Many cybersecurity problems occur because of human error. A study from
Stanford University revealed that 88% of data breach incidents were caused by
employee mistakes.¹ Aligning all employees, not just the cybersecurity team,
around practices and processes that keep the organization safe is not a technical
problem; it is an organizational one. Cybersecurity requires awareness and
action from every member of the organization to recognize anomalies, alert leaders,
and ultimately mitigate risks.
Boards have a unique role in helping their organizations manage cybersecurity
threats. They do not have day-to-day management responsibility, but they do have
oversight and fiduciary responsibility, especially once NIS2 (the Network and Information Security
Directive) and DORA (the Digital Operational Resilience Act) are implemented in 2024.
Don’t leave any questions about critical vulnerabilities for tomorrow. Asking the
right questions at your next board meeting might just prevent a breach from
becoming a total disaster.
We recommend asking your board the three questions set out below. Simply asking
these questions will raise awareness of the importance of cybersecurity and of the
need to prioritize action.
Three Questions Your Board Needs to Know
1. What are our business recovery plans in the event of a cyber incident?
Many leaders have not tested their business recovery plans. Recovering from a
business disruption caused by a cyber incident can differ significantly from
recovering from other disruptions. Data recovery, for example, looks different when
all records have been destroyed or corrupted by a malicious actor who encrypts or
manipulates files. Boards of Directors (BODs) want to know who "owns" business
recovery, whether there is a plan for how to make it happen, and whether that plan
has been tested with a cyber incident in mind.
2. What are our response plans in the event of an incident?
If a ransom is demanded, what is our policy on paying it? Although the board is
not likely to be part of the detailed response plan itself, the BOD does want to be
sure that a plan exists. Which executives and leaders are part of the response
plan, and what are their roles? What is the communications plan (after all, if systems
are breached or unreliable, how will we communicate)? Who alerts the authorities,
and which authorities are alerted? Who talks to the press? To our customers? To our
suppliers? Having a plan is critical to responding appropriately. It is highly unlikely
that the plan will be executed exactly as designed, but you do not want to wait until a
breach happens to start planning how to respond.
3. What is the board’s role in the event of an incident?
It would be helpful for the BOD to know what its role will be and to practice it. Is
the board's role to decide whether to pay a ransom, to talk to the largest
customers, or to be available for emergency meetings with organization executives to
make just-in-time decisions? Using fire drills and tabletop exercises to build
muscle memory may sound like a luxury, but should your company suffer an incident,
you want to be sure that response muscle is ready to work.
Conclusion:
There are specific proposed regulations that are complicated, if not concerning.
For example, if there is a material cyber incident, the company would have only 24
hours under NIS2 in which to publicly disclose it once it has determined that the
incident was indeed material. Determining materiality involves both quantitative
and qualitative evaluations, and that process needs to be re-examined.
Further, the regulations require that a prior incident which did not rise to the level
of materiality may subsequently be deemed material when aggregated with
later, similar cyber incidents. The process and protocols for this
aggregation will require very thorough board oversight and input.
Boards have a unique role in helping their organizations manage cybersecurity
threats. They do not have day-to-day management responsibility, but they do have
oversight and fiduciary responsibility. Don't leave any questions about critical
vulnerabilities for tomorrow. Asking the smart questions at your next board
meeting might just prevent a breach from becoming a total disaster.