Few business risks today have the destructive capability of a cyber attack. Yet, for many organisations, cyber risks remain obscure, low priority, and are frequently seen as the domain of IT departments to manage.
The reality is that cyber crime is no longer just a tech issue, nor is it an issue for middle management. Today, investors and regulators are increasingly looking to company boards to show leadership.
As any board member who has experienced a major cyber attack will know, dealing with a major cyber incident can feel very new and uncertain. The problem in the boardroom is that there are few who have had that experience. This can be compounded by unfamiliarity with technology issues, perhaps because of a generational gap.
Nonetheless, the recent spate of high-profile cyber attacks across the globe has raised awareness among chief executives and boards of the evident threat of cyber breaches – so much so that in our survey of UK chief executives this week, we found that four in 10 said that becoming a victim of a cyber attack is now a case of “when” and not “if” for their organisation.
Raising awareness is great, but executives need to realise that cyber breaches can have lasting consequences. The immediate damage is real, but often there can be a long-term impact creating distrust, questioning integrity, and tarnishing reputations.
So what do boards need to do? How can executives mitigate and minimise damage and disruption to normal business operations? No two corporations are the same, so there’s no one-size-fits-all cyber security plan.
The first step is to develop a cyber security policy that the leadership team can understand, take seriously, and enforce through accountable management. This will be far more effective than delegating responsibility to a beleaguered chief information officer. Boards may also consider appointing a member with cyber expertise to continually guide and challenge the organisation.
Another step is to begin discussing cyber threats in board meetings, which will allow the business to develop a robust approach to ensuring the organisation’s digital security. It’s an opportunity for internal teams to show, in understandable terms, what is being done across the organisation to improve cyber resilience, and also demonstrate that they have exercised for cyber attack scenarios.
Once the business is in a position of preparedness, it’s then time to get some qualified people from outside to shoot holes in the plans. Find a firm that will tell the hard and uncomfortable truths that technical staff may not mention. Welcome the challenges, and be prepared to lead and work as part of a broader community to deal with the threats.
Finally, at the heart of the problem is a shortage of skills. We really cannot wait for this to fix itself. Those in senior positions need to educate themselves, and overcome their fear of cyber.
Ultimately, cyber security is firmly a business issue, not a technology one.
There are many aspects to an effective corporate battle plan to defend against a cyber attack, but success is dependent on direction from the top. Business leaders have a responsibility to master this growing risk arena, and create cyber-resilient organisations.