In this month’s blog, we explore why many businesses place technology at the core of their cybersecurity efforts, with little investment in board-level governance and oversight, but to what cost?
It is tempting to prioritise technology when it comes to implementing cyber security within your organisation, but equally as important is having an effective governance structure. And where some organisations do discuss cyber security matters at the board level, these may still not gain the full attention they deserve in comparison to more commercial matters.
As the importance of effective cyber security becomes ever more obvious and business-critical in the next decade, all organisations will be forced to address these matters at the highest level, and this is becoming a greater concern now for investors. The Government’s own Cyber Security Breaches Survey 2019 shows that 32% of businesses and 22% of charities identified specific cyber breaches or attacks in the past year.
According to PWC, while there are many governance frameworks for management, there still remains little consensus on how best to implement board-level oversight of cyber security. And in the words of the Department for Digital, Culture, Media and Sport, “there is still more that organisations can do to protect themselves from cyber risks. This includes taking important actions that are still relatively uncommon, around board-level involvement in cyber security, monitoring suppliers and planning incident response”.
The importance of board-level engagement for cybersecurity
The Cyber Security Breaches Survey 2019 also reveals a lack of cyber security senior governance and oversight, demonstrated by the fact that only around a third of businesses and charities have a board member (or trustee) responsible for cyber security. Some businesses do this more than others, especially insurance firms (56%), information/communication firms (53%), and education companies (50%). According to the survey, this lack of board-level governance was typically due to either a perception that the firm was too small to worry about such matters or because cyber security was not considered a high enough priority.
Beyond the measures taken internally by UK businesses, 82% of businesses place no requirements on their suppliers to adhere to specific cyber security standards, which according to the qualitative analysis in Cyber Security Breaches Survey 2019, was due in part to many simply not even considering third-parties as potential sources of cyber breaches; a rather worrying fact in itself.
These results are all the more concerning because board-level engagement is considered by many in positions of responsibility for cyber security to be essential in embedding the culture and tone necessary for effective cyber risk management. And boards that take a keen interest and receive regular updates on cyber matters are more likely to agree to investments in cyber security technology and people, as they have a stronger understanding of the rationale.
In practice, a great deal can be achieved simply by placing cyber security on the agenda of every board meeting and inviting those responsible to present updates during board meetings. It is essential to ensure that such measures are not tokenistic and are genuinely viewed to be as important as any other more commercially related matter.
How to make cyber security a board-level priority
As we have established, it is one thing for measures to be put in place which increases the discussion of cyber security matters at board level, but this does not guarantee meaningful engagement. From the outset, it is important that board-level executives be reminded of the risks of cyber security breaches – including penalties under the Data Protection Act 2018 and the GDPR, both in terms of the business and personal directors’ liability (as part of the directors’ fiduciary duties under the Companies Act 2006). This includes understanding the cost to the business of down-time of a cyber breach which renders systems inaccessible. At the individual level, any inability to understand and mitigate cyber risk may be deemed a breach of the Companies Act 2006, which places a duty on directors to “promote the success of the company and to exercise reasonable care, skill and diligence in the conduct of their role”.
Furthermore, according to the Cyber Security Breaches Survey 2019, there is a general lack of understanding of the economic impacts of a cyber breach by management board members, as it is often viewed that monetary losses are not an immediate priority for them (whereas taking steps to handle any breach would be). Hence any strategy aiming to increase board-level engagement of cyber matters should seek to improve their grasp of the impact of any economic loss and why this could impact them.
It is also recommended that any discussion or presentation of facts, risks, or other cyber security matters to the board should be explained in terms that are specific to the business. It is all too easy to explain a new aspect of cyber law or recent fine for a cyber breach, but unless the specific vulnerabilities, remedies, and associated costs are explained for their business, the opportunity to implement a resolution may go unrealised amid a flurry of new information being relayed to the board.
The number of businesses with cyber security focused executives on the board is low, but this is increasing each year, due in part to rising awareness of the business and personal costs of a breach, but also the increasing press coverage of cyber-attacks on businesses. Given that cyber threats are now a firm fixture of our commercial reality, it is possible that businesses which prioritise the investment of financial and board-level resources into cyber security will gain a competitive advantage of doing so. Ultimately, savvy consumers and business partners will learn to separate those businesses which take cyber security seriously from those that do not and invest their money accordingly. By making this a board-level priority, you will be demonstrating you mean business when it comes to cyber risks.
Lineal is a global leader in cybersecurity. To find out more about our services, please call us on +44 (0)20 7940 4799 or email email@example.com.