Is the BOD MIA on Cybersecurity?
It seems barely a week goes by without news of another cyber breach or vulnerability, yet according to PwC’s 2016 Global Economic Crime Survey, even with cyber crime surging, many companies remain ill prepared to cope with attacks. This disconnect is particularly glaring at the board of directors (BOD) level. According to PwC, though 61 percent of CEOs are concerned about cybersecurity, less than half of board members actually request information about their organization’s state of cyber-readiness.
Though cybersecurity risk directly affects an organization’s future success, and safeguarding that success remains the primary responsibility of any board of directors, the risk remains overlooked at the board level. Because cybersecurity is often seen as a technological problem rather than a risk management issue, boards often fail to require regular review and oversight of their organizations’ security posture. While data breaches may result in part from technological weaknesses, a lack of employee awareness of risky online behaviors or the absence of a cyber crisis management plan, among other factors, can be any organization’s undoing.
The IT department can no longer be expected to solve the problem of cybersecurity alone. It is essential that BODs ask strategic and thoughtful questions about how well the organizations they oversee are able to handle cybersecurity-related issues and planning.
Below are several questions all board members should be asking:
- What is the organization’s most critical data; where is it stored, used and shared; and what are the consequences of it being lost?
- What are the top cybersecurity risks when adopting new technology such as cloud computing and mobile?
- How are employees being educated to raise awareness of threats and risky behavior?
- How are existing defenses tested and what were the results of these previous risk assessments?
- How are cybersecurity governance and legal frameworks managed for the territories in which the organization operates and from which data is collected?
- In the event of a breach, what protocols and procedures (communications and crisis plans) have been developed or tested?
- Has the risk of attack and its potential data loss been measured across the organization’s chain of partners, suppliers and customers?
- When was the organization’s last breach and what lessons were learned as a result?
Cybersecurity is a risk management issue, not a technological one. A data breach can expose an organization to a myriad of liabilities, including business disruption, civil, criminal and regulatory penalties, litigation and permanent reputational damage. In today’s cyber climate, board members should take the opportunity to receive a report on, review and update the organization’s security posture at every meeting.
For more information, read the Forcepoint white paper What Every Board of Directors Should Know about Managing Risk in their Organization.
PwC Global Economic Crime Survey 2016, 16