
“Cybersecurity in the Boardroom: A Strategic Imperative”

Blog By

Angela Violet,

Cybersecurity & IT Risks Associate (CITRA) South-End Tech Limited

In today's interconnected world, cybersecurity can no longer be viewed only as a technical matter belonging to the Information Technology function. It is a material business question that the board of directors must address to secure the company's sustainable development. The threats arising from cybercrime are severe for organizations because they touch an organization's operations, its reputation, and its financial health. Directors should therefore recognize that cybersecurity is critical to achieving organizational goals and objectives and should incorporate it into the board's governance model.

The Evolving Cyber Threat Landscape

The cyber threat landscape is constantly evolving, with cybercriminals using increasingly sophisticated techniques to penetrate organizations' defenses. Malware, especially ransomware, has become more sophisticated, while phishing scams and data breaches are on the rise and affect businesses of all sizes and sectors. The shift to remote work, accelerated by the COVID-19 pandemic, has amplified these dangers by introducing the new risks of remote work settings.

The top threats are:

  1. Ransomware: Malicious software that encrypts or locks business information and demands payment to restore access.
  2. Phishing: Scams that deceive employees into revealing sensitive details or into downloading a malicious file.
  3. Insider Threat: A worker or contractor who knowingly or unknowingly becomes a threat to security.
  4. Advanced Persistent Threats (APT): A sustained, targeted attack aimed at capturing data and/or disrupting an organization's operations.

Why Cybersecurity is a Boardroom Issue

  • Financial losses: Cyber-attacks are disastrous, and their financial consequences can be massive. Costs that organizations incur after a data breach include penalties, legal expenses, and restoration expenses. Ransom payments and periods when the business cannot operate because of an attack also weigh on the economics of the organization. IBM's 2023 report puts the global mean cost of a data breach at $4.45 million.
  • Legal requirements: Many laws, including the GDPR in Europe, the CCPA in the US and many others, have been put in place to ensure that data is protected. Non-adherence to these standards can lead to heavy penalties and other legal consequences. Boards must provide appropriate oversight and standards for the organization's cybersecurity compliance.
  • Reputation and profit impact: A cyber incident can significantly reduce the organization's profit-making capability and, in some cases, bring it to a complete standstill. Large-scale information security incidents are frequently reported, and this results in negative publicity and consequential effects. Boards therefore need to be wary of cybersecurity risk so as not to compromise their brand and the trust of customers, investors, and partners.
  • Business continuity impact: Cyber-attacks can interrupt business on a large scale, with a devastating impact on productivity. When critical sectors such as healthcare, finance and energy are affected, the consequences can be lasting. Protecting the company from cyber threats is therefore one of the key factors in keeping the business going.

The Board of Directors’ Responsibilities When It Comes to Cybersecurity

  1. Governance and Oversight

The board of directors has overall responsibility for the company's cybersecurity strategy and for keeping it consistent with the interests of the business. This includes:

  • Improve board awareness: Prioritize cybersecurity concerns in board meeting conversations and managerial decision-making. Make sure that the chief information security officer (CISO), whatever title the role carries within the firm, and other relevant security employees have the skills and tools needed to shield the business.
  • Establish a cybersecurity committee: Assign responsibility for cybersecurity to a specific committee or subcommittee, and have that committee present its findings to the full board on a regular basis.

  2. Risk Management

The board needs to understand the organization's risk position and make sure that there is an adequate risk management plan. This includes:

  • Carrying out routine risk evaluations: Identifying the organization's weaknesses and the likelihood of potential cyber threats.
  • Implementing a risk management framework: Adopting and following methodologies such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework or International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27001 for a consistent approach to cyber risks.
  • Monitoring third-party risks: Evaluating the cybersecurity postures of suppliers, partners, and other third parties to ensure that risks which can threaten the whole enterprise are managed.

  3. Cybersecurity Response Plan and Recovery

When a cyber incident is reported, there are measures an organization should take. The board should ensure:

  • A cyber incident response plan is created: Every organization needs a documented incident response plan that sets out how management, employees, contractors and third parties will react to a cyber incident.
  • Regular exercises are conducted: Audit the state of readiness of the incident response plan through simulations and exercises.
  • Post-incident reviews are held: Incidents are reviewed to isolate issues for learning purposes and to improve the incident response process.

  4. Culture and Awareness

Building a security culture helps diminish the impact of human factors and raises the security consciousness of the whole workforce.

The board can support this by:

  • Train employees: Make sure that all workers, from managers to junior staff, take part in cybersecurity training and awareness activities frequently.
  • Foster a security-first culture: Cybersecurity should become part of the organizational culture, where every employee has a responsibility for protecting the organization.

In a world characterized by the use of digital technology, cybersecurity is a strategic business function that needs the engagement of the board of directors. Keeping up with the changing threats, proactively looking for financial and reputational risks, and paying close attention to governance and risk management are some of the ways boards can help safeguard an organization from cyber threats. As technology advances and organizations shift towards digitization, those that can withstand cyber threats will be much stronger for it.

Do not hesitate to contact us for your Cybersecurity and Data Protection Solutions and Service needs by telephone at +254115867309, +254721864169 or +254740196519, or by email at aviolet@southendtech.co.ke, cybersecurity@southendtech.co.ke or info@southendtech.co.ke.