All aboard the cybersecurity express!
That’s kind of what we need to have in mind when we approach our board about cybersecurity matters. Thankfully, cybercriminals, whilst they plunder our company booty, are at the same time giving the cybersecurity professionals among us plenty of fodder.
To convince the board that cybersecurity needs attention and budget, we need to use the intelligence gathered in our daily job as a security professional. The ultimate goal is to make sure our company is cyber-safe. To do this, we need to have everyone on board, and this starts with the company directors.
Company directors are busy people, but cybersecurity is an urgent matter. So, how do you get into the dragon’s den and show them how to fight fire with fire?
Five Easy Steps to Project “Cybersecurity Onboarding”
Step 1: Give them the lowdown – in a “Cybersecurity for All” report
Let’s not beat about the bush: cybersecurity is a crime-wave. Cyber-attacks will cost global businesses $6 trillion USD (£4.6 trillion) a year by 2021, double what cybercrime cost in 2015, and it is the fastest-growing crime.
To begin Project “Cybersecurity Onboarding”, create data-focused reports that show the scope of cybersecurity threats and incidents. Make these reports accessible to a non-technical audience. Include sections on:
Industry sectors: Offer data for the sectors your company works in. Each industry sector has its own set of challenges. Use analyst and specialist reports from the likes of IBM X-Force, Symantec, and McAfee to create industry-specific figures that hit home.
Check out the Defence Works industry series, which looks at industries such as:
Types of threats and trends in cybersecurity: Give examples that are pertinent to your organisation. Some examples could include:
- 27 percent of phishing incidents targeted webmail users
- Business Email Compromise (BEC) fraud costs around $12.5 billion USD (£9.5 billion GBP)
- Scams continue unabated. Stolen personal data is being used to fuel extortion and sextortion scams
- Keeping on top of employee device use is still part of security 101. Mobile malware grows more sophisticated as time passes, with fake apps and banking trojans a major issue in 2019.
Step 2: Engage them in the process and hit ’em where it hurts
A cybersecurity incident has a fundamental impact on a business. It hurts in a number of tangible and intangible ways. Extend your “Cybersecurity for All” presentation to include the following areas:
- Share price: Comparitech carried out a multi-year study into the real effects of a cybersecurity incident on a company’s share price. One year post-breach, share prices were down by an average of 3.7 percent, and three years post-breach they remained depressed by 15.6 percent.
- Lost jobs: There are countless examples of C-level executives losing their posts after a cybersecurity incident. A recent example is the Yahoo data breach. CEO Marissa Mayer was financially punished to the tune of $12 million USD and company counsel Ron Bell ‘resigned’.
- Reputation: Reputational damage can have a long-lasting effect on an organisation. A smaller company can end up permanently damaged, and a large company can lose an enormous amount. This was the case for TalkTalk after the 2015 data breach: the company lost 101,000 customers as a result of the attack, at a cost of £60 million.
- Fines: The UK’s Data Protection Act 2018 (DPA 2018) along with the General Data Protection Regulation (GDPR) both set high fine levels for data breaches.
Step 3: Show them how cybersecurity is a company matter, NOT a technical one
Cybersecurity threats affect everyone in an organisation. The days where cybersecurity could be siloed into the IT department are long gone. Cybersecurity is as much about human behaviour and actions as it is about technology – the success of phishing bears this out. Phishing and other related scams like BEC use human behaviour and social engineering to defraud your company. This fundamental fact needs to be conveyed to your board.
Cybersecurity risk is an enterprise risk; an attack hits right across departments. Business Email Compromise (BEC) is a perfect example of this. In this scam, the cybercriminal will spend time ‘getting to know’ your company by using surveillance techniques. They may also use phishing emails to gain access to executive email accounts. The end result is the loss of large sums of money in a clever ruse that has hit tens of thousands of companies worldwide.
Step 4: Make them aware of security awareness training benefits
It all comes down to your board understanding that cybersecurity threats exist, hurt the business, and can be prevented. Prevention is the watchword in a world where modern cyber-threats change like a chameleon to evade detection.
Once you have established the problems cybersecurity threats pose to your company, show your board how you can fight back. Security awareness training is a company-wide process that needs board-level backing for successful implementation. Give your board the tools to counter cybersecurity threats by showing that security awareness training:
- Teaches staff how to spot the tell-tale signs of phishing
- Keeps staff abreast of the security issues that hurt your industry
- Trains staff in everyday security hygiene, like how to create robust passwords
- Engages staff in a culture of security that permeates everything they do
The result is a cyber-savvy workforce that makes your organisation cyber-safe.
Step 5: Show them results
Board-level folks like results. Well, to be fair, we all do, but they need to see results to justify the expense. One of the best ways to show that their investment in security awareness training is working is to put those results in front of them. When you choose a security awareness training package, make sure you can measure the success of the program.
Create a board presentation that shows how employees have fared during the training.
- What kind of cybersecurity attacks would be successful?
- How effective are phishing messages at tricking your staff into clicking links or downloading malicious attachments?
- Can your staff apply the requirements of regulations like GDPR?
- Add metrics to show how behaviour has improved after training.
Getting your board on board with your efforts to prevent a cybersecurity attack will hopefully be a little easier if you follow our steps.
Whilst you’re at it, why not sign up for a free demo and find out how we’re already helping organisations just like yours.