One of the most reliable constants in the cybersecurity world is that threats are always increasing as cybercriminals advance their tactics and develop new ones. It can be a daunting task for organizations to continually stay on top of these threats, protect their own data and assets, and monitor the threat landscape for changes. A recent report from UK cybersecurity consultancy group Savanti details the challenges facing UK companies in this area—the growing threats and the difficulties that boards face in understanding and implementing cybersecurity policies—as well as a five-point plan to help with effective cybersecurity board governance.
New and Evolving Threats
There is no doubt that cybersecurity risks for companies are on the rise, especially in recent years. In 2021, nearly two-thirds (61%) of enterprises were targeted by cyberattacks, a significant increase from 51% in 2020. Furthermore, one out of every six companies targeted in the last year stated that the attack almost caused the organization to go under. From 2019 to 2021, ransomware attacks increased by 200%, including several notable cases in which organizations paid ransoms in the multi-millions of dollars. While paying the ransom demanded by cybercriminals can set a company back a great deal of money, the other costs associated with the containment and remediation of cyberattacks are also astronomical.
The costs of falling victim to a cyberattack are multitudinous—the report cites “higher insurance premiums, business disruption, lower production, delays, reputational damage, intellectual property theft, litigation, and regulatory actions” as examples. Cyberattacks can come from within a company or without, target software or hardware, and have a wide range of goals and impacts; given this, it only makes sense for cybersecurity to be a major priority in the boardroom. Companies are vividly aware of the fact that cyberattacks can be devastating and cybersecurity is of the utmost importance, but this knowledge alone does not mean that they are prepared to address these issues.
Companies Struggling to Keep Up
According to Savanti, there are five major trends driving recent board prioritization of cybersecurity. First, boards cannot avoid the increasing frequency of cyber events or the risks of being targeted. Second, media reporting on cyber incidents has escalated, putting pressure on those who would be in the spotlight in the event of a cyberattack. Third, the pandemic led to a heightened focus on operational resilience and data security. Fourth, investors have been pressuring organizations to bolster their cybersecurity posture, associating effective cyber preparedness with the overall success of the company. Finally, regulations regarding cybersecurity have been ramped up in recent years, forcing organizations to adhere to new requirements.
One survey showed that 83% of board directors identified cybersecurity as a top priority, while fewer than half of respondents had taken any action toward fortifying cybersecurity. Boards struggle to understand their role in the company regarding cybersecurity, with nearly a quarter (23%) of directors describing their role as “standing by to respond should the board be needed.” Board directors also struggle with cyber awareness; often, they lack an understanding of cyber risks, solutions, and best practices, partly because few directors have expertise or experience in technology and cybersecurity. Board recruitment can help close this gap, but board turnover is low due to a lack of term limits and high mandatory retirement ages.
Recommendations for Improvement
The five-point plan set forth in this report is a solid foundation for improving cybersecurity board governance. The first recommendation is to understand the unique role of the board in cybersecurity—that is, to set the company’s risk appetite, maintain a satisfactory understanding of the company’s resilience and recovery, stay informed on cybersecurity enough to “interrogate what they are told” and “ask the right questions,” and ensure preparedness for potential cybersecurity incidents. Second, boards are encouraged to have at least one non-executive director with expertise in technology, digital, data, or cybersecurity. This is vital to ensure that the board as a whole is able to fill its role in protecting the company against cyberattacks.
The next point in the plan is to put cybersecurity on the board’s agenda. This means that cybersecurity should be regularly discussed at board meetings, accounting for changes in the threat landscape and meeting critical cybersecurity situations with increased focus. Fourth, the plan recommends that organizations give boards and executives access to independent cybersecurity advisors, who contribute to multiple facets of cybersecurity governance by advising CEOs and CFOs, non-executive directors, and CISOs. Finally, Savanti’s plan lays out responsibilities for regulators, investors, and public bodies and the role that each plays in ensuring effective cybersecurity board governance. Regulators are encouraged to enact “smart and focused regulation” for cybersecurity, investors to ask questions that drive companies toward more effective governance, and public bodies to partner with private entities to spread knowledge, solutions, and best practices regarding cybersecurity management and governance.
Cybersecurity is important not only to protect organizations against cyberattacks, but also in assuring prospective clients, partners, and consumers of a company’s reliability and effectiveness. Without effective board governance and boardroom prioritization of cybersecurity, an organization is open to more risk of cyberattacks and other security incidents. The Savanti report explores the continuing growth of cyberthreats against organizations, the challenges standing in the way of effective board governance, and a number of steps that boards can take in order to improve the effectiveness of their governance of cybersecurity.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire.