Building cyber security awareness with the board

Cyber security awareness

Cyber security is making the news almost daily, normally for the wrong reasons.  However making board members of any company aware of these issues is sometimes easier said than done. The UK government is making efforts to highlight the important of cyber security within the business.

With cyber security making the news regularly you would have thought it would be easy to convince the board members about the important of securing the business and ensure that they know where the blame lies with if a breach or incident does happen.  However this isn’t normally the case, so what can we do to ensure that the awareness of cyber security is promoted across the entire business and that the board prioritise cyber security within the business?

How to increase cyber security awareness?

So how do we increase awareness within the boardroom?  The main areas to focus upon will be what will hurt the company most, these being:

  • Financial impact
  • Reputational damage
  • Risk management

Financial Impact

We know from the news from past years that a number of high profile businesses have been breached and the financial impact of these breaches continue to grow and heart the companies.  The most publicised ones have been Target, Home Depot and Sony.

In December 2013, Target had a data breach which was one of the largest data breaches in history and cost them a staggering $162M in 2013-2014.  During this breach approximately 40 million credit and debit card accounts were put at risk.

Home Depot suffered a data breach in September 2014 which made Target’s breach small fry as they confirmed that around 56 million cards may have been compromised in an attack that had lasted up to month months.

Sony has unfortunately suffered a number of breaches over the years, primarily on their PlayStation network and then recently their internal studio networks which put their staff details at risk.

Reputational damage

Once a data breach has occurred and the business discloses their breach is only becomes a matter of time that customers lose confidence, stockholders and investors will potentially start to pull out and lawsuits may start being placed against the company.

But this is only the start, the effects of a breach can extend months to years, as in the case of Target, they are still feeling the effects even now 2 years after the initial report.

Taking the home Depot incident which happened in 2014, they are facing dozens of data breach lawsuits which will increase the overall cost of the incident and additional fines may be enforced upon them.  This action will force the board members and senior departmental members to divert their attention from the real issue of ensuring that their business is secure and that it doesn’t happen again.

Senior members of the business must be held accountable for all actions, including cyber security related actions.  It’s for this reason that the awareness of cyber security must reach the board members and ensure that they understand the potential issues.

For smaller businesses this could be the end of their business, they may not be able to survive such a reputational disaster.

Risk management

The business should have a risk assessment strategy which also includes the support for dealing and working with cyber security in an everyday environment, this risk assessment should be passed around and verified with all departmental heads including board members.  Once agreed it should be signed and reviewed frequently, ensuring that it is updated and amended appropriately.

If the risk assessment uncovers any issues, it should be managed appropriately, ensuring that the risk is either resolved as soon as possible or a contingency plan is put in place to ensure that a detailed plan of action is known and passed around all necessary departments.

What can we learn from these lessons? Not only is it the business that is put at risk, but that their customers information is at risk as well.  The financial implications of a data breach alone can be significate and is worthy of time and investment both by the board members and senior members of departmental staff.

Risk management plays a big part in the business, how much risk can a business endure before it’s too much.  Businesses need to ensure they have a well-defined risk management strategy and all senior management know the strategy at all times.

That every business should invest in a cyber-security governance framework which works alongside their risk management strategy and can be followed and acted upon should a breach occur.  This framework should be in place to ensure that such data breaches are reduced as much as possible.

Previous Post
US-CERT: Top 30 Targeted High Risk Vulnerabilities
Next Post
Logjam, another chink in the SSL armoury

Related Posts

No results found.

Leave a Reply

Your email address will not be published.

Fill out this field
Fill out this field
Please enter a valid email address.

five × three =

This site uses Akismet to reduce spam. Learn how your comment data is processed.