With so much talk over the past 12 months regarding the personal liability of Directors of organisations that are found to be non-compliant with GDPR by next May, and cyberattacks such as WannaCry making the national news, it would be hard for any C-level executive not to have put two and two together and placed cybersecurity firmly on their next meeting agenda.
If Directors listened to everyone who said that X or Y needs to be on the board’s agenda, their meetings would be never ending. But in the case of cybersecurity it would appear that the message is being heard loud and clear. In an article published by Infosecurity Magazine this week it is reported that 25% of business decision-makers added cybersecurity to the boardroom agenda in the wake of WannaCry, with 58% believing their organisation will likely or definitely suffer a cyberattack in the coming months.
This is welcome news to those of us who over the years have been shouting from the rooftops that good cybersecurity begins at the very top of the organisation. That being said, I fear for the remaining 75%. The threat landscape continues to evolve; attacks are becoming more targeted and sophisticated (WannaCry was an exception); SMEs are vulnerable to becoming collateral damage as cybercriminals look for the weak link in the supply chain of bigger fish; and if they don’t get you, the regulator will, should you suffer a data breach. It is fair to say that organisations big and small are fighting a war on all fronts – as if the day job wasn’t hard enough already!
My advice to those C-level executives that are now switched on to the risk (and to those that soon will be) is to look for the obvious gaps and plug them quickly. All too often it is people that are the weak link, whether complicit or not. How many times a day do staff members share passwords to access online applications, or use each other’s desktops? Are passwords reset on a regular basis, and if so, are they just using the same easy-to-remember credentials over and over again? This has become standard daily operating procedure for so many of us (especially in smaller organisations), and most people are blissfully unaware of the harm it could cause. What’s more, Directors can be some of the worst culprits for reusing passwords across corporate and personal accounts.
One good option is to remove passwords altogether, so that the burden of responsibility is not on their shoulders. Remember, if you suffer a data breach and are found to be negligent in safeguarding against such an incident, it will be the Directors’ necks that are on the chopping block.
Author: Steven Hope, CEO of Authlogics