Blog : BOARD TALK
Posted on May 17, 2017 at 1:30 PM
It is extraordinary how UK boardrooms repeatedly manage to pass off cybersecurity as some sort of natural disaster that is outside their remit of accountability.
A timely message lands from Brussels making just this point - repeatedly explored by me in posts on Forbes - but in a different way.
The WannaCry ransomware attack of 12 May 2017, coordinated on a global scale, should put the spotlight on the need for organisations to change their thinking about cybersecurity, since it can only be addressed at Board level, says BDO Global, the business advisory firm.
Executive boards need to immerse themselves in the cyber issue and allocate sufficient resources to identify and ensure the effective management of cyber risks: a Board’s accountability includes the way organisations protect, detect, respond and recover, it adds.
"Boards have to lift their organisations to the appropriate level of cyber resilience: this means going above and beyond employee behavioural change programmes and IT departments’ technical measures.
Last Friday’s attack originated in poorly protected workstations, showing that training employees is necessary but no longer sufficient. Cyber threats are more potent than most executive Boards recognise. Companies do invest in security technology - but discover all too soon that the technology is being persistently undermined by different attack methods" says BDO.
Instead, it argues, boardrooms need to move from 'protect' to 'defend' in their thinking about cyber security.
“Ransomware presents a growing threat to every industry, but healthcare organisations are particularly vulnerable. Their digital transformation came late, and the simple reality is that many IT systems weren’t installed with cybersecurity in mind. Because many hospitals rely on end-of-life technology and may prioritise immediate data access over data security, cybercriminals have found their systems relatively easy to penetrate. Hospitals also don’t have the luxury of time: a ransomware infection that blocks access to critical medical data endangers patients’ health. In a scenario where patients’ lives are at stake, the only feasible option, paying the ransom or not, is an extremely tough dilemma” says Shahryar Shaghaghi (USA), Head of International BDO Cybersecurity.
“In a secure environment, executive Boards allocate resources and provide management with the tools to identify cyber risks and apply appropriate mitigation. Cyber-responsible Boards do not just check policy but also oversee and verify the implementation of cybersecurity measures to ensure their effectiveness” says Ophir Zilbiger, Partner at BDO Israel’s Cybersecurity Centre.
I like the phrase 'cyber-responsible boards' - let's hope we hear more of it. It's a lot better than having ostriches in the boardroom.
The link is to a 2014 post on Forbes, but three years is a very long time in a fast-changing world. Isn't it time boardrooms caught up? And then there's the matter of exiting CEOs being paid huge amounts of money despite the cybersecurity breaches on their watch...