May 15 — The role of the CISO has never been more central to the success of an organization. However, cyber security no longer falls under the purview of technology professionals alone. Because cyber risk is a key driver of business growth, business opportunities, and business setbacks, senior executives and board members are expected to weigh in on cyber risk management.
In the past year, 20% of organizations experienced cyber breaches. Only 38% of organizations say that they’re prepared to handle a sophisticated cyber attack. Thousands of cyber attacks occur each day and large cyber incidents continue to make headlines regularly.
Are those numbers partly the result of many boards still struggling to understand cyber risk and where greater oversight is needed? Board members should be sure to know about the following key threats, as each can quickly undermine individuals and the organization as a whole:
- Phishing and spear phishing attacks. Because board members are often high net worth individuals, they are attractive targets for cyber criminals. Attackers may directly target a board member's email account, send phony text messages impersonating other individuals, or attempt to impersonate the board member. To combat this, board members should ensure that their computers and phones run security software, that email spam filters are in use, that passwords are kept secure, and that supplementary measures are taken to protect their digital identities.
- Ransomware and extortion. Ransomware attacks continue to make headlines on a daily basis, yet organizations often see them as a distant possibility instead of an impending reality. A ransomware attack can translate into short-term pandemonium, productivity stoppages, financial losses, insurance claims and other serious challenges. Boards should ensure that the organization follows the 3-2-1 data backup methodology (three copies of the data, on two different media, with one copy kept off-site). In addition, boards are advised to review the organization's incident response plan on an annual basis.
- Third-party risks. Many organizations are proud to be allied with external entities, including supply-side partners, service providers, vendors, consortia and investors. However, successful business partnerships rely on controlling security threats and maintaining positive reputations all around. Corporate boards need to consider annual cyber security audits of third-party groups. Third-party vendors must adhere to corporate security policies, so as to ensure that a 'domino effect' attack does not put a series of connected organizations out of commission.
There are many areas of cyber risk oversight for boards to consider. The ones above should be addressed sooner rather than later. For more insights into how the board should be involved in cyber risk governance, please see CyberTalk.org's past coverage. Lastly, to receive cutting-edge cyber security news, insights, best practices and analyses in your inbox each week, sign up for the CyberTalk.org newsletter.