In the wake of today’s cyber security landscape, Boards must become fluent in the language of cyber security to improve the way they prevent and respond to threats. This is according to Phil Bindley, CTO of The Bunker, who argues that the C-Suite and Non-Executive directors need to look at everything within their organisation through a lens of data security, as ultimately they are accountable.
A recent report from Lloyd’s, on what European businesses are doing to tackle cyber security, highlights the severity of data breaches with 92 per cent of the senior business decision-makers questioned stating that they have suffered a security breach in the past five years. Despite this large number, only 42 per cent were worried about becoming subject to another breach in the future, highlighting a complacency towards good security hygiene within organisations.
The Companies Act 2006 states that directors have a legal responsibility to act within their powers and promote the success of their companies, and to exercise independent judgement, reasonable care, skills and diligence. As a result, it’s critical that Board members and Non-Executive directors have a complete understanding of their data protection strategies, the cyber risks posed and are able to demonstrate that they have taken the appropriate measures to protect their company from an attack.
Phil Bindley, CTO at the Bunker, commented: “The regularity and severity of breaches should act as a stark wake-up call to the C-Suite and their Boards. It is no longer acceptable for the Board to be ignorant; stating a lack of understanding of technology and cyber security is far from an acceptable excuse. This raises the question of when does ignorance become negligence? All too often the buck falls on IT teams to be solely responsible for cyber security. However, it’s vital for Non-Executive directors to have a firm grasp on the security hygiene of their company and the potential risks posed.
“Although, board members may find comfort in the fact third party IT suppliers are compliant with standards such as ISO 27001 and PCI DSS, it’s important for this not to be taken at face value. Organisations must do their due diligence when selecting a supplier to ensure that they assess and reassess these standards on a regular basis. Fundamentally, businesses need to look at everything through a lens of data security and the Board is no exception to this rule. This approach will enable organisations to become more competitive, manage risk, protect the brand, all whilst innovating in a controlled manner.
“There are clearly defined steps that organisations can take to combat the increasingly advanced tactics of hackers and cyber criminals. It’s not about building a bigger firewall, it’s about a shift in attitude towards cybersecurity. It’s essential to have the right people processes, technology and most importantly culture in place to protect the business. This culture starts in the boardroom. Only then can organisations achieve a best practice approach to IT.
“With the deadline for compliance with the GDPR swiftly approaching it’s vital that Board members, irrespective of their industry, take security, compliance and good governance more seriously. A failure to appropriately manage cyber security risks can result in disaster and can lead to serious legal implications,” concludes Bindley.
