Cyber security advice for boards: Pursue growth in an environment of escalating cyber threats

Cyber security advice for boards is critical: the cost of cybercrime is projected to surpass $8 trillion. To put this in perspective, that figure exceeds the national GDP of every country except the U.S. and China.

You may be asking: How did we get to this point? Let’s start with a hard truth. Every action you take — from acquiring a new company to launching a new customer portal or hiring a hybrid worker — expands your attack surface and creates new entry points for attackers.

Bad actors are taking advantage of this new reality, as evidenced by recent data:

  • The average cost of a single data breach is now $4.35 million
  • Cyberattacks in the first half of 2022 rose by 42% compared to 2021
  • More than 40 billion devices will be connected to the internet by 2025


Retreating in fear is not the right choice. All enterprises have goals for growth, which means expanding digital infrastructures and connecting to more customers, partners and workers worldwide. This makes cybersecurity more than a preventive measure — it’s a core enabler of growth that must be planned, funded and embedded in every department across the enterprise.

In addition to these escalating threats, boards need to be aware of emerging regulations related to cybersecurity, which will require regulated entities to adopt policies and procedures for responding to cyber incidents. Rules are also tightening worldwide, with the U.K.’s proposed audit reform bill, expanding privacy laws in Australia, and ASEAN regulatory changes focusing on cybersecurity for critical infrastructure.

Compliance will not be simple: the rules are likely to cover incident information received from third-party institutions and to impose requirements for reporting cyber incidents to customers and regulators.

Given the importance and ubiquity of cybersecurity, it’s the board’s role to ensure the organization is fully prepared to mitigate threats and respond effectively during a successful attack. This requires a robust strategic plan that can be led by the CIO or CISO but must engage leadership from every part of the organization.

While the technical and operational details of a plan should be owned and executed by the organization’s cybersecurity professionals, CEOs and board directors need enough cybersecurity understanding to approve plans and budgets dedicated to mitigating risk. Leaders from every department need modern data collection and reporting tools that paint a clear and concise picture for the board.

In addition to regular reporting, here are six key considerations for your board as it works toward consistent growth while mitigating threats:

1. Prioritize your assets

It’s nearly impossible to protect every element of an enterprise equally well. Most organizations have sprawling digital infrastructures that connect workers, customers, business partners, systems and machines.

It’s up to the board to understand the value of assets across the enterprise and prioritize which ones must be protected. Identifying the “crown jewels” is an essential first step that requires a deep understanding of how the enterprise operates today and what it will need moving forward.

2. Understand your security infrastructure

Selecting security technologies, deploying a tech stack and monitoring its effectiveness are all responsibilities of CIOs, CISOs and IT teams. However, the board needs to understand the strategy behind the technology and the plan for staying resilient as attacker tooling and techniques continue to evolve.

The teams preparing reports for board meetings need modern tools to collect data from these various systems and turn that raw data into meaningful insights. Organizational threats are constantly evolving, and directors need real-time insights to ensure they provide practical guidance.

3. Plan your response to a breach

Boards need to be prepared for successful ransomware attacks and other intrusions because it’s likely one will occur. Does the organization negotiate with attackers? Pay them? How are communications with shareholders, customers, business partners and media managed? Settle these questions in advance with legal counsel, since paying a ransom can carry legal and sanctions exposure in some jurisdictions. Having a detailed plan is essential.

If an incident occurs, you might not follow the script precisely — but it will provide a necessary guide. A crucial part of the plan is defining the board’s role in the event of a breach. Communicating with the most essential stakeholders typically falls to the board.

4. Develop detailed recovery plans

How your business recovers from a cyber incident largely depends on the recovery plans in place. However, many executives we’ve interviewed have yet to test their business recovery plans.

Boards want to know who “owns” business recovery, whether there is a planned response and whether it has been tested against a cyber incident. Start developing a plan, assigning roles and responsibilities, and testing the plan now to minimize the impact of potential incidents.

5. Add a cybersecurity expert to the board

New regulations will require some organizations to designate a cyber expert and disclose that person’s credentials.

To be considered an expert, a director needs clear cyber credentials, such as a security clearance, experience working for a cybersecurity firm, or relevant coursework.

It may be valuable to the board to bring in outside experts, such as cybersecurity forensic firms, outside accounting firms and law firms.

6. Prepare for proxy season

Securities and exchange commissions could require regular and periodic updates on cyber processes and policies. When preparing your proxy statement, it’s advisable to disclose more rather than less.

For example:

  • Describe precisely how your board oversees cyber risk
  • Identify who presents to the board on cyber matters
  • Provide an overview of your IT and cyber organization
  • Explain the current breach protocol and whether the organization has performed tabletop exercises

Explore IT risk management solutions from Diligent

Cybercriminals deploy best-in-class technology to attack your infrastructure. You should do the same to protect your enterprise.

Diligent IT Risk Management protects against costly data breaches, penalties and reputational damage. Organizations worldwide use our technology to avoid emerging cyber risks and empower their boards and enterprise leaders to make informed risk decisions.

Interested in how the Diligent platform can bring the next level of cybersecurity to your organization? Get in touch.
