In a noisy room at London’s Tobacco Dock this week, a team of German computer geeks outdid 16 other teams of tech whizz kids to be crowned winners of the European Cyber Security Challenge.
It’s as well that young cybersecurity experts are being groomed. This week also saw an IT not-for-profit, (ISC)², release research claiming that the global cybersecurity skills shortage now stands at almost three million. It also said 62% of businesses lack the skills to keep online threats at bay.
But how are boards confronting the cyber challenge? In its latest annual survey BDO, a professional services firm, took a close look at US boardrooms and found growing involvement.
In fact, 72% of respondents say their boards are more involved than they were 12 months ago, while 79% say their organisations have avoided a data breach or cyber incident in the past two years. Three-quarters of those polled said their companies boosted their investment in cybersecurity measures in the past 12 months, the fifth year an uptick has been recorded.
All well and good. But the numbers suggest that in places, boards are not quite confronting cybersecurity matters head-on. While many companies shelled out more for better cybersecurity, at least one-quarter had not, despite the rising threat level. Almost one in ten (9%) say their boards are not briefed on cybersecurity at all, while 54% say they are updated only once a year. Just a third (32%) say they are briefed every quarter.
Data breaches
According to Gregory Garrett, BDO’s head of international cybersecurity, data breaches are an “inevitability” in the current environment and clients, investors and law enforcement agencies have high expectations of what organisations should be doing to keep cyber-criminals at bay.
“The board should think of cybersecurity not only as a matter of compliance, but a matter of corporate ethics and trust,” he says.
Kamal Bechkoum, head of business and technology at the University of Gloucestershire, says companies are paying more attention, in the UK at least, for a number of reasons. There is more regulation, which requires compliance, and businesses have become increasingly aware of the potential financial cost of a breach. But the biggest concern is the potential for reputation damage.
Other factors, he argues, will continue to focus minds on cyber issues, including a growing interest in the topic at government level. But there is also a dawning awareness among corporate leaders that business is becoming ever more dependent on networked systems and the internet. The introduction of 5G mobile technology is expected to massively expand global reliance on web-based business models and transactions.
For Bechkoum it remains a worry that in many places cybersecurity is still regarded as a siloed IT issue, instead of a strategic matter for the board’s regular consideration.
He also points to the presence of stubborn complacency. “There is an element of, ‘Yes, the threat is growing but perhaps it won’t happen to me,’” he says. “But that’s lazy intellectual risk-taking.”
Risk to investors
Board members should be wary if that is their approach. Investors have focused their attention on cybersecurity, not least because of the risk to investment portfolios. A study by IT consultants CGI and think-tank Oxford Economics found that severe data breaches cause share prices to fall by an average of 1.8% on a permanent basis.
PRI, a body that campaigns for responsible investment by fund managers, is now coordinating a project among 53 investors—with $12trn under management—to engage with multinationals in the healthcare, financial IT and telecommunications sectors on cybersecurity issues.
In an article for Board Agenda, PRI’s managing director, Fiona Reynolds, wrote: “Questions raised with companies will enable dialogue on whether there is sufficient board oversight on cyber issues, and whether they have sufficient access to internal or external expertise and are taking adequate measures to manage cybersecurity risks.”
That may make for uncomfortable conversations for board members still in denial. Perhaps they should find themselves a champion cyber-geek to spell out the dangers.