What does good governance of cybersecurity look like?

Oversight of cybersecurity  is featuring higher on the board agenda than ever before. Earlier this year, Gartner predicted that 40% of boards will have a dedicated cybersecurity committee by 2025. This is with good reason. For one thing, the financial impact of an attack can be huge. According to figures from IBM, the average cost of a data breach reached $4.24 million per incident in 2021 – the highest in 17 years. There is also strong evidence that attacks are increasing in the wake of the pandemic. Ransomware attacks increased by 93% in the first six months of 2021 alone.

Facilitating collaboration and communication is a core component of the board secretary role, none more so than in the hybrid working age. Preventing attacks from hackers, government agencies and terrorists is also increasingly being seen as an important part of the ‘social’ component of ESG performance – not least because of the wider impact a cybersecurity attack can have on society and customers. If you run a bank, an attack can seriously affect the public’s ability to access key financial services. If you run a healthcare organisation, a breach can lead to confidential personal data being stolen and have a big impact on delivery of vital services. If you run an energy company, as happened in the US earlier this year, an attack can cripple the services that power our daily lives.

With these kinds of incidents rising year on year, it’s not a surprise that effective cybersecurity is  increasingly being considered as a key indicator of a company’s corporate resilience and social responsibility. But what does good governance of cybersecurity look like? And how can boards show they are not just paying lip service to security and have plans for all eventualities?

Minimum requirements

As a baseline, today’s boards should be able to demonstrate to partners, regulators and their own organisation that they have: 

  • Understanding of cybersecurity threats at individual director level
  • Strong board oversight over a robust and well thought out cybersecurity strategy 
  • Plans for disaster recovery with contingencies for helping services to recover quickly 
  • Evidence that they have made efforts to recruit cybersecurity experts and advisors 
  • Processes for ensuring that cyber risk is integrated with business risk

All these elements are vital if boards want to satisfy demands from external monitoring bodies and protect their organisation against potentially catastrophic threats.

This is not a static situation though. What boards also need to demonstrate is that they are agile enough to adapt their strategies to changing circumstances, new threats, and changes to working patterns that have the potential to dramatically alter the security landscape.

Recently, organisations have adopted widespread hybrid working in response to the pandemic. In many ways this has been a positive move, helping increase productivity and employee satisfaction.

The impact of the pandemic and the rise of hybrid working

The lessons from Covid 19 provide a perfect case in point. Recently, the majority of organisations have adopted widespread hybrid working in response to the pandemic. In many ways this has been a positive move and has helped to increase productivity and employee satisfaction. However it is also clear that hybrid working exposes organisations to increased risk of security breaches. Problems arise from users shifting between secure and insecure networks, not following IT security policies when at home, weak passwords, using unauthorised personal devices, connecting work PCs to smart home devices and bringing malware into the office when they log back in the corporate network.

A recent survey by HP Wolf Security found that 83% of global IT teams believe this has created a ‘ticking time bomb’ for corporate network breaches. 

The consequence is that boards now need to demonstrate that they have plans in place to protect against new vulnerabilities. In particular, they need to show that their organisations have revised strategies that take account of new threats, especially those related to ransomware, email based threats and client-side attacks that have all increased dramatically in the wake of the onset of remote working.They also need to show that they are backing investment in systems required to protect a hybrid workforce – including secure VPNs, multi-factor authentication and endpoint monitoring. Just as important is having a strategy for changing the culture of the company. This should include plans for education and training all employees on the specific threats related to hybrid working, and ultimately creating a cybersecurity-aware culture that is fit for the modern, fast-changing times.

Further reading

At Admincontrol we have recently been looking at these issues in depth and have produced a handbook for boards on how to manage the impact of hybrid working on cybersecurity

We have also created an infographic which summarises the 7 ways boards can guide organisations towards secure hybrid working.

We hope you find the information useful as you continue to evolve and adapt your cybersecurity strategy.

Related articles