Is cyber security on the agenda in your boardroom? In the most recent Cyber Governance Health Check it was found that 33% of boards have ‘clearly set and understood their appetite for cyber risk’, up 18% from 2014.
However, on average only 54% of boardrooms ‘hear about cyber security twice a year’, or only when there is a cyber security incident, which shows that not everyone thinks this issue is worthy of discussion at this level.
Is Cyber Security Just A Job For The IT Department?
While large enterprises attract the headlines when it comes to data breaches and the disruptive consequences of a cyber attack, SMEs are far from exempt. In fact, the latest Government Security Breaches survey paints a very different picture, with 74% of SMEs reporting a security breach in the last year and SMEs being specifically targeted by cyber criminals.
Encouragingly, we’re seeing more interest from directors and senior business leaders, who are registering for our workshops that address SME vulnerabilities and how to develop a cyber security strategy to reduce these risks. However, we still come across the mindset that security is a job for the IT department, not a business-critical factor that needs a top-down approach.
A successful cyber security strategy needs buy-in from the board to ensure that security policies are implemented across the organisation, promoting a culture of awareness and prevention. Your IT department can install security measures to protect systems and information, but as the biggest threats to your business are actually your employees, IT security solutions such as firewalls and anti-virus software are not effective on their own.
Instead your IT team, whether internal or outsourced, needs sponsorship from the board. This means a place at the boardroom table and an understanding of how IT and security play an important role in business operations and strategy. Not addressing security issues effectively could cost your business significantly. We’ve explored before in this blog the cost of a data breach in terms of downtime, loss of productivity, and the expenses to rectify a cyber attack; but you must also factor in fines from the regulator if you operate in regulated industries, loss of clients, and stiffer fines from the EU under new data protection laws coming into play in 2018.
While larger businesses may be able to swallow the associated costs of a serious data breach or cyber attack on their businesses, can you?
How To Get Buy-In From The Board
The first step to developing a robust cyber security policy comes when board members understand the implications of an attack. Again, especially for those in regulated industries, non-compliance is extremely serious for both the organisation and individuals, and senior managers can no longer say that they were unaware of security risks. Understanding how a cyber attack can impact an organisation and its representatives certainly focuses the mind! Sadly, this understanding often comes only once an attack has been experienced first-hand.
Secondly, board members need to understand where those vulnerabilities lie so they can support their IT team, trainers and other key people within the organisation. The most significant cyber threat to SMEs is their own staff providing a gateway into the organisation’s networks and systems. This may be through inadvertently clicking on a link to malware or sharing passwords and other critical information inappropriately.
Fortunately, this is one area of IT security that doesn’t involve throwing money at the problem only to be thwarted by a newly emerging cyber threat. Training and awareness exercises for the benefit of all employees, including senior board members, will ensure that everyone within an organisation is vigilant and proactive about keeping sensitive, business-critical information safe. However, this can only be achieved with the support of the board, leading by example and making security part of organisational culture.
Regular health checks, risk assessments or audits, formal written cyber security policies, as well as business continuity and disaster recovery plans are all important aspects of this, ones that directors and other stakeholders should welcome in the boardroom.
For more details about our cyber security workshops designed specifically for directors and senior executives click here.