Make the Board of Directors Your Cybersecurity Ally
When you work from home, every day is casual Friday. During the pandemic, remote workers were quite happy to trade in their typical business attire for sweatpants and pajamas. Unfortunately, too many remote workers took a similarly casual approach to cybersecurity.
Risky behaviors by remote workers have contributed to a startling increase in insider threats. According to research conducted by Forrester Consulting, three-quarters of U.S. companies say insider risk is of greater concern now than before the pandemic. Additionally, 66percent said they experience data leaks due to insiders at least monthly.
These risks are no longer just an IT concern. Because data breaches represent an existential threat to many companies, cybersecurity is increasingly seen as a board-level issue. Gartner predicts that by 2025, 40 percent of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member.
That’s a wise choice. Board members have traditionally had little involvement in the specifics of cybersecurity, leaving those matters to chief information security officers (CISOs). But the threat has simply become too great. Global business losses from cybercrime reached nearly $1 trillion in 2020, almost double the loss from the previous year, according to a new report from the Center for Strategic and International Studies.
Although directors may lack a solid understanding of cybersecurity technologies, it is worth the CISO’s time and effort to bring them up to speed. Directors who can intelligently discuss these matters will help ensure that cybersecurity gets the attention it deserves. Additionally, an engaged board can set the tone throughout the organization by creating a culture of security awareness.
When discussing cybersecurity with directors, it is essential to provide solid information that’s free from industry jargon. Board members likely understand the business-critical nature of IT, but that doesn’t make them technology experts. Clear, concise presentations that identify risks and offer solutions will have more impact than highly technical reports describing arcane performance indicators and byzantine architectural descriptions.
Here is some of the basic information that will help keep board members engaged in cybersecurity efforts:
Describe your company’s level of risk. This could be a summary of the organization’s critical information assets, the probability of exposure based on current trends and safeguards, and the potential financial impact of a successful attack or breach. Also try to quantify how a successful attack will affect the company’s reputation, brand and partnerships.
Outline the current risk landscape. Present information on the number and types of attacks that are of greatest concern. For example, as organizations move more workloads into the cloud, the board should be aware of increases in compromised cloud accounts. In addition, you should be able to discuss what measures you are taking or would like to take to reduce the company’s exposure.
Detail your incident-response plan. Describe how IT identifies, contains and eradicates any threats, and your process for recovering any affected systems or data. This should include a discussion of backup, disaster recovery and business continuity plans.
Provide context for cybersecurity spending. Monitoring and evaluating company spending are among the basic responsibilities of the board. Provide ROI data to illustrate how dollars are being spent. Compare and contrast the costs of preventive security measures against the cost of remediation.
Of course, that’s not an exhaustive list, but it should be enough to get a conversation started. With most organizations planning to continue supporting remote work, at least on apart-time basis, directors need to understand that even the most trusted employees can sometimes put the company at risk. Call us to learn more about how to keep the board involved in your efforts to mitigate insider risks and keep the business secure and productive.