Cyber Attacks Are Too Common to Dismiss

Cyber attacks are constantly in the news, and when they happen, they can damage an organization’s bottom line. Boards must ensure their company or agency has a mitigation plan of some sort in place.

Board Members Must Be Familiar with Risks

Too many board members tend to defer to cyber experts on the board or in the organization on cybersecurity matters. The risks are too great, and the topic too vital, for board members to stay hands-off. 

Cybersecurity Learning Never Stops

Continuing education is an essential part of cybersecurity preparedness. The threats — and consequences — are always changing. Board members should stay on top of the changes.

Webinar Recap: Cybersecurity expert Chris Hetner, distinguished board director Betty DeVita, and leadership guru Stuart R. Levine explore the challenges of cybersecurity and AI – and how directors can navigate this terrain.

Design Lines

In today’s world, technology is moving at breakneck speed. This pace of change presents big opportunities for businesses. But it also introduces significant challenges. 

For starters, cybersecurity is a growing (and costly) risk for organizations of all sizes and across all industries. In addition, artificial intelligence (AI) is changing the face of business. 

In the past, board directors remained largely uninvolved in such matters. But today, directors must keep pace with this game-changing terrain – and be prepared to navigate their organizations through it. 

“In the age of technology and digital transformation, this endeavor of managing cybersecurity risk becomes even more important,” said distinguished board director Betty DeVita

Recently, DeVita joined cybersecurity expert Chris Hetner and leadership guru Stuart R. Levine joined us for a discussion diving into the heart of cybersecurity challenges, the fast-paced world of technology, and how directors must take an active role in fortifying their organizations’ technological future.  

The discussion covered topics including:

  • Today’s top cybersecurity regulations and risks for directors
  • Best practices to enhance your organization’s cyber-readiness and technology governance
  • How AI is reshaping the business landscape and what directors need to steer this change successfully

Here, we share some of the key takeaways from this timely, engaging session.

 

Cyber Attacks are Common – and Costly

These days, cyber attacks are a regular topic of news headlines. Currently, HCA Healthcare is in the midst of negotiating a ransomware attack. In addition, the National Institutes of Health (NIH) Federal Credit Union was recently subjected to a major breach. Those are just a couple recent examples. 

Cyberattacks are more common than we’d like to think. When they happen, they can be costly and damaging.

“There are companies that are realizing both internal types of events as well as external events causing cyber attacks that are costing companies hundreds of millions of dollars,” Hetner said. 

When it comes to cyber attacks, it’s a matter of when rather than if. Businesses can no longer hide their heads in the sand. Rather, they must have a plan in place to mitigate risk.

Cybersecurity Must Be a Key Focus of the Entire Board

Levine shared a statistic from The Wall Street Journal that a mere three in 10 directors rate their board as able to oversee cyber risk today. This is troubling, given the likelihood of a breach – and the potential consequences.

Board directors can no longer turn a blind eye on cybersecurity. Instead, they must be actively involved in managing risk.

Appointing a single director to be responsible isn’t going to cut it. Levine recounted a conversation he had with a chair of a board recently who said he felt “very secure that his board was covered on cyber because they had identified one person out of nine members as a cyber risk expert.”

“Frankly, that’s a myth,” Levine said. “Everybody on the board owns cyber risk and owns the integrity of the system.” 

DeVita agreed. “Cybersecurity is really an enterprise risk. It’s not an individual person’s risk. It’s a board responsibility and it needs to get viewed more than just at the committee level,” she explained. 

Hetner referenced how much attention board members typically pay to financial reports. “We need to achieve that level of consistency with cyber (reports),” he said. 

Business-Oriented Conversations are the Way to Get Directors on Board

While cybersecurity should be a top focus of boards, in reality, it often isn’t. What’s the disconnect?

Oftentimes, it’s because of the way cyber risk is presented to boards. 

“If you start delivering highly technical jargon to a board member who’s not very astute in technology, they tend to retract, not engage, maybe even feel threatened,” Hetner said. “Therefore, you miss the opportunity for them to really grasp the issue and take action.”

Instead, conversations about cybersecurity must be more business-oriented. For example, if we have a ransomware event, it’ll take down this segment of our network for 48 hours and we’ll realize $50 million in lost revenue.

“Unfortunately, we’re not having that conversation,” said Hetner. “We need to be more business-contextualized in our discussions – in the way we exercise proper governance and risk oversight from the management perspective.” 

Continuing Education is Key – But it Must Be Ongoing

According to Levine, “Cyber is not a fluent subject for a majority of directors.” It’s essential these directors get up to speed so they’re better able to lead.

Today, some organizations offer a cybersecurity credential for attending a training session. But in today’s rapidly changing world, a one-time training isn’t enough.

“I think it’s valuable from the standpoint of level setting the playing field,” said DeVita. “But it can’t be a ‘one-and-done.’ You can’t just sit on your laurels that you have a certificate.” 

Instead, training must be ongoing. As DeVita put it, “the reason continuing education is done annually or biannually is there’s always new innovations going on.”

Continuing education shouldn’t be limited to one or two appointed cybersecurity experts on the board. In addition, the entire board should receive cybersecurity training at a regular cadence.

“I think the board should seek out experts and hear different perspectives and continue this continuing education,” said DeVita. “I believe in continuing education, as long as it is actually continuing.”

Practice is a Key to Preparation

Even the best businesses can encounter a cyber attack. It’s important to be prepared. 

“I always use the analogy that if you’re an athlete, before you get on the field, you’re going to train,” Hetner said. “You’re going to run through scenarios and have a playbook so that when it’s game time, you’ve got the muscle built and you’re ready to execute.”

It’s very similar to cyber risk.

“You want to perform ongoing exercises, you want to pursue outside expertise to run different types of scenarios,” Hetner said.

That way, you have a playbook for if and when an attack occurs. 

 

Driving Employee Awareness is Essential to Reducing Phishing

Of course, there are myriad types of cyber attacks. One that was explored in detail during the webinar was phishing, which Hetner defines as “a mechanism by which an adversary penetrates a company environment through email.”

Often, phishing attempts are highly targeted by group and function. For example, an HR employee may get a phishing email with messaging about HR matters. Or, a phishing email might come out during bonus time – with messaging about compensation. 

According to Hetner, preventing these attacks “all boils down to employee awareness.”

At a previous organization, Hetner’s team ran phishing attack simulations to different departments. Emails were nuanced by department. If the employee clicked on a link, it would launch a page where they had to undergo training.

“At the end of the day, it’s about ensuring you have proper training and awareness,” Hetner said. “And this can’t be a static activity; it needs to be ongoing.” 

The right technology is key to achieving your board’s goals. However, organizations – especially nonprofits – must understand the ROI before making an investment. Is your nonprofit interested in how you can more effectively evaluate ROI? If so, save your spot for our next ATLAS Leadership Webinar, Evaluating ROI for Technology in Nonprofits, featuring Karen Graham, nonprofit technology strategist and founder of Karen Graham Consulting.

Working at this table
Unlock Superior Board Governance

Streamline your board meetings and unlock valuable insights with OnBoard’s powerful platform. Experience the difference of secure, efficient, and intuitive board management software designed for success.