Top management, even in some large organisations, is frequently weak or even uninterested in cyber security. Why is this?
Cyber security is very much a consideration for top management. It seems that new threats such as viruses without signatures arrive almost daily. New regulations such as the GDPR (and the eye-watering fines of up to 4% of global turnover that will go along with it) make the world an increasingly complex place to operate. And an ever-increasing dependency on data and digital technology increases the “attack surface” of all organisations. This all means that cyber security is becoming ever more significant.
So why are senior managers in so many organisations seemingly dismissive of their responsibilities in this area?
It stems in part from a fear of technology. Experienced business leaders, comfortable with strategic and financial decision making, often feel exposed when it comes to issues of technology. Cyber security is no exception. How can I oversee this area, they think, when I don’t know the right questions to ask, let alone what the answers might mean and how I should react to them?
And partly it is a conviction, commonly held, that cyber security is a technical problem, the province of IT departments or security professionals. It isn’t important enough for the Board. Someone just needs to buy the right equipment. And if they don’t, they’ll get fired.
That’s no longer good enough (if it ever was)! Keeping cyber secure is important. The odd breach isn’t just a “cost of doing business”. It’s a strategic issue. Yes, there are the eye-watering fines. But there is also the effect that a major breach can have on share price, on customer churn, and on the ability of an organisation to recruit the best talent. (In other words, on the personal reputations of those Board members who have allowed the breach to happen.)
It’s not just the personal data of customers and employees that can leak. It’s also strategic information that can find its way into the public arena, or the hands of competitors. Plans for mergers and acquisitions, new product design blueprints, plans for entering new markets: all of these have been leaked in the past, and have weakened the relevant organisation’s competitive position.
And there is an issue of integrity. Lost personal data can ruin lives. Remember the Ashley Madison breach? Several people killed themselves when that happened. But even an “ordinary” leak, such as the loss of customer data by the likes of TalkTalk or JP Morgan, can have untold consequences for consumers who find themselves tricked by sophisticated criminals. It’s not good enough for companies that have been breached to say “We have no legal responsibility towards anyone who has been duped because we are not directly responsible for the financial loss.” They are, if not legally then certainly morally.
So what to do? Well, knowledge is a good start. Which is why a new book on cyber security from Palo Alto Networks, Navigating the Digital Age, is definitely worth a look. It is aimed at senior managers and delivers a concise and practical description of the main issues company directors need to grapple with. You can read our review of it here.