at stake in terms of data and financial risk. To put this into perspective, Lloyd’s of London’s biennial Risk Index ranked cybersecurity in 12th place on board agendas in 2011. Two years later, cybersecurity had already risen to 3rd place.

Who Is Accountable When a Cybersecurity Breach Occurs?

While cybersecurity must be everyone's concern, the buck usually stops with the CEO. Data access is likely the responsibility of your IT department and CISO, but the top leadership should always be held ultimately responsible for cybersecurity breaches. This is because it is essentially up to them to tell the IT departments how and what to prioritize. It is up to the leaders to devise strategies to protect important data and to train their staff in cybersecurity awareness. The CISO still manages risks, but they shouldn’t feel alone with the responsibility. As Giles Baxter, CIO at Arthur J. Gallagher, states, “Cyber security is a board-level priority ... I can only see cybersecurity continuing to be an increasing focus of my time.”

What Is Your Biggest Fear Regarding Cyber Attacks?

The results of a data survey of companies in 79 countries revealed that the threat of cyber attacks is among the biggest fears of most businesses.

“Cyber-attacks and data breaches continue to cost organizations billions of dollars annually, a sum that is only likely to go up with the increasing integration of new pieces of technology into daily operations,” says BCI Executive Director David Thorp.

In the case of a serious cyber security breach, how prepared are you to handle it? And what measures can your boardroom put in place to prepare for — and protect from — such attacks? One good start may be facilitating discussions through a separate committee, whose job will be to focus on the cyber risks.

Another approach can be hiring a team of third-party cybersecurity experts, who can educate your directors on the importance of preparedness, and assess cyber risk readiness.

Atkins Chief Digital Officer Richard Cross said, “Cyber is actively discussed and owned at board level, with our CEO taking the lead. We have a proactive cyber and information security strategy where we assess our readiness and effectiveness and share this with our audit committee.”

Cyber-risk Readiness: Questions to Ask

To assess the cyber-risk readiness of your company, here are three questions you can pose at the next board meeting:

  • Are we aware of the current cybersecurity-related risks, and are we evaluating them?
  • Of those cybersecurity risks, which are most critical and how can we list them in order of priority?
  • What is our current response plan to address cyber threats and how can we upgrade it to better protect our company, clients and reputation?

Seeking answers to the above questions is a productive way to review your current cyber-threat readiness, and to get the discussion going among all board members. Cyber risk readiness should be everyone’s concern. It is also important to have a good balance in delegating the next steps you will take so that the responsibility does not lie solely with one person or one department. All board members should get the feeling that, once specific threats are identified, progress made towards protecting against risks will be a team effort.

Follow our blog for more tips on managing security, threat detection and industry trend reports.
