CHALLENGES AND TRENDS FOR BOARDS OF DIRECTORS
Not very far back in time, the boards of directors in companies all over the world seldom involved themselves with issues pertaining to cyber security. The prevailing notion was that cyber security is a purely technological issue, to be overseen only by IT professionals or CS specialists. For various reasons, things have somersaulted into a new and drastically altered situation: CISOs today attend board meetings all the time, and their presence is considered indispensable for business operations and growth.
Challenges for the Leadership
This is the age of new ideas. That is why there is constant change in the technologies defining the physical and digital boundaries of businesses everywhere. This change forces cyber security specialists to devise newer methodologies and more sophisticated approaches for preventing and detecting cyber-attacks. But these measures still fall short of a comprehensive plan to protect businesses from external and unwanted intervention. There is a simple reason: cyber-attacks are of varying types, and there cannot be a single solution for all of them. Had that been the case, no one would need a dedicated security department.
This state of affairs requires that CEOs and the top leaders of businesses put their heads together and devise a strategy for swift response and resilience. Cyber security risk is rising with each passing day, and top leaders, who wield the power of decision making, can prioritize security and safety for the smooth running of the business. Risk management is no longer a concern only for IT professionals or cyber security specialists; it is an enterprise-wide issue, and everyone should have a plan for it.
In general, people have an aversion to change, because change demands altering behavior, which is difficult to achieve and requires a considerable amount of effort. And when the change is rapid, adapting to it is even more arduous. In this digital era, change is fast and furious. The boards of directors have to realize that ‘nothing is permanent except change.’
To make things even worse, cyber attackers all over the world are working overtime because the stakes are high and the prospects of gaining enormous, though illicit, sums are huge. That is why they too are investing their time and resources to increase their level of sophistication. Increasingly, they change their modes of operation frequently, allowing them to enter systems undetected.
On top of these challenges is the onset of the COVID-19 pandemic, which has totally reshaped our ways of conducting day-to-day business. As the virus intimidates people with its lethal power, social distancing has become the order of the day. Remote working has not only become common, it is the norm, and managers encourage employees to work remotely.
As a result, employees opt for a variety of apps to communicate with colleagues and clients. Boards of directors also resort to such communication tools to conduct their regular and occasional meetings. Zoom, an online meetings platform, has recorded a steep rise—over 20 times—in its use worldwide. In the pre-COVID days, the platform recorded somewhere near 10 million active users. After the pandemic, this figure jumped to a whopping 20 million.
Obviously, such platforms are not used merely for audio communication. File sharing and document transfers are also very much the goal. It is easy to see that when people spend more time online, the probability of attacks increases manifold. Consequently, the boards of directors have an added responsibility to monitor these communications and make sure that they follow strict guidelines of safety and security.
Trends for the Planners
In recent years cyber security has assumed unprecedented importance. But the boards of directors are not fully prepared to formulate policies and guidelines that will keep their business safe from all types of risk. The tough task is to predict and identify future risks, because the hackers at the other end are constantly changing their modes of attack.
For safe and secure business operations, the boards will have to work on some areas based on upcoming cyber threats and the corresponding regulatory principles. Only by adopting these pragmatic approaches can the boards offer a risk-free environment for their employees.
Revisit Business Plans.
A few years back, a renowned internet infrastructure provider suffered a hostile attack which blocked the services it offered to a number of clients. As a result, several large websites, the majority of them e-commerce sites, went offline. The hackers targeted insecure devices such as cameras, webcams and other digital devices that had been infected with malware. This marked the beginning of a wave of attacks on small internet-connected devices, because this strategy was found to be extremely effective in perpetrating denial-of-service attacks. And hackers discovered a new and more potent weapon to commit crimes of a heinous nature.
Working on the same lines, ransomware attacks also get hold of data by planting malware that encrypts it. The targeted organization’s data remains in the custody of the attackers until a hefty amount is paid in bitcoin. Ransom payments crossed the 1 billion mark five years ago. Today the figure may have risen manifold. The prospects of generating huge amounts of money are so great that ransomware shows no signs of abating. The hackers are equipping themselves with more sophisticated methods of attack. What is worse, they have moved on to targeting businesses. Unlike attackers who steal and block information, ransomware attackers look for sensitive and clandestine data and threaten to release it on the web if their demands are not met. Many of these attackers sometimes aim for internet-connected technologies and infrastructure in a similar fashion.
Compared with earlier attacks, when hackers limited themselves to breaches of customer data or theft of sensitive information, cyber attacks are now more vicious and pack a lot of destructive power. Evidently, boards need to have a robust defensive strategy in the face of such tactics. In certain cases, employees and customers are also in danger in the event of an attack. This added dimension has remained unexplored till now, but the boards of directors need to take serious note of it and formulate an effective plan.
Almost all organizations have a well-defined business continuity plan. What they lack, however, is a mechanism to test whether that plan would work in the event of a breach. To remove this shortcoming, the board of directors can hire the services of a cyber-security company, or assign the task to their own IT department, to conduct mock exercises that check the level of preparedness. This attempt is a sure sign, across the entire setup, that the board members are genuinely interested in investing their resources to make the organization a safe and secure place to work.
Evaluate Cyber Risk.
It has been the practice all around the world that organizations rarely disclose the breaches they experience. The common logic was that these attacks hardly had any effect on the stock price. But now regulations are underway to enforce reporting and disclosure of cyber-attacks. The Securities and Exchange Commission has noticed that every year only a few dozen organizations disclose data breaches when, in fact, thousands of attacks are launched worldwide.
Disclosures help in formulating a nationwide—or worldwide—policy to combat organized crime. If organizations do not report such crimes, workable solutions cannot be found and defenses against such attacks will remain ineffective.
The board of directors must make sure that if any breach occurs, it is promptly brought to the attention of the authorities. This facilitates investigation and the eventual apprehension of the criminals. The board members can and should devise a mechanism to report and disclose breaches the instant they occur. Only such a vigilant attitude can put an end to cyber crimes.
Reassess Governance.
The past years have seen enhanced interest among governing bodies and regulatory authorities in cyber security and data privacy.
In order to streamline the security and safety aspect across organizations, strict requirements are being suggested instead of the flexible rules that were followed earlier. Organizations that collect personal information are now bound to a minimum level of information security. Similarly, banks, insurance companies and other service providers are now required to follow security measures, staffing regulations and annual compliance reporting. Certain governing bodies are now prioritizing and enforcing enhanced cyber-security standards for a variety of organizations.
China has also taken the lead in enforcing cyber-security laws. Network operators and critical information infrastructure operators, including the energy, transportation, finance, utilities and e-commerce sectors, are now bound by regulations relating to the safety of personal information and the notification of breaches.
With these emerging changes all around the world, the time is ripe for the boards of directors to revisit, reevaluate and reassess their cyber-security policy.
By adopting a robust stance against breaches, a safer and more secure work environment will be ensured. And this translates into growth and profitability.