In this digital age, technology wields the power to open new business avenues for companies, but it also presents new challenges for cybersecurity protection. With so much of today’s markets dominated by digital assets, managing cyber risk has become an increasingly important and tricky topic for boards to navigate.
Boards play an indisputable oversight role and must be well-equipped with the right tools to guide management on developing a cohesive cyber risk framework. This begins with learning the language and acquiring the technological skills necessary to ask the right questions and set the tone that cybersecurity is a key issue to the entire enterprise, not just the IT department.
Understanding the Importance of Cybersecurity
Cyber breaches are one of the greatest risks a company faces today and can be detrimental to a firm’s productivity, reputation, and competitive insights. In fact, according to IBM Security, the average cost of a data breach in the U.S. totaled 3.2 billion USD in 2019. Thus, the board must prioritize data protection when it comes to risk management and ensure that the entire company is on the same page about the importance of cybersecurity.
This begins with tone at the top. Setting the right tone is a critical first step that many companies neglect to take. It is one of the most important things boards should do to develop a cohesive risk program and align their goals with the management team. Each board member is responsible for understanding what controls and protection measures the company has in place in case of a technological breach.
These measures should be frequently discussed and integrated into meetings concerning risk management in an attempt to consistently improve upon them. Technology is inextricably intertwined with risk management; thus, learning to initiate and prioritize discussions about cybersecurity is a beneficial measure that will help the company better protect its intellectual property, data records, and customer information.
Boards that send this message out across all internal branches of the company ingrain cybersecurity into the main pillars of the company’s principles and develop a stronger brand image that is reflected to its consumers. Consumers, in turn, gain a stronger sense of trust in the company and can worry less about their sensitive information getting leaked.
How Boards Can Improve Cyber Risk Oversight
Build cyber resiliency from the beginning:
As the technological landscape continually evolves, so does the cyber risk landscape. Therefore, companies must incorporate building cyber resiliency into the foundation of any new initiative or company change. Whenever a new app or software is put in place, whenever a new M&A is being reviewed, whenever a new product is developed, boards should identify the cyber risks that accompany it and bring them to the C-Suite’s attention. All too often, executives direct major company changes without addressing how the cybersecurity framework should adapt to these changes, due to lack of time, resources, or a fear of lost efficiency. Addressing any redesigns in cybersecurity implementations up front will eliminate the issue of running into business slowdowns later on.
Prioritize the most important assets:
Boards should focus their attention on protecting the company’s greatest assets by dollar value and know where to invest in risk mitigation. It is good practice for boards to create an inventory of all of the company’s assets that are susceptible to cyber risks, and rank them in terms of importance. Not all assets can be protected equally due to resource constraints, so it is the board’s responsibility to optimize between resource allocation and cyber protection.
Have various crisis response plans ready:
Even the best boards can only mitigate, rather than eliminate, cyber risk. Therefore, developing a strong crisis response agenda is an indispensable step for boards to take. Companies will always be susceptible to data breaches or losses due to technological issues, so they must be well prepared to tackle these cases with emergency measures in order to minimize losses and recover damages quickly. In creating crisis response plans, boards should consider how various cyber breaches might affect company brand, external partners, competitor advantages, and ransomware policy.
Strengthen communication platforms:
Moving forward into 2020, companies should no longer be using email to send sensitive documents. Email is notorious for falling victim to phishing attempts and is one of the main sources of successful company hacks. For this reason, board members and C-Suite executives should exclusively use encrypted messaging platforms for all communications. While some companies may consider this a costly measure, investing in the right cloud platform will save the company millions in legal fees and data recovery costs down the road.