Why boards must give cybersecurity the attention it deserves

Business needs are constantly changing – what was a priority last year might not be this year, as C-level executives adapt the company’s direction to drive performance.

One element, however, that should be a major focus in today’s digital world is cybersecurity. This is an area that can often be overlooked due to a lack of understanding of the risks that businesses are facing.

In 2021, UK businesses spent almost £1 billion on cybersecurity. However, with cyberattacks costing UK businesses around £34 billion every year, it’s clear there’s a long way to go to even this out. More investment – both in time and money – needs to be made in cybersecurity to keep businesses secure, and this decision can only be made in the boardroom.

Counting the cost

Even with all of the cyber attacks that we’ve seen in recent years, many C-suites still think of attacks as a ‘what if’ scenario – one that impacts other companies but not theirs. Unfortunately this just isn’t the case anymore and senior teams that don’t take cyber risks seriously will find it challenging to combat them effectively.

Cyber attacks are not only more frequent than many businesses realise, but they are also increasingly costly. The latest Verizon Data Breach Investigations Report found that a cyber attack today can cost on average $1.2 million in damages – and this doesn’t take into account the reputational damages that are typically suffered. So why aren’t these risks being talked about in the boardroom?

Taking further action is critical

Cybersecurity is – or rather, should be – a major concern for all businesses. A recent report from the World Economic Forum revealed ‘cybersecurity failure’ was among the top risks currently facing businesses, but despite this, many continue to suffer the consequences of cyberattacks through a lack of proactive action.

The reasons behind this will vary between businesses; however, for most it boils down to two overall issues: lack of investment, and the C-suite believing that cybersecurity comes under the domain of IT and therefore is not something to be considered in the boardroom. Furthermore, cybersecurity typically doesn’t produce an obvious ROI. It’s nearly impossible to calculate how much money has been saved by successfully preventing attacks – since they didn’t happen in the first place – so senior leaders don’t always view it as the priority it needs to be.

Prevention is better than a cure

To ensure that businesses can continue to operate despite today’s threat landscape, it’s vital that they study their internal vulnerabilities to assess where their weaknesses lie. Leaders can thereby work with their security teams to establish a cybersecurity strategy that helps the company to protect itself before any attacks strike. Putting these measures in place early rather than waiting for an attack to occur is the smartest option – on average companies suffer a 1.1% drop in value and a 3.2% drop in annual sales growth after a cyberattack, so it’s not something to take lightly.

However, senior leadership teams shouldn’t think that disaster is an absolute certainty. While cyberattacks are extremely likely, businesses can mitigate the damage they cause by considering the risk in advance, as they would with any other business risk.

Members of the C-suite need to communicate with their security teams regularly to keep up to date on the latest cyberthreats in the industry, and to discuss what the best course of action is to help prevent them. Ideally, boards should appoint a chief information security officer to coordinate these conversations and ensure that the company invests in the right solutions and training that will eventually be reflected in the bottom line.

Steps to a safer future

With the number of cyber threats rising every day – in 2021, the number of cyberattacks and data breaches on average increased by 15.1% compared to 2020 – having appropriate cybersecurity approaches in place is crucial. The World Economic Forum issued six guiding principles to support boards in understanding the cyber risks they face today, and what action they can take:

1. Promote cybersecurity as a strategic business enabler

2. Understand the underlying economic drivers and impacts

3. Align cyber risk management with business needs

4. Ensure organisational design supports cybersecurity objectives

5. Incorporate cybersecurity expertise into board governance

6. Encourage systemic resilience and collaboration

These guidelines don’t require C-level executives to become experts in cybersecurity – in contrast, they encourage the leadership team to work closely with their IT team to devise a comprehensive cybersecurity strategy. And while ROI for cybersecurity can be tricky to see, businesses that implement effective measures will without doubt find their investment very valuable as we continue to see the threat landscape evolve.

About the Author

Paul Farrington is CPO at Glasswall. File-based threats are increasing faster than ever. With global trends like hybrid-remote working, the threat landscape is becoming more sophisticated and complex. Reactive detection-based security solutions can’t keep up. Approximately 1 in every 100,00 files contain malicious content with 97% unknown to antivirus solutions by the time it’s been Glasswalled. Antivirus puts you at risk for up to 18 days or more with every new threat. Meanwhile, sandboxing exposes you to risk from advanced malware and disrupts business productivity. And complex security solutions add stress to busy security teams.

Featured image: ©TippaPatt