How confident are you that your board is covering all the right bases related to cybersecurity? A brief look at the statistics should urge board directors to start asking questions about where the oversight of cybersecurity is lacking. Here are some figures to get your board talking about cybersecurity:
- The FBI's cybercrime list names 41 wanted criminals.
- Viruses on smartphones and mobile devices rose 54% in 2017.
- 9% of mobile malware stems from third-party app stores.
- Identity theft is up from 15 million in 2017 to 60 million in 2018.
- Cybercriminals make the U.S. their #1 target.
- The U.S. will account for half of all data breaches by 2023.
- The average cost of a data breach in the U.S. is $7.91 million.
- It takes an average of 196 days to identify a data breach.
- Cybercriminals see new opportunities as devices and systems become more interconnected.
Risk governance is the identification, assessment, management and communication of risks. Boards have a fiduciary responsibility to take a determined approach in overseeing all aspects of risk governance. The board’s responsibility extends to information security, including protecting the confidentiality of data, preserving the integrity of data and managing the authorized use of data.
5 Cybersecurity Mistakes for Boards to Avoid
Despite the attention cybercrime receives, boards are still making these five cybersecurity mistakes.
1. Skipping Cyber Risk 101
The National Association of Corporate Directors (NACD) reports that one out of every five board directors isn't happy with the quality of cyber risk data they get from management. In addition, NACD reports that 42% of board directors felt their companies were properly secured against a cyberattack in 2016, and that the percentage dropped to 37% in 2016.
These statistics indicate that boards need a better understanding of the cyber risk landscape. On the whole, board discussions about cyber risk are too vague. This is, in part, because boards lack the cybersecurity vocabulary they need to oversee cyber risk effectively. Board directors, and executive committees in particular, need to be able to identify their company's vulnerabilities and assess its security capabilities with those vulnerabilities in mind.
Specifically, boards need to know what they are protecting and who the potential attackers are, and they need to have plans in place to defend against attacks.
2. Failing to Prioritize the Most Valuable Assets
Cyber risk is a complex and far-reaching problem. Short of a major financial investment in cybersecurity, it's impractical for boards to guard against every identified risk equally. Instead, boards need to build their strongest defenses around their most valuable assets.
Boards need to take a risk governance approach to cybersecurity planning that includes:
- Reviewing the potential effects of cyber risks and cybersecurity on their short- and long-term goals.
- Evaluating security policies, protocols and procedures that could be affected by a cybercrime.
- Prioritizing assets in relation to potential threats and vulnerabilities.
- Identifying physical protections for computing and network components.
- Assessing security devices, remote access systems and network device management systems and comparing them against business and network requirements.
- Evaluating the company’s culture around training for employees in security awareness.
- Reviewing contracts and agreements with vendors and contractors related to cybersecurity.
3. Overlooking the Human Factor
Most cybersecurity experts are keenly aware of a risk that boards are missing even though it is right under their nose: the human factor. A data breach is much more likely to originate from inside a company than from an outside hacker. In fact, 91% of breaches occur as a result of an employee who clicks on an enticing phishing email.
This makes perfect sense, because employees and other people working inside a company have access to sensitive information on a regular basis. Certain industries are especially prone to insider-generated data breaches.
There are many ways that employees can accidentally leak information. They can attach the wrong file to an email, overshare information on social media, or lose their laptop or USB drive. Self-serving employees may believe that insiders are less likely to get caught and deliberately leave a laptop in a crowded place such as a bus station, train station or airport so that a criminal can pick it up.
It’s a mistake for boards to allow their employees to get complacent around cybersecurity by failing to provide the proper culture and training.
4. Falling Victim Without a Crisis Plan
It takes just one look at the statistics in the introductory paragraph to know that it’s not “if” a data breach will happen, it’s “when.” With that in mind, all boards need to assemble an internal team that’s charged with implementing a crisis response plan.
A crisis team should be composed of forensic experts, legal experts, public relations personnel, insurance brokers and operations managers. The team should create an action item checklist and determine who will be responsible for each part of the cyber crisis plan. Crisis teams will need to distinguish breaches by severity and extent, and be flexible enough to tailor their response to the type of breach that occurred. Part of the team's duties should include having a plan to address legal rights, obligations and deadlines. Finally, crisis management teams will need to review and update the crisis plans on a regular basis, because technology-related problems continue to evolve.
5. Siloing the Cyber Risk Discussion
Board discussions surrounding cyber risk protection require complete confidentiality. This gives boards the chance to practice what they preach and ensure that they have processes and systems in place to protect board collaborations and communications as they plan for appropriate cybersecurity.
Cybersecurity starts at the top with a modern approach to board governance. It’s a necessity for boards to be using a highly secure board management software system by Diligent Corporation.
Non-secure personal or business email platforms carry too much risk to be used for sensitive board communications. Diligent Messenger allows board directors to send electronic messages securely across electronic devices. Directors can set their retention controls so that there's no risk of discoverability. They can also set the program to alert them when messages are sent, delivered and read, and to notify them of unread messages and announcements.
It’s also risky to share documents via email and public-use file-sharing apps that lack security. Diligent’s Secure Meeting Workflow was built on the Diligent Secure File Sharing program so that directors can collate, distribute and manage board materials. Both programs integrate fully and securely with Diligent’s market-leading Boards platform for the highest level of security possible.
Governance in the modern world requires boards to correct the mistakes they’ve been making in the area of cybersecurity. Boards need to educate themselves, prioritize cybersecurity plans, address employee training and culture, set up a crisis plan and set a good example by securing board communication channels. Diligent Boards and Governance Cloud are the modern solutions to board cybersecurity issues.