Raising the profile of cyber security with the Board
In recognition of National Cyber Security Awareness Month, organised by the National Cyber Security Alliance, this is the second in our blog series in October on cyber security in the workplace.
Cyber security is part of our daily lives. The first thing to point out is that cyber security isn’t just a job for the tech professionals; it’s a job for everyone, and this month gives us a chance to shine a spotlight on the importance of the topic.
Cyber security affects every single one of us who owns an electronic device, such as a smartphone, PC, iPad or smart TV. It is more commonly thought of in the workplace simply due to the number of these devices in operation.
For more information on how to ensure your workforce are cyber security aware, read our previous blog here.
However, in this post, we’ll take a particular look at how to raise the profile of cyber security with your Board of Directors, ensuring you gain their buy-in for investment in order to protect the needs of your organisation.
Latest cyber security statistics show that in 2016, cyber crimes in the UK accounted for almost half of all crimes committed.
Cyber crime has cost the economy in excess of £30 billion, and almost half of all UK firms have now been hit by a cyber attack and suffered expensive damages, from which some never recover.
It’s statistics like these that you will need to put in front of your Board - how much would you be prepared to spend (or lose) to keep your business running? Once you have that number, you’re starting to understand what your cyber security budget should be.
Many smaller businesses believe they are not a target for cyber criminals, as they see larger corporations with seemingly more valuable data and more lucrative bank accounts as a greater target.
However, research would suggest that this is not the case, and no matter what the size of your business is, you are a target. A lot of cyber attacks are not even specifically targeted at the company or brand, but simply at a vulnerability that allowed a bot to get into your network.
Cyber attacks are not always about who you are, but about how well you protect yourself. Alarmingly, 60% of small businesses that have suffered from a cyber attack have gone out of business within only six months of suffering the attack.
This is a grave figure and highlights the extreme impact a cyber attack can have on an organisation’s operations. Smaller businesses tend to be more at risk of going out of business as they simply don’t have the financial support to recover after an attack, but this is still a valuable lesson for larger enterprises.
Why should the Board pay attention?
There are a number of detrimental effects that a cyber attack can have on an organisation, which we’ve broken down for you in the graphic below. These are split into short- to long-term costs that can impact an organisation.
Using this chart, you’re able to pick out the risks that would be most detrimental to your organisation. Your Board may not be cyber-savvy, but which of these risks would get them thinking that way?
Would your Sales Director be concerned about loss of customers? Would your Marketing Director be concerned about reputational damage? Would your Finance Director be concerned over loss of earnings?
Recognising the emotive pain points for each Director that will make them want to invest their time in understanding the threat further is the first hurdle when gaining buy-in from your Board.
A business needs to evaluate not only the level of risk, but also the perceived cost of the risk to the business. It all comes down to how much you would be prepared to pay to keep your business running.
There’s not a week that goes by without a cyber attack hitting the headlines, and these reports are damaging for those organisations. The most important thing here for your Board to be aware of is that the blame doesn’t fall on the workforce, or the IT department, or the one individual who made a mistake; the blame falls to the Board.
The Board members are the ones held accountable when something goes wrong, and if they don’t have an accurate cyber security strategy in place, it’s time they start preparing their comments for the press.
With this in mind, we’ve summarised below the key points you need to make when raising the profile of cyber security with the Board.
- Consider the risks: The risks are usually much broader than you would first consider, and will impact every department. Perhaps each department could contribute some of their own budget into protecting against their perceived cyber security threats, to create a budget that will actually help to protect your organisation.
- What are the costs: How much will it cost you to keep your business running if you suffer an attack? Have you considered all of the costs in the graphic above? Once you take all of this into account, the number quickly starts rising.
- Who is to blame: The Board will instantly be in the spotlight and held accountable if your organisation suffers an attack. Cyber security solutions should be seen as an insurance measure, protecting you in your time of need.
It is also worth pointing out to your Board that they themselves can be the target of an attack. CEO Fraud has been on the rise, with £32 million reported as lost as a result of this type of cyber attack.
CEO fraud involves a cyber criminal sending an email to an employee in a company’s finance department. Posing as the CEO or another company director, the email demands money to be quickly transferred to a certain bank account for a specific reason.
The employee will do as their boss has instructed, only to find that they have sent money to a fraudster’s bank account. Attacks like this are common, and the only way to avoid them is for the Board to lead by example with a strong cyber security culture.
When your Board create an atmosphere that challenges suspicious activity and rewards good cyber citizenship, the company will follow.
Only by the Board leading from the top down will an organisation truly be in a position to protect itself from cyber threats, as they will understand the importance of the situation and invest both financially and operationally.
Finally, it is worth noting that when approaching any discussion like this, you need to have done your research and go in with facts. Gain the support of your peers in other departments and understand a true view of the threat across the organisation.
Use the stats and graphics in this blog to help support your argument, showing the scale of the problem and highlighting ways to overcome it. Each organisation is different in its response: some may invest in more solutions such as firewalls and threat detection, others may focus on culture.
The best action you could take is to invest in them all, and make sure this is led by your Board.
If you’d like any further information on this topic, or you’d like to discuss improving your cyber security solutions with Smoothwall, contact us today.