Boards of directors (BODs) have a fiduciary responsibility to shareholders and must take an active role in managing business risk, which involves asking the right questions. A survey was conducted by Harvard Business Review to understand how boards deal with cybersecurity. It found that only 68% of respondents discussed cybersecurity regularly or constantly, while 9% did not discuss it at all. Regarding the board’s role in cybersecurity, responses varied: 50% mentioned discussions about the board’s role, but there was no consensus on what that role should be. What’s more concerning is that 23% stated that there was no board plan or strategy in place.
It is essential for BODs to include cybersecurity in their enterprise risk management process. Cybersecurity should be evaluated and managed in the same way as other business risks. Rather than focusing on returns on investment, the question should be about the potential loss if cybersecurity measures are not implemented effectively. For example, Hilton faced a $700k fine due to a data breach, but with the introduction of the GDPR, the fine could go up to $420 million, not including damage to reputation and other expenses. In short, compromising on cybersecurity is not a viable option.
Cybersecurity Readiness Questions and Checklist
Below is a list of the crucial cybersecurity questions that every organization should be asking.
How exposed to risk are you?
Cybersecurity risk is typically measured by assessing how vulnerable your company and its third-party service providers are to attacks or breaches. It is important to find a balance between your willingness to take risks and your level of vulnerability, and to take appropriate action based on this balance. If you feel that you are facing more risk than you are comfortable with, it is important to implement additional measures to mitigate cybersecurity risks.
How are you keeping up-to-speed with new threats?
It is essential to have a clear understanding of your organization’s ability to defend itself against emerging vulnerabilities and exploits. Incorporating threat monitoring into your cybersecurity measures will enable you to effectively trace and address emerging cyber threats.
Are you aware of both the digital and physical security threats?
With the digitization of processes and operations, the connection of industrial complexes to remote management systems, and the linking of supply chains with automatic ordering and fulfillment processes, cybersecurity has become even more important. Poor oversight can result in more than just fines for inadequate data protection. Directors must understand the full extent of both the physical and digital threats that their organization faces.
Are you aware of the available risk management frameworks?
There are multiple risk management frameworks available for assessing your risk profile and the effectiveness of your cybersecurity strategy. One option is the National Institute of Standards and Technology’s Cybersecurity Framework, which provides best practices for detecting, responding to, and preventing cyberattacks, as well as recovering after an attack. Other frameworks include the United States Computer Emergency Readiness Team’s Cybersecurity Framework and guidelines from organizations like the Cloud Security Alliance, the Open Web Application Security Project, ISACA, and the Federal Financial Institutions Examination Council. These frameworks serve as roadmaps to ensure comprehensive implementation of cybersecurity measures and can aid in achieving compliance.
Are the BODs and the security team communicating effectively?
The goals of cybersecurity professionals and the board of directors differ: cybersecurity professionals focus on the confidentiality, integrity, and availability of systems and data, while the board focuses on risk, reputation, and business continuity. The language used in each field can create a disconnect in understanding, making it harder to address cyber risks. Asking informed questions can help to bridge this gap. The goal is to align both parties towards keeping the organization safe and ensuring operational continuity. Note that C-suite executives and managers should be actively involved in cybersecurity, not just those in IT. It is insufficient to inform executive management about cybersecurity practices once a year.
Are you focusing enough attention on insider threats?
While external cybersecurity threats are well-known and widely discussed, it is equally important to focus on cybersecurity threats that come from within your organization. Such threats arise when individuals with authorized access to networks, systems, or data misuse that access for whatever reason. The significance of addressing insider threats lies in the fact that insiders possess knowledge of an organization’s infrastructure, operations, and sensitive information. Whether intentional or unintentional, their actions can result in significant financial losses, brand damage, compromised data, or even disruption of critical services. By prioritizing the identification and mitigation of insider threats, organizations can enhance their overall security posture and maintain the trust of their stakeholders.
Are you providing adequate training to your employees?
The majority of cybersecurity issues are caused by employee mistakes, according to a study from Stanford University. Therefore, it is crucial for all employees, not just the cybersecurity team, to be educated about cybersecurity threats and best practices. This requires creating a cybersecurity culture, where employees understand and prioritize good cybersecurity hygiene. This does not mean that every employee should become an expert, but rather that they are made accountable for recognizing and reporting any behavior that could be exploited by hackers. Leaders, including the board of directors, play a crucial role in setting the tone and prioritizing cybersecurity within the organization.
Have you tried to think like a hacker?
To effectively protect your company, it is important to understand the tactics used by those attempting to breach its security. This requires a shift in mindset from simply fulfilling security requirements to thinking about security in a comprehensive manner. By adopting the perspective of a cybercriminal, you can identify areas of inadequate protection within your network.
Have you considered the worst-case scenario?
One crucial cybersecurity question relates to the worst possible outcome of a cyber attack. Avoid providing a simple answer like “losing all our data” and think about the implications. For instance, imagine if the attacker exposes sensitive information, leading to hefty fines for the organization. Reflecting on worst-case scenarios and their impact on the business, customers, and partners will aid in identifying necessary safeguards.
Does complying with regulations give you a false sense of security?
Regulatory mandates like HIPAA and PCI prioritize cybersecurity, but compliance does not guarantee true safety. For example, many healthcare organizations that suffered data breaches were still compliant with HIPAA regulations. Compliance should be seen as the minimum requirement, and organizations should go above and beyond to secure their IT assets.
How often do you review, test and update your incident response plan?
You must ensure that your incident response plan covers various attack scenarios, including common cyberattacks, and outlines appropriate responses for each situation. Consider determining when to involve law enforcement, how to notify users and the public in the event of a breach, ways to mitigate damage during a cyberattack, and the specific roles and responsibilities of each responder. It is important to remember that your incident response plan is not a one-time document. You will need to continuously test and update your plan to account for emerging threats and changes in business operations.
Are you assessing the security of your vendors and other third parties?
When collaborating with external companies, it is important to consider the sensitivity of the information you share and the level of access you grant them. To mitigate security risks, it is advisable to partner with vendors who hold appropriate security certifications such as ISO 27001 or SOC 2.
How do you rank when it comes to cybersecurity preparedness compared to other companies?
Thieves, both offline and online, seek easy targets. If your competitors have better security measures, chances are you will be their first choice. Implementing strong cybersecurity policies will make your company less appealing to attackers.
If you’d like to see how the Lepide Data Security Platform can help you streamline your risk management strategy, schedule a demo with one of our engineers.