Corporate data breaches can be costly for businesses: Sony's 2014 data breach cost the firm around $8m for the settlement deal alone. Experian, which recently suffered its own data breach, reported that 73 per cent of businesses had developed a data breach response plan in light of the increasing threat of attacks, writes Charlie Horrell, MD EMEA of Diligent.
The Ponemon Institute found that 70 per cent of board members were confident that they understood the security risks faced by their organisations. However, only 43 per cent of IT security professionals thought that their board was informed about threats. Cyber security issues are often complex and require both training and experience in the sector to understand (something which many board members understandably lack). Yet it can also be hard for those well versed in security risks to communicate those risks in a way that is both meaningful and actionable for board members, who ultimately hold responsibility for compliance and security. Both the board and the IT team need to find a way of meeting the security needs of the organisation while continuing to focus on and support its overall goals. Successful cyber attacks are costly to the reputation of the organisation, but there are actions that organisations and executives can take to mitigate the risk.
Bridge the gap
Organisations should consider having a member of the board who is well versed in cyber security issues: someone who can bridge the knowledge and communication gap between the board and the organisation’s IT department. Recruiting or training an expert in corporate IT security will help the board identify potential risks, and evaluate the costs of protecting the network compared to the potential costs of a breach. The board may even wish to elect a subcommittee which is dedicated to the analysis and assessment of cyber risks, ensuring that there is always someone trying to balance security with the overall goals of the organisation.
For board members, time is always a consideration. As much as some individuals may think that they keep themselves informed about the latest cyber security threats, there will be gaps in their knowledge. The IT department should play its part in keeping board members informed of the latest risks. Without this knowledge and understanding, the board cannot be expected to make the decisions that will protect the organisation in the long run. Monthly or quarterly education campaigns can be effective, especially if the organisation isn't able to appoint a cyber security expert to the board. This will help the board create a culture that is both willing to ask the tough questions and to listen to the experts when it comes to IT security risks.
Culture of compliance
Boards that care about security and compliance create policies which make it quick and easy for employees to do the right thing. Creating a culture that values compliance over shortcuts helps to create an environment where security is valued throughout the organisation. The organisation can begin by implementing certified, compliant systems to monitor risks, and by setting and enforcing guidelines. That doesn't mean creating cumbersome processes: secure data-sharing software that lets employees collaborate and share sensitive information with ease can be extremely simple and user-friendly. Creating a culture of compliance promotes a relationship of trust between the board and the IT department, where the IT team knows that the board takes security risks seriously, and the board realises that the IT department is working for the improvement of the organisation as a whole.
Technology is always changing. Tablets and smartphones are ubiquitous, and employees are bringing them into the office, along with the various other connected devices that we all now use in our daily lives. As the use of connected devices continues to expand, so does the associated risk to the organisation's network. While employees may come to expect to be able to use their own devices for work, the board has a responsibility to ensure that best-practice guidelines are created and adhered to when deciding whether or not these devices should be permitted to connect to the network.
Boardroom communications don’t exist within a vacuum. The board must develop a relationship of trust and respect with the IT department to ensure that they understand, and are prepared for, evolving security risks. If the organisation is serious about security, this attitude of co-operation has to start at board level to encourage adoption at all levels.