Evolving boardroom strategies in the era of disruptive cyber security risk
Several factors demand a board's attention, such as gauging corporate culture and paying heed to cultural problems, if any. Institutional investors are pushing for board diversity and for the value a director can add to their long- and short-term strategy by maximizing effectiveness.
Innovating by embracing technology, increasing productivity, absorbing market volatility, aligning organizational growth and keeping pace with regulatory requirements are concerns that the evolving board members of any organization are working to resolve.
Although the aforementioned parameters are critical to the success of any organization, cyber security is the centrepiece of discussion in today's boardrooms. Yet boards have very limited awareness and understanding of the issue, and an almost negligible understanding of the incident management needed to handle a severe crisis.
Every organization has critical assets that give it a competitive advantage. Cyber criminals are always on the hunt for these critical assets, with various motivations such as financial, espionage, fun, ideology, convenience etc. According to the Verizon 2018 Data Breach Investigations Report (DBIR), there were more than 53,000 cyber incidents and more than 2,200 data breaches across 65 countries. Although the numbers are staggering, what is important to understand is that the issue is not limited to security professionals: awareness has to be raised amongst staff, senior management and the board of directors so that they can respond to such crises in the future.
Cyber criminals are still finding a great amount of success because we still haven't learnt from our mistakes. Email is still the largest threat vector, as employees fall prey to phishing campaigns. According to the Verizon 2018 DBIR, 4% of employees still click on any random phishing campaign. The most astonishing finding from this data is that the more phishing emails someone has clicked, the more likely they are to do so again.
Although ransomware has taken the limelight in the last year or so as one of the top threats, cyber criminals have taken their game up a level by using cryptomining malware.
A recent report from Kaspersky Labs indicates that cyber criminals have progressively turned to cryptomining malware as a way to control the processing power of large numbers of computers, smartphones and other electronic devices to help them generate revenue from cryptocurrency mining. A single cryptocurrency mining malware can net cyber criminals more than $30,000 per month. It takes cyber criminals barely a few minutes to gain access to and take control of a system, while it typically takes an organization months to discover the breach.
Cyber security is constantly evolving, yet boards of directors still feel their organizations have taken steps to protect themselves from such incidents. The reality check comes when such an incident occurs: there is severe reputational and financial loss to these organizations, resulting in a major reshuffle of management and board members. With more than 53,000 incidents this year, the focus for board members is to take preventive action and also to get involved with the audit committee, which is usually responsible for handling such events.
More organizations are moving towards cloud-based applications, and employees are increasingly working from multiple devices with the same credentials. Hence there is an immediate need to address this issue through a multifaceted, layered approach. The top brass should consider the organization a fortress that needs to be protected from hackers. The board members should have a war strategy in place, which is the policy and framework for cyber security in the organization. This should be reasonable, well documented and implementable, and should ideally be championed by them to inculcate a risk-averse culture within the DNA of the organization.
There are other questions which board members need to ask and be aware of in order to have a robust strategy for cyber security operations. They need to proactively assign a committee to monitor and manage cyber threats, forming a steering committee that gives complete visibility through regular reports on the state of cyber security within the organization. They also need to understand from the committee how well the organization tracks digital information, identifies key risk indicators and maintains its overall security posture. Are employees and staff members well informed, educated and trained on threats pertaining to their industry and to the organization at large?
To conclude, expectations from board members are increasing and they are embracing the change, but they need to listen, ascertain and engage more, and respond swiftly and adeptly, if they are to address cyber security risk and stay resilient.