How to ensure cybersecurity is still a board level concern

In 2021, cybersecurity has to be a visible, prioritised part of every business strategy.

Cybercrime has become industrialised on a scale not seen before and shows no sign of flattening out. Current enterprise spend is around $54bn* globally in 2021 (*source: Statista, March 2021). In a 2020 report McAfee estimated global cybercrime losses to exceed $1 trillion. Discrete malware cases alone have increased over the last 10 years from $99.71m in 2012 to $1214.76m* in 2021 (up to 6th May) (*source: AV-Test 2021).

About the Author

Senior Account Manager Jeffrey Magara helps Global Enterprise and SME clients deliver consolidating, cost-saving IT solutions and projects.

Most common cybersecurity threats

The sophistication and intensity of cyber threats are escalating, amid swelling levels of remote working and dependence on digital devices. The most damaging forms of cybercrime to enterprises include:

Social engineering
Including phishing emails, scareware and quid pro quo.

Ransomware
The third most popular type of malware used, ransomware is employed in 22% of instances. In 2020 hackers demanded $1.14 million from The University of California after accessing COVID-19 research, and stole 10TB of data from Canon.

DDoS attacks
DDoS (Distributed Denial of Service) attacks can have a devastating effect on businesses with a high reliance on online traffic and digital services, and have become an increasingly popular threat. Alarmingly, there is an increase in DDoS-for-hire services, which are relatively cheap to engage.

Third party software
It only takes one compromised enterprise application within the ecosystem to open the gateway for hackers to other domains.

Cloud computing vulnerabilities
Criminals scan cloud services searching for those that have no password, exploit unpatched systems and perform severe attacks to access user accounts. These breaches can result in ransomware, theft of data or coordinated DDoS attacks.

Threats are increasing

The unprecedented number of recent infiltrations demonstrates that cybersecurity risk is as significant as the other critical strategic, operational, financial and compliance risks within a board’s scope.

Just as boards are charged with overseeing a company’s financial systems and controls, they have a duty to oversee a company’s management of cybersecurity. This includes oversight of appropriate risk mitigation strategies, systems, processes and controls.

Without effective oversight and accountability, an organisation’s cybersecurity governance systems, policies and procedures are rendered meaningless, leaving the enterprise vulnerable to attack.

How do you quantify cybersecurity risk?

The more an enterprise depends on digital devices and services, such as remote working and the cloud in general, the greater the associated risk, since more threats originate outside the organisation than within it.

To quantify where your risks lie and what you stand to lose, auditing your current security capabilities is a good place to start. List your current security capabilities, the programmes you have in place and what they are expected to do. Then, considering the most common forms of cyber threat (mentioned earlier), ask how your current programme addresses each high-risk scenario you may face.

Understanding your vulnerabilities

Having a very good understanding of your susceptible assets will help you create a vulnerability management plan. The plan will most likely include scans of all appropriate assets. This process should help you understand what specific action you may need to take, which might include managing patches and updates. The vulnerability management plan can also feed into your business continuity and DR plans to strengthen your resilience. A thorough audit will pay dividends: as well as quantifying cybersecurity risk, it is likely to uncover areas of ‘dark data’ within the enterprise.

How much should you spend on cybersecurity?

Your board will inevitably want to know how much budget to allocate to cybersecurity defences. Some believe 10% of the IT budget should be spent on security measures, but this is misleading and an underspend could put your enterprise at risk. Another metric employed by some organisations is a percentage of revenue, which may give the potential risk more gravity. We recommend spending in line with your enterprise’s level of exposure and associated risk to cybercrime. Looking at it purely as a share of IT budget would also miss the point: the approach to cybersecurity should be enterprise-wide rather than confined to one specific domain.

Are regulatory compliance and cybersecurity the same thing?

In short, no, they are not the same thing, but both have the same objective: managing risk. Both are responsible for designing, establishing and enforcing controls to protect organisations, but they come from different camps.

Cybersecurity is responsible for securing the enterprise’s information assets from damage and theft and is by nature very technical. Compliance focuses on ensuring that policies, regulations and laws are adhered to and enforced; its role is based in auditing, interviewing, reporting and communicating.

Confusingly, these two terms are often spoken of in the same breath and can become conflated. Both, however, are managing risk to the enterprise. It is important that your board of directors understands the differences.

What are the new approaches to cybersecurity?

It is key to keep the board updated on the latest technologies so that they can evaluate the options in an educated way. A threefold increase in demand for cloud services has in part changed the cybersecurity landscape, with new approaches that include:

  • Zero Trust architectures
  • Real-time threat intelligence
  • Security Orchestration, Automation and Response (SOAR)
  • Advanced endpoint protections
  • Identity and Access Management (IAM)

In addition, enterprises are rapidly moving their operations to the cloud, replacing static and inherently insecure legacy systems with dynamic, agile, integrated cloud and network systems that are designed with security built in.

At present some of these new approaches may be out of reach for SMEs; however, as adoption gathers pace among larger organisations, the cost will fall, making them more accessible.

Cyber defences should match your organisation

Something worth highlighting to the board is that whatever decisions and approaches your enterprise takes in terms of cybersecurity, they will need to be tailored specifically to your organisation; ‘one size’ does not fit all. To make it more specific to the enterprise, a ‘risk based’ approach is coming to the fore. By adopting a ‘risk based’ approach, your enterprise is committing to a systematic method that identifies, evaluates and prioritises the threats you are facing. This allows your enterprise to tailor cybersecurity to your organisational needs and operational vulnerabilities.

Building a business case for cybersecurity spend

Show business value. Unless your enterprise has already suffered at the hands of cyber criminals, you will need to actively demonstrate the value of investment in cybersecurity to the board. We believe it should be a key board meeting agenda item on an ongoing basis. The justification for spend should not only demonstrate losses avoided, evidenced (hopefully) by examples of high-profile attacks elsewhere, but also commercial benefits. These include improved customer experience, reduced insurance premiums, less capital set aside to cover losses, increased IT productivity and the enablement of new digital services, to name a few.

Educate the board. Demonstrating the potential risks to each part of the enterprise from ineffective or missing cybersecurity measures, and balancing them against the benefits of a cohesive and progressive cyber strategy, will make sure that the board is fully engaged. This allows the board to understand the risk and to communicate effectively to all employees how the exposure to potential threats is being managed.

Gain commitment

Gaining the board’s commitment to embrace and manage cybersecurity risk takes more than the right presentation materials and the right metrics. It is about making cybersecurity part of an overarching risk management strategy, where it can be contextualised and where your risk quantification can give the board a better basis for establishing risk tolerances.

If, after reading this blog, you feel that it might be the right time to look further into your organisation’s cybersecurity, having a partner who can guide you through will be invaluable in making the right decisions. Pendulum offers support and cybersecurity expertise to help you get the most out of protecting your organisation from cybercrime.

About Us

Pendulum is a leading IT company providing services, hardware and software across the UK and internationally. For further information on remote working, public cloud hyperscalers, cybersecurity, modernising the data centre, HCI or any other area please contact your account manager or email