
How do boards of directors make informed decisions on cyber risk?

Picture the scene: your name in the papers for all the wrong reasons…

Employee data lost, customer data leaked online, passwords stolen…the number of data breaches increases every day. As the challenges surrounding information security continue to gain the attention of business executives, security and risk professionals need accurate, traceable and actionable data to reduce cyber risk effectively.

You may think you have it covered, but being able to provide accurate analysis and appropriate communication of security metrics to the board of directors is a critical component of how IT and security executives reduce cyber risk.

In a recent survey I was reading in the security news, cyber risks were the highest priority for 26% of board members surveyed, while other risks such as financial, legal, regulatory, and competitive risks were the “highest priority” for no more than 16% to 22% of respondent organisations.

40% of IT and security executives agreed that the information they provide to the board contains actionable information. Eight out of 10 employ manually compiled spreadsheets to report data to the board. And finally, more than one-third of respondents said they did not even know all of the data breaches that occurred within their organisation!

A breach impacts the whole organisation, so all senior executives need to understand the threats and be aware of the risks – even more so in today’s data-driven world. Data risk is now the primary concern of executives, and if we all agree that a breach is inevitable, the best stance for security teams is to better manage data risk.

With the General Data Protection Regulation’s (GDPR) imminent implementation introducing major penalties for non-compliance, boards and senior management can no longer ignore this security framework. Businesses will need to take responsibility for the way they collect and process data on European residents (Brexit or no Brexit), and will have to take immediate action to align their business systems with the requirements of the GDPR.

Moreover, the regulation requires that businesses focus on protecting the confidentiality, integrity and availability of the personal data they handle. This means there is strictly no hiding place for organisations that experience a breach of personal data.

Mandatory breach notification rules, common in the US and other countries, are now being introduced into the EU. A company must notify the relevant authorities within 72 hours of discovering the breach. This presents two challenges for organisations: discovering the breach quickly (most breaches are discovered months after they occur; on average 140 days after the intrusion succeeded) and managing the reputational fallout after a breach.

Companies need to plan for a breach and have a well thought-out process – not only for the technical response to the breach, but for dealing with regulator, customer and media concerns. How you respond to a security breach can have a long-lasting effect on the reputation of any business and a powerful impact on customer trust. A complete media blackout while an internal investigation takes place probably isn’t an appropriate response.

As we look back on the past year, one thing is true: no location, industry or organisation is immune from an attack. Even with the strongest defences, you can’t count on not being breached. But you can understand how cybersecurity breaches occur, what types of data present the biggest risk and what you can do to reduce the risk, including accurate analysis and appropriate communication of security metrics.