Is your board prepared to deal with a major cyber breach? Does your organization know whom to contact, what to prioritize, and how to contain the damage? Ready or not, boards play an important oversight role for breach preparedness. And while these questions can add stress to any meeting, answering them effectively is part of the job.
To be certain: cyber breaches are all but inevitable. The unprecedented (and rapid) shift to hybrid workforces, enhanced digital services, and workforce platforms has placed sensitive business-to-business (B2B) and business-to-customer (B2C) data within shorter reach of cybercriminals. The result is a net increase in cyber incidents both in Canada and worldwide, as well as greater public and regulatory scrutiny of any organization that holds or processes sensitive data.
The risks of a breach should be no secret to boards. And yet, there can be uncertainties as to a board's responsibilities and how to see them through. In this post, I've collaborated with Imran Ahmad, Head of Technology and Co-Chair of Data Protection, Privacy and Cybersecurity at Norton Rose Fulbright, to bring clarity to what has become a pressing matter in every boardroom.
More than a financial hit
The impacts of a breach cannot be overstated. It's not uncommon for ransomware schemes to extort millions of dollars or for "zero-day" exploits to bring entire operations to a standstill. Failure to prevent these and other attacks—like phishing, malware, and distributed denial-of-service (DDoS)—risks exposing organizations to reputational harm, financial loss, operational disruption, and legal and regulatory repercussions.
These risks apply to all sectors. For example, heavily regulated industries (e.g., financial services, transportation, healthcare, energy, and telecommunications) face severe public and regulatory scrutiny in the event of a cyber breach. At the same time, loss or theft of customer information can adversely impact market-leading brands and service providers. Elsewhere, zero-day exploits can have a seismic impact on manufacturers, distributors, and other supply chain participants.
And if you think your data doesn't have value, take a closer look. Whether it's related to B2B (e.g., intellectual property, transaction documents, trade secrets) or B2C (e.g., customer information, credit card numbers), as soon as stolen data hits the dark web, someone somewhere is surely willing to sift through the bytes in search of something of value.
Asking the right questions
The unavoidable truth is that boards have a fiduciary responsibility to ensure their organizations are prepared to act decisively and effectively in the event of a breach. This is an obligation Imran and I often discuss. In a recent conversation about best practices for boards to consider as they prepare for, react to, and recover from cyber incidents, we landed on six key questions that boards need to ask—and get answers to—when reviewing their incident response strategy. They include:
- Is everyone taking ownership of breach preparedness? Boards are not directly responsible for implementing cyber security protocols and policies. Neither are they solely in charge of managing a cyber incident response. They are, however, expected to drive the conversation, which means ensuring everyone in the organization understands the risks and is doing their part to mitigate them.
- What are we protecting? What data is most at risk? What is the value of that data, and how will its loss or leak impact the organization, its customers, and its partners? Building an effective breach preparedness strategy starts by understanding why a cybercriminal may target your organization.
- How else are we exposed? Data isn't the only element in a cybercriminal's crosshairs. Attacks can also target operations by locking or disrupting key systems. These potential attacks must also be considered.
- Are we allocating the right resources? Do all business units and leaders have what they need to stay cyber resilient? This includes training, frameworks, policies, and cyber security tools.
- How will we embed a culture of breach preparedness? Breach preparedness isn't a one-time, tick-the-box exercise. It requires constant monitoring and updating as the risk landscape evolves. This demands a workforce that recognizes the risks and is taking them to heart.
- Are we considering employee turnover? What happens to your cyber strategy when employees leave? What processes are in place to make sure their cyber security responsibilities are being passed down and that their skills and training aren't going out the door with them?
Asking these questions is critical, but so is knowing which questions to ask. Here's where collaborating with IT leaders, cyber security specialists, and trusted industry advisors will help ensure your breach preparedness strategy begins on solid ground. In a future post, I'll explore what boards need to do to ensure this knowledge and awareness translates into action.