Is Your Board Ready for a Cyber Attack? - Part 1
July 18, 2016
When was the last time you checked up on your Board? Are they allocating enough resources and time to protect your company against cyber-attacks?
Protecting company assets and customer information is a job that falls directly into the hands of your company’s board members, meaning cybersecurity awareness is a substantial part of the Board’s job. Attacks unfortunately happen far too often, in companies of all shapes and sizes, which has made cyber readiness plans essential for entire companies to take an active part in, especially senior executives and boards. Though we have written about cybersecurity and readiness tips in the past (check out our whitepaper, “2019 Cybersecurity Update - Own IT, Secure IT, Protect IT”), it is still VERY important that you conduct a detailed review of whether or not your board is adequately prepared for the unfortunate possibility of a cyber-breach.
How do I know if my board is ready?
The board should have a high-level understanding of the nature of cyber-risks facing the company.
There are several things you should make sure your board has discussed and implemented in order to protect corporate assets, reputation, and goodwill. A framework called “The Cybersecurity Framework” holds that all boards must ensure they have:
- Full report of the company’s IT systems- In order to properly manage risk (one of the main functions of the board) your board needs to have a comprehensive report of all current information technology systems. This means knowing the ins and outs of the business’ overall IT strategy. What are the strengths of the system? And the weaknesses? How does the company stand in relation to the industry at large?
- Enough time to discuss cybersecurity issues as part of the agenda- Protecting confidential information is a big priority for all boards, so attending to and managing cybersecurity should take up a sizable portion of the board’s agenda. Allocating this time shows the rest of the company and senior management that cyber awareness is vital for the success of the entity. Boards should regularly share information about patterns they notice over time with cybersecurity issues. Many companies enlist the help of their Boards to conduct periodic risk assessments; the boards are able to use this information to address the ongoing needs of the organization.
- Access to technological expertise- Even though the board itself might not be technologically inclined, it must be well advised on who has that expertise on the management team. These individuals should be easily accessible, too. Is a specialized committee focused solely on cyber issues necessary for the betterment of the business?
- IT security budgeting- You must ensure sufficient resources are allocated to cybersecurity risk management as well as to the cybersecurity policies you have implemented or need to implement. Boards might need to take certain things into account when creating budgets, too—Does your company need to hire additional personnel, for example? What about IT equipment?
- IT insurance- Consider purchasing cyber insurance, which can be helpful in your prevention efforts. Cyber insurance policies can be purchased to cover costs your company might face due to a breach, including notification of affected clients, standard investigation expenses, public relations expenses and costs associated with credit check protection. By no means is cyber insurance a surefire way to safeguard your business entirely; understand what gaps and challenges still remain even after implementing insurance. Cover all your bases.
These tips are merely a rough guide to what your Board should be doing. Since different forms of attack are emerging daily, it is important for your Board to be flexible and adapt policies as new threats materialize. Stay tuned for tips 6-10 in our upcoming blog.
Contact any member of our Information Security Services Team for more information.