The more relevant questions today are not whether we will be attacked, or how we can prevent a cyber-attack, but when we will be attacked, and how we can detect the attack and contain the damage.
Cybersecurity is no longer merely an IT risk; it is a business risk. Cyber-attacks cause manifold damage, including but not limited to damage to reputation, reduced customer trust, inability to operate for a considerable period of time, loss of revenue, legal and contractual implications, and the cost incurred in response and recovery.
Over time cyber-attacks have been increasing, and the abrupt changes in the way companies operate brought about by the pandemic have made businesses more vulnerable. To keep going, companies were compelled to adopt various untested arrangements such as working from home, for which most entities were not well prepared and for which their IT practices were never designed. This shift in working style has created more holes in enterprises' defences. While the security posture of businesses weakened, threat actors became more sophisticated. According to IBM's threat report, in 2017 it took an average of 191 days to detect and 66 days to contain a breach; in 2022 it took 207 days to detect and 70 days to contain a breach. Threat actors have become stealthier and smarter.
The longer an attacker stays in the system, the greater the damage it is able to cause.
The cost to respond and recover increases with each passing day. IBM research indicates that the global average cost of a breach is US$ 4.35 million. The average cost of a breach in India is US$2.32 million; lower than the global average, yet still a significant number.
In the case of ransomware attacks, companies are often compelled to absorb an additional cost in the form of the ransom paid.
Cybercrime is now institutionalised; threat actors share information and often collaborate to cause more damage. The malware-as-a-service model is becoming more common, making attacks easier to launch and defence more complicated.
Hackers take many paths into company networks, such as:
- Social engineering
- Accidental loss of a device or data
- Stolen or compromised credentials
- Business email compromise
- Malicious insiders
- Physical security compromise
Reducing an entity's cyber risk therefore requires a multi-pronged approach. Creating multiple layers of security and adopting a holistic approach is important.
Humans are a weak link in the chain. Phishing and business email compromise are attack vectors that hackers have exploited successfully for many years. Ignorance or negligence leads an employee to click a seemingly harmless link to a malicious location, and the damage is then done across the enterprise. A study by Stanford University revealed that 88% of breaches are caused by employee mistakes. Tools alone cannot address this; whole teams need to be sensitised and educated about proper behaviour.
Cybersecurity is not just an IT problem; it is an organisational one.
Cyber risk is not just IT risk; it is far greater. It is a risk to the very existence of the business and its ability to operate.
A risk of this magnitude has to be under the close watch of the Board of Directors. A more cyber-resilient organisation can be created through an enterprise-wide collaborative approach. Cybersecurity has to be the culture.
Boards of Directors are not required to be cybersecurity experts, but they should be aware and vigilant.
Security posture assessment should be a standing agenda item for frequent discussions with the executive team.
A committee or a board member should have specific responsibility for overseeing the company's plans to be better prepared to defend against cyber-attacks.
The executive team should be prompted to draw up a detailed strategy, and the Board should monitor the progress and effectiveness of that strategy.
It is important to identify the critical assets in the enterprise. The Board must review how those assets are being protected. It should assess the layers of security deployed and the policies implemented, to ensure that they are not rendered less effective through negligence.
Creating a cybersecurity culture requires continuous commitment and programmes. It is time consuming but extremely important for building a more resilient organisation. Creating this culture should be under the close watch of the Board; it has to be a top-level initiative. Boards should regularly monitor the policies implemented, the awareness programmes conducted, and the training imparted. The effectiveness and performance of the adopted measures must also be periodically evaluated. Close coordination with the executive team helps in getting better results.
A few questions Boards should regularly ponder:
- What are the critical assets of the organisation, and how are they being protected?
- What measures is the company taking to identify a breach promptly?
- What is the response and recovery plan?
- Do we have an adequate cybersecurity framework in the company?
- Does the company have a clear response plan in case of a breach?
- How would the company manage external and internal communication in case of a breach? What is the plan for communication with customers and other stakeholders during a crisis?
- What is expected of the Board, and what is its role in collaborating with the executive team on the ground in case of a breach?
- Is there a mechanism in place for all breaches to be reported to the Board?
- Are breaches being properly analysed? Some breaches may not have caused immediate financial loss, but they may be a precursor to a major compromise. Is the Board devoting enough attention to these reports in Board meetings?
- What is being done to make cybersecurity the culture of the organisation? Is it enough?
Cyber-attacks can cause huge damage to enterprises.
Damage to reputation, reduced customer confidence, loss of revenue, contractual liabilities, or in some cases a question over the very existence of the business can be the consequence.
A risk of such magnitude must be under the close watch of the Board. Board members need not become cybersecurity experts, but they must be aware of this risk and monitor it closely.
Vigilant and more involved boards can create a cybersecurity culture. A more resilient organisation can be built only through a proactive and holistic approach to cybersecurity. In today's business environment it is a necessity rather than an option.
Sources: Certain figures are taken from the official website of Statista.
Citation: This Insight may be cited as InfEneTy ‘Cybersecurity Calls for Board Attention’ 27.01.2022
Tags: Cybersecurity; Cyber attack; Cybercrime; Business risk; Information technology; Technology; Cyber law