Boards of directors have many areas of responsibility. Cybersecurity is perhaps one of the most nuanced and important areas of the board’s work, but not all board members are clear about why it matters to them and where they stand on it.
Cybersecurity is a board-level issue for three main reasons:
- Cyber security breaches are a serious problem for any business.
- Companies must understand the governance, regulations and compliance requirements that apply to cybersecurity.
- Everyone in the company, including every member of the board, is responsible and accountable for good cybersecurity practice.
Security breaches are serious business!
Security breaches can result in financial damage to companies, damage to brand reputation and loss of data (both personal data and business intellectual property), to name only a few examples. Unfortunately, crimes that affect hundreds of millions if not billions of people are more common than we would like. Among the most notable cybersecurity breaches you may remember are Equifax in 2017, Adobe in 2013 and Zynga (the company that produces Words with Friends) in 2019. In July 2020 we witnessed the compromise of high-profile accounts on Twitter. You don’t want your company’s name in the headlines for this reason!
Cyber Security Management, regulations and compliance
In addition to security breaches, governance in the area of cybersecurity is becoming increasingly important. Governance describes the policies and processes that determine how organizations identify, prevent and respond to cyber incidents. In many organizations there is a separation between leadership and management activities. Board members should participate in assessing security reporting requirements and the overall competence of the cybersecurity programme, its policies and its procedures. If you are a U.S. listed company, there are additional Securities and Exchange Commission requirements you should be aware of, such as a written disclosure of how the board performs its risk oversight function.
Attention should also be paid to government regulations and how they are implemented. However, simple compliance does not mean that you are secure. Over the years, Congress has regularly proposed cyber laws. Almost all U.S. states have their own laws on what constitutes a security breach and when information about it must be disclosed. It is important to understand the local, state, federal and international cybersecurity laws in the places where you do business.
Everyone is responsible and accountable
Each member of the board is responsible and may be held legally and financially liable for violations. It is not just the CISO, CSO or CIO who must ensure the right things are done. We all have a role to play in protecting the company and creating the conditions for its success.
If one person fails in this role, the consequences can be severe for the company. For example, in August 2020 Uber’s former head of security was charged over the non-disclosure of a breach dating back to 2016. He was accused of obstruction of justice and concealment of a felony for not reporting the 2016 breach to the Federal Trade Commission. This is the first direct example in the United States of an executive being charged with a criminal offense carrying a prison sentence for the way he responded to a data breach.
Assessing the Cyber Security position of your organization
How do you assess your company’s position when you discuss cybersecurity in the boardroom? Here are some tips to help you get started. This list is by no means complete, but these are items you can begin with today.
- Approach – How does your company approach cybersecurity? Your company’s approach determines how much risk it takes on and what you should do differently.
  - Passive – assumes threats will simply go away, so nothing needs to be done.
  - Reactive – responsibility for cybersecurity has been delegated to the IT department, which responds to what is happening in the company or in the media. They are always catching up.
  - Proactive – tries to avoid problems and reviews its security regularly. May consult external companies to ensure a high level of security.
  - Progressive – management is heavily involved in reviewing the company’s security posture. They regularly carry out proactive analysis because they know an attack may occur at any time, and they may also consult external companies to address vulnerabilities before they are exploited.
- Risk Management and Compliance – How much time and attention does management spend assessing cybersecurity risk management practices? Are those practices current with the requirements of their city, state and country?
  - Every company should have an effective risk management plan and follow it. It needs to collect and analyze data from multiple inputs, systems and groups in order to reduce the risk of a major attack. Part of risk management is ensuring compliance with government rules and regulations. The company must understand and be familiar with the laws that apply to it.
- Review of procedures – How often do you review your cybersecurity policies and procedures?
  - Ideally, you should review these policies and procedures at least twice a year, as well as whenever there are significant changes within the company (for example, key employees joining or leaving, mergers and acquisitions, reorganizations, the need for new policies, and so on).
- Security hygiene – Does the company maintain good security hygiene?
  - Your organization must keep up to date with the latest patches and updates for all hardware and software systems, and make use of the latest features of its security software.
  - Your company should be able to find the signal in the noise with its current security solutions, and should not have too many disparate products that are not fully utilized.
  - The company also needs to back up important data regularly and decommission old servers and virtual machines that are no longer in use.
  - The company’s suppliers and vendors must comply with all rules and regulations necessary to ensure that the company’s confidential information is adequately protected.
- Hire an expert – Has the company engaged reputable third parties to carry out a risk analysis or to test whether business systems can be broken into?
  - There are third-party companies that conduct penetration tests to determine how easy it is for an attacker to get into your business. These companies can tell you what is visible publicly, for example whether you have exposed IP addresses, and review your company’s data to identify risks. If a third party was engaged, what were the findings, and were changes made promptly to address the weaknesses?
- Response Procedure – What is the company’s protocol for responding to breaches?
  - Organizations must have an incident response team and a detailed list of actions to be taken by its members when a vulnerability or incident is identified.
- Training – How often do you train your employees on best practices and run simulations of what to do if a cyber incident occurs?
  - Companies perform fire drills so that responding to a fire becomes muscle memory. The same applies to cyber incidents. Ongoing training of employees at all levels on how to protect the company from harm and cyber attacks, and on what to do if something happens, is very important. You can never be too prepared.
Cybersecurity is a very important topic in the boardroom and should not be taken lightly, but it should not overwhelm the agenda either. Use these tips to find the right approach for your business. If you do not have a cybersecurity expert on the board, there are experts who can advise you.