It seems that every week there are headlines about how cyber criminals are trying to steal your data through phishing attacks and malware — or extorting you with ransomware in order to give your data back.
And given the startling rise in attacks in recent years, most cybersecurity experts will now tell you that it’s no longer a question of “if” but “when” your organization will get hacked. And when it does, you will lose time, money, and maybe even suffer a reputational loss.
The devastating impact of cyberattacks now means the executive team — not just the IT team — must have a plan in place to ensure they are taking the correct steps to mitigate losses, and recover quickly in the event of a hack. And who keeps executives in check? The Board of Directors.
In addition to many other responsibilities, the BoD is responsible for overseeing their organization's cybersecurity efforts as part of overall governance. If you’re on a board, here are a few things to consider…
What’s the cybersecurity plan?
Is there a roadmap to improving your cybersecurity? Is it based on an evaluation of cybersecurity risks? And what is being done to mitigate those risks? Getting answers to these questions is the best place to start your cybersecurity governance journey.
And once you have a plan, it’s important to continually improve on those processes. Your IT Team needs to regularly audit, review and align to best practices.
Is there an incident response plan?
An incident response plan basically outlines the who, what, why and how for a response to a cyberattack. This is important because you don’t want to waste valuable seconds in the event of a hack trying to figure out who does what, and what they need to do. And the faster you respond, the better the outcome.
You wouldn’t build an office without a sprinkler system. So make sure executives aren’t waiting to create an incident response plan when it can help stop a cyberattack from engulfing an organization in flames.
Do you have the right cyber insurance?
Perhaps your organization has cyber insurance — but is it the right coverage? For example, what is the coverage amount? Will that dollar amount realistically provide the funds needed to recover from a hack? Also, take time to understand the inclusions. According to the Insurance Bureau of Canada, cyber insurance can cover everything from business interruption and the expenses to respond or recover data, as well as legal fees and paying for a public relations firm to manage the organization’s reputation. IBC also offers six questions to consider when buying cyber insurance.
Who has the expertise you need?
These are just a few tips to help you, as a board member, understand your cybersecurity governance responsibilities. But you may need support. Is there expertise within the organization that can support board members? For example, can someone on the IT team sit on a tech subcommittee?
You may also want to go outside the organization to look for expertise from organizations that can assess the effectiveness of a cybersecurity program, and help board members understand what they need to know in order to manage this risk.
Feel free to reach out to us any time with your questions.