Cybercrime reaches new heights with the average cost of a single data breach hitting $3.62 million USD, making it crystal clear that technological defenses alone are not enough to protect organizations' data assets. Cyber criminals are extremely aware of technology loopholes and are constantly driven by motives such as financial gain, espionage, hacktivism, or, even worse, terrorism. From market manipulation to vandalism, it is evident that these threats have become a business risk for the entire organization and not just a problem for the IT department.
According to the Global State of Information Security Survey 2017, less than 45% of board members actively participate in the organization’s security strategy. In fact, the Global Enterprise Security Survey by Fortinet shows that less than 50% of board members treat cybersecurity as a top priority.
With organizations and individuals moving toward digitization, more devices require enhanced security measures. Even the growth in artificial intelligence and machine learning is a double-edged sword: while they help create better cybersecurity strategies, they can also be used to enhance tools used for malicious cyberattacks.
1. The Active Involvement of Regulatory Agencies
Regulatory agencies like the Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC) have filed lawsuits against companies that have failed to take appropriate steps to safeguard their data. Mishandling data can lead to mistrust among customers, ultimately leading to the downfall of a company. When viewed with that perspective, it’s hard to see cybersecurity as anything but a business risk issue. The fear of reputational damage to an organization is slowly forcing company board members to participate more actively in cybersecurity strategies.
Although the complete elimination of cyber risk is impossible, it is important for a company to understand the importance of linking cybersecurity and business strategies. This will enable a company to face problems head-on, make better decisions, and provide customers and employees with better disclosure.
2. Increased Expenditure Does Not Equal Better Cybersecurity
Increasing expenditure on security is not the only solution to this problem although doing so is a step in the right direction. In 2014, despite spending $250 million per year on cybersecurity, JPMorgan fell victim to an attack that exposed the confidential data of 76 million households and 7 million small businesses, proving that it takes more than just expenditure to prevent malicious cyberattacks.
Board members must confront cybersecurity as a business risk to help increase insider safety and contain outside threats. To be able to treat cybersecurity as a business risk, board members and other leaders in the company should have an understanding of what their digital assets are and how any security policy might affect them.
3. Board Members Must Understand Cybersecurity
This also means that company leaders must be knowledgeable enough to ask the right questions when meeting with the CISO and CIO to discuss company security strategies. It is incumbent upon the security leaders of the company to provide business leaders with clear, concise, and accurate reporting to ensure they understand their security posture.
Understanding the technical jargon of a CISO might be difficult for those business leaders who have limited knowledge of cybersecurity. It is the joint responsibility of the CISO to work to bridge this gap and speak the language of business, and of the business leaders to educate themselves on the importance and basics of cybersecurity. This joint approach will help the organization create better cybersecurity strategies and implement them better in the long run.
4. Conducting Cybersecurity Awareness Training Programs
Constant cybersecurity awareness training programs for employees and vendors will also help create a safer cyber environment and control insider threats to a great extent. Security awareness training programs such as EC-Council’s Certified Secure Computer User (CSCU) are specifically designed for today’s computer users who rely on the internet extensively to work, study, and play. This course introduces students to security and teaches them how to secure operating systems, along with internet safety, social network safety, mobile safety, email safety, and data backup and disaster recovery.
Cybersecurity is not just the responsibility of the IT department, nor is it the responsibility of the board of directors alone. It requires a collective effort from all levels of an organization in order to develop a cyber safe environment. As a professional in any area of a company, it is your duty to help create a secure cyberspace by attending and understanding awareness training programs.
You can also play a bigger role in the cybersecurity industry with the help of EC-Council – the world’s leading information security certification body since the launch of their flagship program, Certified Ethical Hacker (CEH), which created the ethical hacking industry in 2002. EC-Council Foundation, the nonprofit branch of EC-Council, created Global CyberLympics, the world’s first global hacking competition, in order to spread awareness and encourage more professionals in cybersecurity.