he global COVID-19 pandemic   EMEIA financial services cybersecurity   organisations with these companies in
                 has exponentially increased the  leader, said: “Companies are outsourcing a   their supply chain.”
                 number of cyberattacks on   lot of their cybersecurity needs, but you   Budgeting needs to be driven by more
                 companies, countries, and   can’t outsource risk — responsibility   than image concerns and regulation. The
         T individuals — in part because   ultimately sits with you. This is a global   GISS suggests that organisations should
         of widespread government spending   threat that crosses jurisdictional   budget for cybersecurity in a different way
         programmes applied for and administered   boundaries. Companies need to stop   than they have in the past. “We’ve
         online. A 2021 global threat report by   looking inwards and locally, and boards   recommended that arguments focused
         cybersecurity firm CrowdStrike found   need to be better equipped to support   around value creation and transformation,
         intrusions involving hands-on keyboard   management.”              not just value protection and recovery, will
         techniques increased fourfold during the   Merle Maigre, former director of NATO’s   resolve some of the tensions between the
         prior two-year period.           Cooperative Cyber Defence Centre of   CISO and the board,” Seth said.
           In a world of increasingly linked   Excellence, argued that “while it is a good   Instead of focusing on how not to be the
         organisations, each target is a risk to   sign that so many companies have a chief   subject of a cyberattack, or how
         others, and the financial damage wrought   information security officer [CISO], that   cybersecurity is essential for customer
         by these attacks can be significant. Attacks   CISO has to have a meaningful relationship  trust, the value-creation argument allows
         on companies can compromise critical   with the board”. That is where it gets tricky.   organisations to invest in new
         national infrastructure, and attacks on   According to EY’s findings, only 48% of the   technologies that enhance outcomes for
         individuals can open back doors into   respondents felt that “their board and   customers and clients — for example, in
         companies already stretched to the limit.   executive management team have the   healthcare, where connecting highly
         As the harried world works from home and  understanding they need to fully evaluate   valuable and sensitive patient data can
         more businesses join the cloud to manage   cyber risk and the measures it is taking to   lead to substantially better patient
         their data, bad actors continue to take   defend itself”.          outcomes and increased operational
         every advantage they can.           So how can boards learn more about   efficiencies.
                                          cybersecurity and adjust to new risks? And
         Not up to speed                  how can executives charged with   Educate
         EY’s Global Information Security Survey   cybersecurity bring the board along with   According to Maigre, one of the best ways
         (GISS) revealed in 2020 that 59% of senior   them? The answer is threefold.   that executives can help the board
         leaders at almost 1,300 organisations                              understand the fundamental importance
         interviewed had faced a “material or   Budget                      of cybersecurity is to test board members’
         significant incident in the past 12 months”.   Ultimately, much of an organisation’s   own online security. Maigre said that a
         And that was before the coronavirus and   ability to handle cyberattacks will come   session in which they are asked about the
         mass home working. The survey found that  down to investment in IT security.   security of their passwords, the types of
         48% of boards expected a cyberattack or   “There are three types of cyberattack   things they post online, and the apps and
         data breach to more than moderately affect   — theft, subversion, and sabotage. And   services they use can be very helpful. This
         their organisation in the next 12 months.   they are all increasing,” Maigre said. She   has two benefits, she said. First, it helps
           Yet EY also found that only 20% of   explained that one growing trend is for   illustrate the type and depth of work that
         boards were extremely confident that the   hackers to use ransomware to steal   needs doing and shows that insecure
         “cybersecurity risks and mitigation   information that is not valuable to them   practices can be commonplace. Second, it
         measures presented to them can protect   per se but is valuable to the organisation,   secures the communications of board
         the organisation from major cyberattacks.”   demand a ransom for that information,   members, who are themselves prominent
         And worryingly, 7% of respondents to the   take the ransom, and then sell or leak the   targets for attackers because they often
         GISS said that cybersecurity was never on   data anyway. Cybersecurity research   possess sensitive information.
         the board’s agenda, while only 29% said it   company Cybersecurity Ventures predicted   Another key way that executives can
         was on the agenda on a quarterly basis.   that ransomware attacks would occur   educate the board on cybersecurity is to
         Facts and figures abound, but one thing is   every two seconds by 2031 (compared with   hire experts to speak with them in their
         clear: Although they may be more aware of   every 11 seconds in 2021), with a total   various subcommittees. “The job of the
         the risks now, most boards were not up to   attendant cost of around $265 billion.   board is to probe management’s strategies,
         speed on cybersecurity before COVID-19.   “Hacking is becoming more complex,   but if they’re not equipped to do so, then
           This is a problem because the board has   more common, and more professional,”   that querying role becomes impossible,”
         a key role to play in a company’s   Maigre said. “It is looking pretty bleak for   Seth said. Maigre advocated having a cyber
         cybersecurity. Boards help manage risk,   those small and medium-sized   expert on the board itself — and there is
         regulation, investment, and governance   organisations which feel like they do not   evidence to suggest that, in the US at least,
         — and cybersecurity has an impact on all   have the resources to invest in IT security   companies are looking to hire such
         four. In an interview, Kanika Seth, EY   — and by degree bleak for those larger   experts.
        FM-MAGAZINE.COM                                                        February 2022  I  FM MAGAZINE  I  23