Cybersecurity Is A Boardroom Blind Spot

Is cybersecurity on the agenda in your boardroom? In the most recent Cyber Governance Health Check it was found that 33% of boards have ‘clearly set and understood their appetite for cyber-risk’, up 18% from 2014.

However, on average only 54% of boardrooms ‘hear about cybersecurity twice a year’ – or when there is a cybersecurity incident, showing that not everyone thinks this issue is worthy of discussion at this level.

Is Cybersecurity Just a Job for the IT Department?

While large enterprises attract the headlines when it comes to data breaches and the disruptive consequences of a cyber-attack, SMEs are far from exempt. In fact the latest Government Security Breaches survey paints a very different picture with 74% of SMEs reporting a security breach in the last year, and SMEs being specifically targeted by cyber-criminals.

Encouragingly, we’re seeing more interest from directors and senior business leaders registering for our workshops that address SME vulnerabilities and how to develop a cybersecurity strategy to reduce these risks. However, we still come across the mind-set that security is a job for the IT department, not a business-critical factor that needs a top down approach.

A successful cybersecurity strategy needs buy in from the board to ensure that security policies are implemented across the organization; promoting a culture of awareness and prevention. Your IT department can install security measures to protect systems and information, but as the biggest threats to your business are actually your employees, IT security solutions such as firewalls and anti-virus software are not effective on their own.

Instead your IT team, whether internal or outsourced, needs sponsorship from the board. This means a place at the boardroom table and an understanding of how IT and security play an important role in business operations and strategy. Not addressing security issues effectively could cost your business significantly.

As well as considering the expenses to rectify a cyber-attack; but you must also factor in fines from the regulator if you operate in regulated industries, loss of clients, and stiffer fines from the EU under new data protection laws coming into play in 2018.

While larger businesses may be able to swallow the associated costs of a serious data breach or cyber-attack on their businesses, can you?

How to get buy-in from the Board

The first step to developing a robust cybersecurity policy comes when board members understand the implications of an attack. Again, especially for those in regulated industries, non-compliance is extremely serious for both the organization and individuals, where senior managers can no longer say that they were unaware of security risks.

Understanding how a cyber-attack can impact on an organization and its representatives, certainly focuses the mind! Sadly, this often comes only once an attack has been experienced first-hand.

Secondly, board members need to understand where those vulnerabilities lie so they can support their IT team, trainers and other key people within the organization. The most significant cyber-threat to SMEs is their own staff providing a gateway into the organization’s networks and systems. This may be through inadvertently clicking on a link to malware or sharing passwords and other critical information inappropriately.

Fortunately, this is one area of IT security that doesn’t involve throwing money at the problem only to be thwarted a new emerging threat. Training and awareness exercises for the benefit of all employees, and senior board members, will ensure that everyone within an organization is vigilant and proactive about keeping sensitive, business-critical information safe. However, this can only be achieved with the support of the board – leading by example and making security part of organizational culture.

Regular health checks, risk assessments or audits, formal written cybersecurity policies, as well as business continuity and disaster recovery plans are all important aspects of this, ones that directors and other stakeholders should welcome in the Boardroom.

Sign Up for Cyber Security Intelligence Board Reports

Infosecurity Magazine

« Half UK Employees Have No Cyber Security Training
Companies See Cyber Threats But Can’t Deal With Them »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

LRQA

LRQA

LRQA are a leading global assurance provider, bringing together unrivalled expertise in certification, brand assurance, cybersecurity, inspection and training.

Telefonica Tech

Telefonica Tech

Telefónica Cyber Security Tech is focused on the prevention, detection and appropriate response to security incidents aimed at protecting your digital services.

CERT-AM

CERT-AM

CERT-AM is the national Computer Emergency Response Team for Armenia.

AppSec Labs

AppSec Labs

AppSec Labs specialise in application security. Our mission is to raise awareness in the software development world to the importance of integrating software security across the development lifecycle.

Graphus

Graphus

Graphus provides a simple, powerful, automated solution that eliminates 99% of social engineering and spear phishing attacks against G Suite business Gmail users.

Ergon Informatik

Ergon Informatik

Ergon Informatik AG is Switzerland's leading provider of customised software solutions and software products including fraud detection and the Airlock web security suite.

Callsign

Callsign

Callsign’s mission is to seamlessly power the identification of every web, mobile and physical interaction.

Polyrize

Polyrize

The Polyrize continuous authorization platform for SaaS and IaaS stops tomorrow's public cloud cyber threats, today.

VIQU Recruitment

VIQU Recruitment

VIQU Recruitment was formed with the primary focus of providing 'Smarter People Solutions' to the UK’s professional IT & Cyber Security markets.

TechDemocracy

TechDemocracy

TechDemocracy are a trusted, global cyber risk assurance solutions provider whose DNA is rooted in cyber advisory, managed and implementation services.

AirITSystems

AirITSystems

AirITSystems offer companies comprehensive IT security solutions that take all security considerations into account and are tailored to your business.

Hyperion Gray

Hyperion Gray

Hyperion Gray are a small research and development team focused on innovative work in a variety of areas including Software & Security Research, Penetration Testing, Incident Response, and Red Teaming

BridgingMinds Network

BridgingMinds Network

BridgingMinds Network is an industry leading best practices and IT security training provider in Singapore.

Inetum

Inetum

Inetum (formerly Gfi Informatique) is an agile IT services providing digital services and solutions, and a global group that helps companies and institutions to get the most out of digital flow.

J.S. Held

J.S. Held

J.S. Held is a global consulting firm providing technical, scientific, and financial expertise across all assets and value at risk.

OSP Cyber Academy

OSP Cyber Academy

OSP Cyber Academy are a managed service provider of cyber, information security and data protection training.