As technology changes the way people work and live, especially in hybrid work environments, new points of vulnerability are continuously created. The infrastructure of daily life now depends on internet connectivity, cloud data platforms and wireless nodes, giving attackers more opportunities to target critical services such as transportation, financial services and health care. Add to this the continued uncertainty around artificial intelligence, blockchain governance, cryptocurrency regulation, the erosion of privacy across platforms and "smart everything," and there are more points of technology disruption and cybersecurity threat than there were even three years ago, before the pandemic upended everything.
Most directors do not have a technology background. That's okay. In fact, it may be a good thing, so long as you are informed enough to ask the right questions and strong enough to hold your security team accountable. Not surprisingly, more boards are looking to strengthen the credibility of their directors' cybersecurity knowledge through continuing education.
All this comes at a challenging time for boards, which are under pressure to do more with fewer resources. According to an annual survey by the National Association of Corporate Directors, funding for initiatives more directly tied to growth may take precedence over cybersecurity, particularly in difficult economic times like those we are experiencing now. This means boards face hard decisions when approving budgets and setting incentives for the executive team. The key issues for board members to consider when allocating budgets and resources to cybersecurity readiness are:
Understand your exposure points.
Understand why someone might attack you.
Get outside perspective, not just internal sources of information.
Learn what questions to ask.
As part of your annual risk assessment, develop a risk appetite statement and a cost-benefit analysis for cybersecurity so that you can make informed decisions when allocating scarce resources during challenging times. Below are a few of the emerging trends in cybersecurity and the questions to be asking your executive team. These are simplified questions about complex issues, but they serve as a starting point for understanding your exposure points.
Privacy Compliance
How will our customers react if we compromise their “private” information? What is our plan to protect our customers' information?
What is that worth in cyber security spending?
What privacy laws will affect us in the future, and how are we preparing to comply with changing privacy standards around the globe?
Are we adopting the highest standard and working toward it, or working toward a lower standard, and if so, why?
Open-source Compliance
What is our open-source compliance policy?
What about the policy of our critical vendors who supply us with code and development?
What outside help do we use?
What tools do we use?
Are devices updated in a timely manner?
How do we patch and track open-source code? For that matter, how are we patching all code, including what our vendors deliver?
Readiness for Artificial Intelligence
How are we using AI versus just data analysis?
What unintended consequences could result from the assumptions built into our AI models and the data they are trained on?
What is our viewpoint on the corporate responsibility for bias in AI?
Ransomware Preparedness
What happens if we are hit with a ransomware attack?
What is our viewpoint on paying out money to regain access to our systems?
Do we need to keep bitcoin or another cryptocurrency on hand in case it is needed? If so, how much?
Is there a threshold at which we pay to get the business back on track or to keep the incident out of the press?
Does paying create a slippery slope and make us a future target?
How do we interact with law enforcement, and have we confirmed in advance whether a payment to a given group could be legally prohibited?
Malware, Phishing and Insider Threats
What is our plan if we are hit with malware? What steps are taken to slow and stop the spread?
Where do we source our IT support and our network infrastructure components? Are we at risk of a state actor taking control of our systems through that supply chain?
How do we identify and manage the risk of disgruntled insiders, particularly those with privileged access to our IT infrastructure?
How do we continually train employees to recognize phishing, and how do we monitor for and block it?
How do we as a board watch for spear phishing on our personal devices?
Crisis Communication Preparedness
What is our plan if something catastrophic occurs?
How do we convene, and what is our approach? Apologies may not be sufficient; what responsibility do we have to customers and employees?
What will we provide to the media?
Internet of Things Lockdown
If our systems are compromised, how do we quickly lock down all devices and vulnerability points?
If we cannot lock them down in time, how do we get back online?
How do we communicate this to the public?
Personal Devices
Should board members be issued dedicated devices and email accounts used only for board business?
How do we reduce the chance that a director's personal device is compromised by spear phishing?
Audit, check and check again – trust but verify
How do we trust, but verify what we are being told?
Do we have the right team in place?
Are we at a high enough risk that we should commission a third-party audit of our security program?
Should we have a technical advisory panel for the board to regularly assist us on cybersecurity initiatives?
These are just a few of the questions to consider when cybersecurity is on the agenda. Cyberattacks continue even when they do not make the news; the quiet ones you never hear about should concern you more. Cybersecurity is never a check-the-box, one-and-done project. It is a constantly evolving threat to every organization, large and small, and it will only grow as our use of technology accelerates.
If you would like more information, or are interested in education sessions on technology disruption, cybersecurity, the future of work or other technology-related topics in governance, a strategic facilitated discussion, or a 360 review, contact me at jwolfe@consultwolfe.com or 513.238.4348.