The Boardroom and Cyber Security: the unspoken threat
Cyber security is among the top five global risks for every organisation, from SMEs to the largest multinationals. As debate and publicity over the consequences of breaches intensify, Boards face a choice: make cyber security an integral part of their strategy, or treat it as an inconvenience to be dealt with when it arises. This is a leadership issue, and doing nothing is not an option. Understanding the issues, taking personal responsibility and developing the right strategy will be a key differentiator for business success.
It is well known that the most exposed part of any cyber security system is the human element: over two thirds of global cyber security breaches last year were attributed mainly to human error. Awareness and training for managers and front-line staff is rightly seen as a sensible intervention. What is less often recognised is that this education needs to be led from the top; Board members need to act as role models and to embed a cyber security culture across the organisation.
There are a growing number of cases in which Board members do not personally follow cyber security best practice, even though the information they handle is often of the utmost sensitivity and importance to the company's well-being. The figures are alarming: 75% of FTSE 350 Boards have not received any cyber security training, and 25% had a poor understanding of how their organisation shares information with third parties. This may be due to a lack of awareness, a conscious decision to favour convenience over best practice or, in some cases, complacency.
The European Union's forthcoming General Data Protection Regulation underlines the stark consequences facing organisations that fail to protect the data they hold. "Strong data protection rules must be Europe's trade mark… data protection is more than ever a competitive advantage," said Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner. Under the proposals as drafted, a business that fails to comply can face a fine of up to 5% of its global turnover or €100 million, whichever is greater (the Regulation as finally adopted in 2016 set the ceiling at 4% of global turnover or €20 million, whichever is greater). The Regulation replaces the regime that the UK's Data Protection Act 1998 implements.
Aside from the threat to revenues, the wider threat to the organisation from a Board member being lax about cyber security best practice cannot be overstated. The loss of key intellectual property in particular can be extremely damaging in the long term, and it is a constant risk from insider threats, both malicious and non-malicious. Yet, incredibly, 40% of FTSE 350 Boards did not receive cyber security threat updates in 2013.
Cyber security breaches can cause massive reputational damage to a business, destroying customer confidence and the company's standing, and can even lead to bankruptcy. There is also the very real threat of personal liability for Board members who are negligent in handling information, including the possibility of prison sentences.
In summary, it is essential that Board members of all businesses are actively vigilant and accept personal responsibility for their own cyber security behaviour. This involves not only training in best practice, but also caution against unwittingly sharing sensitive information with others, and an awareness of the potential for insider threats.