With so much digital information passing in and out of businesses at all times, cybersecurity should be at the forefront of our thoughts. Cybercrime can cause financial losses, disruption and reputational damages to organisations, and that is why it is imperative that your information security report to the board of directors is as thorough as it can be.
Cybercrime can manifest in many ways. It could be through stolen equipment, weak passwords, blackmail, email phishing or any other way that criminals can gain access to a company’s digital systems. Reports say that more than 90% of cybersecurity breaches begin with an email, and scammers send out 3.1 billion domain spoofing emails every single day. This was the kind of activity that led to Belgian bank Crelan losing €70 million in 2016.
Although the bank did not reveal full details, many experts believe someone in the organisation was the victim of CEO fraud. This is where a C-Suite executive, finance officer or another individual with authorisation powers receives an email that looks as if it comes from the CEO or a partner organisation requesting the transfer of funds. In reality, it comes from a sophisticated cybercriminal.
This underlines the importance of everyone within an organisation being alert and trained to spot false information that could lead to cybercrime occurring. This article explores the board’s role in information security and how you should structure your report to the advisory board of the business.
The board’s role in overseeing cyber security
A board should seek to protect shareholder value, and one aspect of that is protecting the company from cybercrime. In the US, Ocean Tomo found that:
- In 1975, 17% of the market value of S&P 500 firms was tied to intangible assets
- In 2020, that had grown to 90%.
One of the reasons for this is the rise in digital assets, which are prime targets for cybercriminals. This means that a company can lose a large amount of value in any given attack. The board must therefore keep a close watch on the systems in place for preventing digital crime.
Deloitte analysed the changing role of the board in terms of cybersecurity following the coronavirus pandemic. During a time when more people were working from home than ever and connecting to companies’ systems remotely, often using personal devices, cyberattacks became an enterprise-wide risk management issue. The Deloitte report suggests that cybersecurity is now the second most important aspect of the board’s role, following strategic planning. It states:
“Simply ‘being aware’ of cyber risks is not enough for the board in this ‘new normal’, which is why they need to understand the criticality of each breach and the steps being taken to mitigate it.”
The 5 cyber security risks to report to your board
1. Weak passwords
It is important that there is a company policy on passwords, as they provide the most basic level of security for everyone from the board to the intern.
In fact, 82% of data breaches worldwide leveraged weak or stolen passwords, showing how instilling an enterprise-wide minimum requirement for password security could mitigate a large proportion of the company’s cybersecurity risk.
The use of weak passwords, or reusing passwords that have been subject to a previous breach, is an open door to your company’s IT systems that criminals can exploit.
Your information security report to the board should highlight this issue if you do not already have a policy in place. You should then recommend what the policy should entail. For example, users should all choose a password that they have not used anywhere else. It should also set requirements for the strength of the password, requiring a mixture of upper and lower case letters, numbers and symbols.
You should illustrate how easy it is for hackers to uncover common or obvious phrases within passwords. For example, you can cite recent statistics, such as this study that showed 23.2 million victim accounts worldwide used 123456 as a password. You can also convey your message through relevant resources, such as this website that enables anyone to check if they have been the victim of a data breach.
In this vein, here are some examples of weak and strong passwords (the original article showed each example password alongside its rating):
- Weak. The strength of this password is only 22 bits. If the user is a fan of Real Madrid, this is information that a scammer could easily find out, using this knowledge to guess the password.
- Better, but still not secure (46 bits). The use of numbers and capital letters makes it more difficult to guess, but a scammer could still use the information about the user and play around with capitals and numbers to guess the password.
- Strong (103 bits). This would be impossible for a hacker to guess. In fact, some experts suggest it could take more than 200 years to crack a strong password, especially one that uses symbols such as €, which does not appear on a standard QWERTY keyboard. The downside is that humans usually don’t remember such passwords.
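As an added illustration of the password policy described above (not code from the original article), the following Python checks a candidate password against the policy's requirements and estimates its strength in bits with the simple pool-size method; the breached-password list, the 60-bit threshold and the extra pool allowance for non-ASCII symbols are constructed assumptions, and the article's own bit figures may come from a different estimator.

```python
import hashlib
import math
import string

# Constructed sample: SHA-1 hashes standing in for a corpus of passwords
# exposed in earlier breaches (the real corpus would be far larger).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("123456", "password", "realmadrid2016")
}

def entropy_bits(password: str) -> float:
    """Estimate strength as log2(pool_size ** length), where the pool is the
    union of character classes present. This pool-size method overstates the
    strength of dictionary words and names, so it is a lower bar, not a proof."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    if any(ord(c) > 127 for c in password):   # e.g. '€', outside ASCII
        pool += 100                           # assumed allowance for non-ASCII symbols
    return len(password) * math.log2(pool) if pool else 0.0

def check_policy(password: str, min_bits: float = 60.0) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    has_all_classes = all((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation or ord(c) > 127 for c in password),
    ))
    if not has_all_classes:
        problems.append("must mix upper and lower case letters, numbers and symbols")
    # Reuse check: reject anything already seen in a breach, as the policy requires.
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in a known breach; choose a password not used elsewhere")
    bits = entropy_bits(password)
    if bits < min_bits:
        problems.append(f"estimated strength {bits:.0f} bits is below the {min_bits:.0f}-bit minimum")
    return problems

if __name__ == "__main__":
    for candidate in ("123456", "realmadrid2016", "Tr0ub4dor&3xample!Z"):
        print(candidate, entropy_bits(candidate), check_policy(candidate))
```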
2. Use of two-factor authentication
Two-factor authentication (2FA) is an ideal way to mitigate some of the risks from weak passwords. Essentially, in addition to entering a password, you use another method that is unique to you to prove that you are who you say you are.
This makes it more difficult for criminals to hack into accounts, and you should report to the board on how many employees currently utilise 2FA, with recommendations for extending its use across the company as an effective tool against cybercrime.
Here are some examples of the three different types of two-factor authentication:

| Factor | Example |
| --- | --- |
| Knowledge – something only you know | A personal identification number (PIN) or the answer to a ‘secret’ question, such as the name of your first pet or the town in which you were born. |
| Possession – something only you have | A credit card or mobile phone on which you can receive a one-time passcode (OTP) via SMS to prove account ownership. |
| Inherence – something only you are | A fingerprint scan or a facial recognition scan. |
3. Lack of reporting
What the company doesn’t know, it cannot resolve. This is true of many aspects of business life, but especially cybersecurity. In order to remain secure, the IT department relies on reports from users about any breaches or potential breaches of security. If employees are not reporting incidents, this is a risk factor that you should feature in your board report.
The company needs strong reporting channels in place to provide employees with an easy route to escalate issues, as well as training to let them know what to look out for and the reasons why reporting is so important.
The organisation should have a reporting channel, such as a telephone line or email address, where employees can report potential breaches or risks such as:
- Receiving suspicious emails.
- Clicking on a suspicious link or downloading a suspicious attachment from an email.
- The loss of any device that links directly to the company’s IT framework. For example, work laptops, tablets, phones, external hard drives, USB drives or any personal device they use to connect with the business. This could be through theft or merely misplacing the item.
- Being asked or pressured into providing information on or access to the company’s IT systems.
4. Service disruption
The board must understand the risks associated with cybersecurity and how criminal activity will affect the organisation. One of the factors they need to understand is the level of service disruption and how it affects the organisation. This will help them determine whether it fits inside or outside their risk appetite.
A distributed denial of service (DDoS) attack, where the criminal floods a company’s servers so that real users can’t access the information within, can cost a company around €21,500 for every minute that it lasts. The perpetrator might use this opportunity to extort the affected company, demanding payment to call off the attack, or it could be an act of sabotage or simply a random action to cause chaos.
Recently, Lithuanian energy company Ignitis Group was hit by multiple DDoS attacks, which disrupted its digital services and websites. Thankfully, the Russian-based attacker was unable to breach the company’s secure data.
Service disruptions can happen internally or externally and should be included in your reports to the board.
5. Reputation damage
Grant Thornton found that boards expected reputational damage to be the most likely outcome of a cyberattack. This should form a key part of your information security report to show the risk level involved within your organisation.
Any business that suffers a preventable attack and is seen to have been lacking in its preparations can find customers publicly calling it out. Social media is an easy route for customers to vent their frustrations and spread word of the organisation’s failings.
It is easy to lose the trust of the public, and that can damage a company for decades to come. Communications firm TalkTalk admitted in 2015 that hackers had accessed the personal details of over 150,000 customers, leading to the company losing around 100,000 customers and more than half of its value.
How can boards minimise the risk of a cyberattack?
Corporate boards should lead the way with good practice in preventing cyberattacks on their networks. That means using a risk assessment to create policies, training staff on using 2FA and strong passwords, providing reporting channels for suspicious activity, and taking steps to prevent attacks and the fallout they leave.
Using software that meets strong security requirements in all aspects of the business will help prevent attacks. For boards, this means looking for a board portal with rigorous procedures in place to keep users and the organisation safe.
iBabs allows directors to collaborate in the cloud before and during meetings, keeping them up to date with the latest versions of important board papers. It also provides robust security, including 2FA for logging on, an auto-lock capability to shut down compromised accounts, the option to purge confidential documents from lost or stolen devices and much more. It also uses the same AES 256-bit encryption trusted by national banks when storing your data on our servers or end-user devices.
How do you talk to the board about cyber security?
Boards need to know the risks involved in any activity in order to make their judgements over solutions. Try to put a numeric value on the risk of any particular aspect in order to speak to the board in the language they appreciate.
What is the difference between information security and privacy?
Data privacy is the act of keeping people’s personal information private and secure within your systems. Information security involves preventing anyone unauthorised from accessing that data.
What is information security governance?
Information security governance is the aspect of the board-level work relating to assessing risks and monitoring processes for protecting the company’s digital assets.
When making your information security report to the board of directors, you should consider the financial and reputational damage a cyberattack could do to the organisation, but also the ways to mitigate those risks. You should assess the current state of information security and then offer practical ways in which to tighten it up and make it more robust.
Using a board portal like iBabs for board meetings, where the whole lifecycle of a meeting is contained within one secure platform, helps you mitigate all security risks you may face. The platform offers multiple features for peace of mind whilst providing a powerful option for streamlining your meeting processes. Request a free demo for your organisation.