With the steadily increasing deployment of new technologies across the enterprise, the number of cyber threats facing organisations has been rising. Yet despite headline-grabbing evidence of the consequences of lax cyber security, it is still not being prioritised in the boardroom. This lack of attention and understanding will only make Board members a more vulnerable target for cyber criminals to exploit. Instead of simply adding cyber security to business strategies at the last minute, more needs to be done to raise awareness of best practice for a successful cyber security strategy. At the same time, education on cyber risk must be made compulsory for all levels of staff, including Board members.
Perfect prey for cyber hackers
Historically, cyber criminals launched their attacks at weak spots in the company’s IT infrastructure. Then they moved on to targeting employees, often stealing credentials to sell on the dark web, or alternatively using the information to further compromise the business. Now, the focus has shifted to the big fish in the pond. Senior executives and Board members have become prime targets as they both hold and have access to sensitive and valuable company information including board meeting minutes, business deals, budgets, and legal documents.
Once they’ve gained access, cyber hackers can then also exploit their target’s contact database; often Board members will have a network of similarly influential and valuable contacts. Those working in the finance and legal sectors may be of particular worth to cyber criminals thanks to their regular work with high net worth clients and companies.
If any of the Board members lack training, they can be exploited by common cyber attacks such as phishing or malware. Cyber criminals are also employing more and more sophisticated tactics, making it harder for executives to distinguish between genuine business communications and spear phishing attacks designed to gain personal details.
Cyber security should address both weak spots in the company’s infrastructure and weak spots in cyber awareness amongst employees, as both are vulnerable to attack if not addressed. Too often, shoring up a company’s cyber security capabilities falls down the list of priorities, but more must be done to help businesses invest in secure IT infrastructure. While more companies are now beginning to award cyber security the funding and attention it needs to function properly, change starts from the top down. The first step in enacting this is helping Boards understand the risks facing their business and the potential consequences were they to suffer a cyber attack.
Conducting a cyber risk maturity assessment should be the first step. It will allow businesses to see where they may be vulnerable to both adversarial and accidental threats, from poor employee cyber practices to insecure IT systems. This will allow companies to create a bespoke strategy for bolstering cyber security and mitigating any threats. With a company-wide assessment, the relevant IT professional within the business, whether that be a CSO or CISO, will be able to help the Board understand why investment is needed now to address current risks. It will also enable them to start building up the cyber security capabilities needed to protect the organisation in the long term.
Too often, companies focus solely on strengthening their infrastructure and gloss over the risks posed by unaware and untrained employees, including the Board. It’s vital that members of the Board can understand the complexity and nature of cyber threats, and all employees must be able to recognise common cyber attacks. This can only be ensured through compulsory training for all members of staff, from junior employees to the CEO and fellow executives.
Introducing a preventative approach amongst employees will help create a layer of defence for a business. Employees have great insight into the business and how it operates, so with cyber attacks evolving constantly, training must be implemented regularly so that employees can mitigate common attacks such as ransomware, spoofing or phishing.
Cyber criminals are getting smarter and attacks are becoming increasingly complex. If businesses want to stay competitive in their market, they must make sure to invest time, attention and funding in developing their cyber security. Just one threat or data breach could derail a company’s operations, impact customer loyalty or affect their reputation in the market. The more that Board members understand the risks to themselves and their company, the more willing they will be to prioritise cyber security at the top level.