“A $2 million punch. The average cybersecurity incident at a small- or medium-sized company leads to $2 million of business interruption losses, according to the most recent Ponemon Institute. Yet only 30% of the companies surveyed believe they are adequately prepared for the evolving nature of cyber threats.”
That’s a quote from a white paper written a few months ago by the Private Directors Association’s Cybersecurity Committee. It reminds me of the old fable about the ostrich that buries its head in the sand to hide from the threats it’s afraid of. While that fable was disproven long ago, this version proves itself true on a regular basis. Companies have read – and correctly so, by the way – that it’s impossible to protect themselves from all cyber threats, because the bad guys are better at getting in and avoiding getting caught than the good guys are at stopping or catching them. The short-sighted rationale seems to be: we can’t be foolproof, so why do anything beyond the basics? And the answer is: because the bad guys will go after the easiest marks first, those with the least protection, so the more protection you have, the lower the odds you’ll be tapping your insurance company for help to save your company.
So this is not just a problem for the big guys. And for those companies wise enough to have a Board of Directors in place, here are some foundational guidelines for directors to follow in fulfilling their duty of care for the company they serve when it comes to cyber governance, compliments of PDA, and rephrased to avoid some of the stuffy phrasing:
- Define the most critical assets and functions that are so critical to the company’s success that they rise to the importance of Board governance oversight.
- If there are relevant Board committees in place, clearly state in committee charters their role, including knowledge sharing, cross-committee membership, and update frequency.
- Have access to someone with the specific expertise to advise the Board, either on the Board or relevant committee, or available as a consultant, to effectively evaluate the risks.
- That person should report regularly and directly to the CEO and/or the Board, rather than to a senior leader in the IT department.
- The assets most often cited as the most critical to protect are intellectual property, the reputation of the family or company name, the ability to operate, and uninsurable financial losses.
- Be ruthless in protecting those assets considered most valuable. Set the policy and be unwavering in enforcing it.
- You are not protected by outside regulations or compliance requirements. Those are minimum protections that are constantly being overwhelmed by creative hackers.
- Do not let routine business decisions create detrimental consequences for cybersecurity; that includes those of employees, vendors, and business partners. This IS business.
- Have a clear incident response plan. Who should be notified? How frequently should the plan be revisited? Has the plan been tabletop-tested? Is management prepared for the alternative options they may face?
- Even if your company is small, that does not necessarily mean your cyber risk is small. You need outside assistance to identify the risks that are most critical to your company.
We are NOT experts when it comes to cybersecurity. We ARE experts in knowing when to ask for help. We do know WHO to go to when that help is needed. How do we know that?
We are Your CFO for Rent.