⌛️ It's too late after the Data Breach ➲ Your Ship has Sunk!
⭐️ Call for CyberSecurity to be a Global Top-Priority Boardroom Agenda Item
The boardroom of every business, charity, and social enterprise globally needs to urgently add cybersecurity agenda items so that they can spend the time required to seriously consider the real risk of cybersecurity existential-level cyber incidents and what they can do to cost-effectively mitigate or avoid this risk, as well as ensuring they understand the evolving legal landscape and their compliance obligations related to CyberCrime, CyberSafety and CyberWarfare (if any).
Whilst there has been much media attention directed at the constant stream of headline-grabbing data breaches it appears to me that cybersecurity to date has been pigeon-holed as a problem for the Chief Information Security Officer (CISO), Chief Technology Officer (CTO), or IT Department (if any) to solve on their own. The crux of the problem is that cybersecurity is not currently getting the level of attention it deserves in the boardroom.
Small Organisations Face the Highest Level of Existential Risk
Whilst small organisations may not be legally regulated to protect client or customer data or to report data breaches in the event of a cybersecurity incident or data breach, once word of a cyber incident spreads it is almost certain that they will struggle to survive in the longer term. The evidence to date indicates that a high percentage of smaller organisations go out of business shortly after encountering a cybersecurity incident.
Place yourself in the shoes of a Client or Customer who has recently been notified that their data has fallen into the hands of a third-party with criminal intent, and ask yourself whether you would continue to do business with your organisation, or decide to take your business elsewhere?
All Organisations Face Quadruple Threats
All organisations, especially organisations with a more recognisable brand, and larger digital footprint face at least the following threats:
- Ever-increasing regulatory fines and penalties for data breaches; as well as the
- Long public relations nightmare that accompanies reporting a data breach, and the huge potentially unrecoverable costs of investigating the root cause and rebuilding public confidence that it will not happen again;
- The possibility that their brand might be spoofed or impersonated by cybercriminals to swindle or scam personal data or money from their innocent clients or customers; and
- The possibility that the weakest link in your organisation’s supply chain (with whom your organisation stores or shares client or customer data) has a cyber incident or data breach.
When considering the last 2 threats, even the most internally cybersecure organisation can be affected. Therefore, large organisations need to have an increased awareness of the potential techniques that might be employed by cybercriminals to use their brand to attempt to hoodwink the public and what they can do on a cost-effective basis to reduce or limit the risks.
How General Counsel & Chief Information Security Officers (CISOs) Need to Report CyberSecurity Risks to the Boardroom
A CyberSecurity Board Report is a detailed summary of an organisation’s CyberSecurity risks. It helps the board understand potential cyber threats so they can take a proactive approach to mitigating the risks. The objective is to explain to the board why investment in CyberSecurity is a vital component to the organisation’s survival and continued success.
The report highlights the threats that matter most to the organisation. It contains a CyberSecurity plan, a risk quantification with potential costs of security breaches, pertinent legal compliance and regulatory issues, and any necessary technology solutions or additional security resources.
Historically, many CyberSecurity breaches have been traced back to 3 root causes:
- Failure to prioritise CyberSecurity;
- Failure to funnel resources towards CyberSecurity; and
- Failure to execute on CyberSecurity initiatives.
The challenge was in getting senior management to understand how imperative it is to strategise and take action – and in engaging employees towards organisational change. General Counsel and Chief Information Security Officers (CISOs) can achieve higher levels of boardroom buy-in for CyberSecurity by connecting plans to business objectives which involve:
- Cohesive storytelling;
- Prioritising existential security threats; and
- Ensuring C.A.R.E. (Consistent, Adequate, Reasonable, and Effective security controls).
⚖️ Directors' Duties
All Directors have a duty to exercise their powers and duties with the care and diligence of a reasonable person. A Board of Directors who do not set their corporate agenda to carefully consider CyberSecurity and related matters (that is, how to protect, mitigate, manage, and respond to a CyberSecurity incident) are most likely going to be in breach of their Directors' Duties.
Directors in Australia need to take personal responsibility and dig deep to question and understand advice about CyberSecurity and examine for themselves whether it is being implemented. In contrast, Directors in the USA may rely on the Directors' defence of total reliance on the recommendations of reasonably qualified external experts which is available under the US interpretation of the Business Judgment Rule.
Conclusion
Regardless of the legal position, it is incumbent on all top-level executives to come to grips with CyberSecurity (it isn't just a matter for the CTO/CISO/IT Department). Given the continued woeful performance of top-level executives around the world (the current global trend of data breaches is showing no signs of abatement) now is the time to reset your boardroom agenda making CyberSecurity and related items a top priority.
⬇️ FREE CyberSecurity Download
Get started with a free consultation with one of our PKI experts.
As a public Certificate Authority that is trusted worldwide, GlobalSign can help your websites to build trust and credibility as you go about and conduct your business.
If you’re interested, email marketing-apac@globalsign.com today!