Board Agenda
Why directors should learn to love cybersecurity

by Brainloop (sponsored)

It’s time for boards to take control of their organisations’ cybersecurity at a time when the threat to data security has never been so severe.


Beyond core company growth and profit, board directors have plenty of competing priorities they “must” attend to, such as regulatory change, the digital economy, culture, diversity, investor relations, political events like Brexit…the list goes on. And cybersecurity should be in there somewhere.

It’s tempting, even logical, to delegate some of these issues, or to streamline them into a “tick-box” compliance approach, especially the more technical risks like cybersecurity. But when it comes to information security, that would be a mistake for two reasons: there has been a sudden surge in cybercrime in 2016/17 that requires a C-suite response; and there is the sobering fact that, year after year, failing to “own” cybersecurity has cost a succession of CEOs their job.


That roll-call of resignations grew recently: Richard Smith, CEO of global credit-scoring firm Equifax, quit in September after hackers accessed the personal data of 145 million customers—a disaster for a company whose whole raison d’être is safely managing data.

Smith is not alone. Last year, Walter Stephan was fired after 17 years as CEO of Austrian aerospace parts manufacturer FACC because of an email “phishing” scam that cost his company nearly £40m.

But perhaps the biggest victim of all was Gregg Steinhafel, who stepped down in 2014 as CEO of giant US discount retailer Target, after a massive hack attack exposed the credit card or other data of up to 110 million customers.

Learning the lessons

It’s vital that board directors learn from these failings, at a time when the cyber-threat has never been more severe. Hackers used to target single companies, but now they have gone global. The WannaCry ransomware attack in May hit roughly 200,000 organisations in 150 countries, including much of Britain’s NHS, while follow-up malware NotPetya affected 60 countries.

This prompted a warning in September from Rob Wainwright, head of the European police agency Europol: “The global impact of huge cybersecurity events such as WannaCry has taken the threat from cybercrime to another level. Major businesses are now targeted on a scale not seen before.”

Indeed, Lloyd’s of London recently calculated the cost of a likely future global cyberattack at a staggering $53bn—about equal to the damage caused by Hurricane Sandy in 2012, putting cyber-risk on a par with a full-blown natural disaster.

So how can board directors respond? Some core advice comes from one CEO who actually held on to her job despite the hackers’ best efforts. In 2015 Dido Harding survived as head of UK telecoms company TalkTalk after 150,000 customers’ bank details were stolen, because she learned one key lesson: “Business leaders want to abdicate responsibility for cybersecurity, but they can’t. And I learned that in the heat of battle.”

Her message, echoed by cybersecurity experts, is that most boards are still not taking cybersecurity seriously enough. Instead, directors should lead by example. How exactly? This can be summed up in three actions:

1. Get involved

The most important thing a director can do is to take information risk seriously in their own job. Don’t delegate: set an example on security and the rest of the business can follow.

Take core information like board packs. How many directors still access this data via unsecured private email accounts (despite the hugely damaging controversy surrounding Hillary Clinton’s use of her private email for official business)? Or worse still, on paper? And how many directors still store sensitive information in more vulnerable external systems like OneDrive, Google Drive, Dropbox or Box.com?


There are digital products available, like Brainloop, that enable management teams to securely store and share documents, internally and with auditors and other outside parties.

As Brainloop MD Mark Edge explains: “Brainloop builds in security from the ground up to protect an organisation’s most sensitive information, including best practices like encrypting the data being distributed, and functionality tailored to the permissions that each employee, business partner or board member has been given.”

Emma Sloan, deputy company secretary at Brainloop customer Thames Water, confirms: “With the Brainloop Board Portal, we are able to securely build and manage board packs from home or any other location or device. And this is a huge benefit.”

It is all about behaviour and culture: board directors who embrace cyber best practice set a standard that starts at the top and filters all the way down. Lead by example.

2. Get informed

Learn about the growing cyber-threat and respond to it in a practical, targeted way. For example, people are a key security risk for companies, and making sure employees act in the right way is just as vital as any technical response to cyber-risk. It’s known as “securing the human”, and board directors can play a key role in ensuring this happens.

Crucially, phishing scams are still the root cause of most data breaches, where staff are fooled by plausible emails into opening malware-laden documents that infect their computer, then the whole corporate network. Or employees are conned by email scams, like the one that lost FACC CEO Walter Stephan his job. (In his case it was a “whaling” not phishing email because it hooked a bigger fish.)

So, train your staff to be cyber-aware. Make sure your IT team runs regular tests across the business, to alert employees to the risk. Ensure IT knows where all your data, servers and devices are, who has access to them and how they are protected. And make sure they “patch” all software regularly, because most attacks are preventable: Verizon estimates that 85% of successful cyberattacks are caused by just ten known bugs that any organisation could readily patch and protect itself against.

3. Get innovative

It’s virtually impossible to be immune to cyberattacks. Directors must simply manage the risk involved as best they can. So challenge your tech team to see what more they can do. Look back at any past breaches or attacks: what can you learn?


Test your cyber-defences with “red teaming”, where outside security experts mount live hack attacks on your network to expose weaknesses. This will help you and your cyber team understand the threats to your networks, and actively protect against them. But you also need to ensure that you are prepared for what to do after a breach.

As governance expert Lee Edge, director at GRC Edge Consulting, advises: “Deniability is too easy. The board should understand the key first actions required in the event of a breach and should have carried out a test. Engaging with contacts within your legal department, insurance and law enforcement should form part of your disaster-recovery testing. Know who you will be reaching out to!”

Bigger threat

The cyber-risk is growing, and current business trends mean it will only get worse. More data is being moved outside organisations: into cloud storage; shared with customers and global supply chain partners; or held on mobile devices used by staff outside the corporate perimeter.

And there are whole new levels of risk and vulnerability from the digitisation of business: Gartner predicts there will be 20 billion “connected” devices worldwide by 2020, as e-commerce and online information sharing become ever more widespread.

All this means that organisations are increasingly vulnerable to hackers infiltrating them via an attack on one of their partner companies or customers, as happened to Target in the US. As Lee Edge warns: “Boards need to be aware of the impact of not only cybercrime against themselves but also their third parties. Third-party risk management teams should ensure they have carried out cyber due-diligence where possible.”

What is more, the cost of neglecting cybersecurity is rising, as new data protection regulations, such as Europe’s forthcoming GDPR (General Data Protection Regulation), come into force. From April 2018, GDPR will levy fines of up to €20m or 4% of annual turnover on businesses that fail to follow data privacy and protection best practice.

Perhaps even more significantly, it mandates reporting of breaches. So it is no longer an option to sweep this under the rug.

Yet in the face of this, fewer than half of boards are involved in their cybersecurity strategy, according to PwC. Communication with staff, IT and customers is vital. Directors can demonstrate their leadership by “owning” cybersecurity themselves, and by demanding that others do the same.

This article has been prepared in collaboration with Brainloop, a supporter of Board Agenda.

Autumn 2017, cyber-risk, cybersecurity, data security, General Data Protection Regulation, information security, Technology
