Three Things Corporate Board Members Need to Know to Protect Their Companies From Cyberattacks
By Sami Mäkiniemelä, Chief Security Officer, Miradore
Last year, the U.S. saw a 57% increase in the number of cyberattacks — that’s nearly double the 38% increase that was reported worldwide. This rising threat of cyberattacks comes at a time when many companies are cutting costs and reducing staff in response to economic uncertainty. While these cost savings may help a company in the short term, they could be opening the door to catastrophic, long-term consequences associated with data breaches and cyberattacks.
Recent data shows that each of these cyberattacks — whether it’s a malware, ransomware, data breach, or DDoS attack — had a median cost of $18,000 in 2022. That’s nearly double the amount from the year before, up from $10,000 in 2021. The study also showed that nearly half of all American businesses suffered a cyberattack in some way during the last year.
However, as the risks and costs of cyberattacks are growing, concern at the corporate level is not matching the threat. New research shows just 23% of corporate board directors think the risk of a cyberattack is very likely — even more alarming is that 47% believe their company is unprepared to handle a cyberattack if it did come. This could be a serious problem as the costs of these attacks continue to grow, posing a threat to the very businesses these boards are overseeing. That’s why those in the C-suite positions and their board members need to be more proactive about protecting their businesses from this complex and costly threat.
This disconnect between the disinterest of corporate boards and the reality of the threat landscape is especially disconcerting considering the fiduciary and oversight responsibilities these bodies are entrusted with. Boards and their members have a duty to educate themselves about the risks and strategies for cyber resilience in order to take the proper precautions against these attacks.
Here are three essential things board members need to know about cybersecurity today to help protect their companies from future fiscal disaster.
Understanding the importance and impact of cybersecurity is the first and most important step in safeguarding your business.
Cybersecurity can seem very complicated to someone without deep IT or technological knowledge. However, your entire board doesn’t have to understand everything about computer networks and how to protect them against potential attack. They just need to be committed from the top down to enhancing cybersecurity. If not, employees who see their board dismissing cybersecurity concerns are likely to do the same.
Also, cybersecurity considerations need to be part of a company’s overall business strategy. When reviewing corporate financials, board members need to ensure that there’s a robust budget to support regular maintenance and upgrades to company infrastructure that will defend against cyberattacks. Even with the current economic uncertainty and cost-cutting mandates, cybersecurity spending is expected to rise by more than 10% this year compared to 2022. This underscores the importance of this issue for organizations of all sizes.
Poorly managed cybersecurity can risk the entire business.
It’s easy to ignore cybersecurity when nothing happens. But when things go wrong, fixing them after the fact can be problematic and very expensive. Cyberattacks can have significant consequences for a company, such as financial loss and reputational risk. IBM estimated the average cost of an American data breach in 2022 to be $9.44M. But there’s also the reputational damage of lost public trust, which is harder to measure and can have a significant negative impact on the business too.
Years after Facebook’s Cambridge Analytica data breach, 44% of social media users still have a negative opinion of Facebook — 41% of millennials use Facebook less because of the data breach, compared to 37% of Generation Xers and 24% of baby boomers. According to a recent study, the average financial losses for this particular type of damage are $8,653 for SMBs and $204,750 for larger companies when you combine consultancy expenses, lost opportunities due to damaged corporate image, and marketing and PR activities aimed at reducing the impact to reputation.
That’s why it’s cheaper and easier to make sure your business is fully protected against cybercrimes before they happen. With the increasing frequency of state-sponsored and other highly sophisticated cyberattacks, the threat of cybercrime is growing more serious. Fortunately, while cybercrimes are getting more sophisticated, so is the technology that helps prevent them. To this end, there are a variety of available resources to help stay on top of cybersecurity trends and issues. Government agencies like CISA and the SBA provide essential guidance, while companies like Miradore offer MDM, and cyber intelligence firms like Google’s Mandiant can help companies mitigate risks before, during, or after an attack.
It’s helpful to think about cybersecurity like your home — it’s easier to deter a burglar with cameras, an alarm system, and proper outdoor lighting than it is to recover stolen property after the break-in. By being proactive about cyberdefense before an attack, board members can save their companies money on the bottom line.
Management needs to be an active participant in the company’s larger cybersecurity efforts.
Companies of all sizes should set up an information security management strategy and management committee. Members of the board of directors and senior management team should be on this committee to signal the importance of this issue to the company and its customers. Also, having a presence in that space means the board will be informed of and able to act on any potential cybersecurity incidents in a timely manner, ensuring a more efficient response.
Additionally, board members should push to establish metrics and reports to measure the business impact of cybersecurity. To quote American author and entrepreneur H. James Harrington, “Measurement is the first step that leads to control and eventually to improvement. If you can’t measure something, you can’t understand it.” Boards should keep track of all cybersecurity incidents and how much money and time are spent fixing them, while also looking into how they can prevent similar incidents in the future. Measuring the impact of cyberattacks and progress towards preventing them is a critical step in managing a company’s cyber risk profile.
As the cybersecurity landscape continues to evolve and expand, the threat of cyberattacks will continue to grow more pernicious. Members of a company’s board of directors have an obligation to understand the basics about cyberattacks and how to prevent them in order to exercise their oversight responsibilities and protect their business from untold monetary and reputational losses.
While there is no one perfect solution or silver bullet for all cybersecurity issues, boards that are committed to this issue should experiment with the available resources until they find a combination of tools that works for them. The right mix of actions and intentions about cybersecurity from the board will ensure the company is in the best position to prevent cyberattacks and to respond quickly and efficiently to any attacks that do come.
About the Author
Sami Mäkiniemelä is the Chief Security Officer at Miradore, a software company that offers MDM services. Sami can be reached online via LinkedIn. You can learn more about the cybersecurity benefits of mobile device management on Miradore’s website.