Despite what the headlines suggest, it’s not just big corporations like Target, JPMorgan Chase, and Sony that are at risk of cyber attack. Smaller organizations are often more attractive targets because of their weaker security, and frequently provide cyber criminals with a way in to large enterprises further up the supply chain. As McAfee’s Mike Fey said last year, “Small- and medium-sized businesses are nice easy targets – and you can attack 2,000 small businesses at once.” In spite of this, many boards remain in the dark about security issues, and show no interest in addressing them.
Willful ignorance of a business-critical issue
IT Governance’s own 2014 Boardroom Cyber Watch Survey found that:
- 32.5% of boards do not receive any information about their cybersecurity posture and activities.
- Of the 55% that do receive regular reports, 19% receive reports only annually.
- 29% of IT teams don’t report data breaches for fear of retribution.
It’s astounding that nearly a third of boards know nothing – and want to know nothing – about the security of the information their organization collects, holds, and processes. Indeed, PwC’s Global State of Information Security Report 2015 called it a “dangerous misconception” for small firms to “consider themselves too insignificant to attract threat actors”.
What to ask
So what should the board be asking their cybersecurity teams? What do CEOs and other C-suite professionals need to know about?
Here are a few questions that boards should ask.
- What are the current cybersecurity threats that the organization faces and how could they affect the business?
It is essential that boards are fully aware of the threats they face. Business-critical issues are board-level responsibilities. Cybersecurity is not just a job for the IT department – it affects the entire organization and must be led from the board downwards. Boards need to understand the challenges their organizations face so that they can make appropriate business decisions: the risk appetite must be set by the board, and the company’s cybersecurity strategy then implemented accordingly.
- How and when is the board informed about the current cybersecurity threats that the organization faces, and how they could affect the business?
Only 55% of respondents to our Cyber Watch survey said their boards received regular cybersecurity reports. Managing cybersecurity risks is a daily battle, and boards need to be briefed much more frequently. Regular communication between the board and the CISO/CIO is essential.
- How does the organization address cybersecurity threats?
Anyone connected to the Internet could jeopardize the entire organization with a careless mouse-click. Are all staff adequately trained to understand that cybersecurity is an enterprise-wide responsibility? What measures are in place to keep technological solutions up to date so that emerging threats are addressed? What processes are in place to ensure the organization can respond to cyber attacks?
- How is the cybersecurity team supported by the board?
29% of respondents to our Cyber Watch survey said fears of retribution discouraged their IT department from fully disclosing details of cyber breaches to top management. It scarcely needs pointing out that this is incredibly destructive. If the organization has suffered a breach, the board needs to know about it immediately. The cybersecurity team needs to be properly supported to respond quickly and effectively – not blamed. Statistically, there is a strong likelihood that every organization will suffer a successful cyber attack. It’s impossible to prevent all of them. How the organization plans for and reacts to a data breach incident will affect its short-term reputation and long-term prosperity.
- Is the organization’s cybersecurity posture based on international best practices and industry standards?
An industry-standard, best-practice approach to cybersecurity, such as that set out in ISO 27001, the international standard for information security management, gives organizations a tried and tested approach based on the collective experience of cybersecurity professionals around the world.
It is essential that boards are fully aware of their companies’ cybersecurity activities so that they can make properly informed decisions. ISO 27001 offers a holistic approach to information security that addresses people, processes, and technology, recognizing that effective information security is an enterprise-wide concern.
Accredited ISO 27001 registration demonstrates to your customers that you have implemented effective security processes based on international best practices, and regular auditing shows that you maintain the quality of your information security posture. As well as increasing organizational efficiency, the assurance that accredited registration provides helps you gain new business and retain existing customers. Annual registrations to the Standard in the US have increased 36% year-on-year according to the latest ISO figures.
IT Governance ISO 27001 Packaged Solutions
Thanks to IT Governance’s fixed-price ISO 27001 Packaged Solutions, US organizations can take advantage of expert ISO 27001 consultancy to implement an ISO 27001-compliant information security management system (ISMS) for as little as $14,995, and organizations with fewer than 20 members of staff can achieve ISO 27001 registration for as little as $7,650.
With its unique combination of standards, books, toolkits, software, training, and online consultancy, IT Governance’s Get A Lot Of Help package provides US organizations with all they need to implement the Standard and ensure their cybersecurity.