Boardrooms need to “wake up” to the danger of cybercrime, according to a recent report.
The UK’s ICSA, commissioned by the government’s Department for Business, Innovation and Skills (BIS), issued the guidance document on how boards can better understand and cope with the threats posed to businesses by malware, hacking, cyber espionage and other digital dangers.
Now, in security circles, “ICSA” generally refers to a leading security testing and certification body, formerly known as NCSA. Or, in some specialist cases, the International Chinese Statistical Association (for some reason, founded in San Francisco and registered as a non-profit in Delaware).
But no, the ICSA we’re talking about here is the Institute of Chartered Secretaries and Administrators.
Their report didn’t get much attention when it first appeared a few weeks ago. In fact, I didn’t spot it until the press release was picked up by, of all places, an Isle of Man-based news site.
So, I hear you ask, what’s the rumpus? A bunch of people moan about their bosses’ ignorance, and no-one really listens. Big deal.
Two things though. First, these are not the people who do the typing and answer the phones. Important and delightful as those secretaries are, these are corporate secretaries, a whole different thing.
Corporate secretary is a high-powered position, basically sitting between the board of directors and the company at large, ensuring the board gets the information it needs from the company and that the company acts on the board’s decisions.
The ICSA is the body representing the most experienced and highly-qualified corporate secretaries in the UK, and rightly refers to itself as “a recognised authority on corporate governance and compliance”. So, if they say boards are paying too little attention to cyber issues, you can be pretty sure they’re right.
Second, their report (PDF) provides some pretty good advice. It gives a clear, simple breakdown of the dangers businesses might face, stressing the need to weigh up the risks specific to a given organisation and the importance of focusing on resilience in the face of attack:
The cyber threats facing businesses and their supply chains cannot be prevented through investment in technology alone. It requires comprehensive risk assessment processes to identify and prioritise the protection of critical information assets.
It puts particular emphasis on the problem extending to all parts of a company:
Internal functions such as HR, finance, legal and marketing may not appreciate the extent to which critical information is at risk, nor realise the potential impact of a cyber attack on their organisation. ...Day-to-day control of cyber risks should not be left to the IT department.
Few companies can survive these days without some sort of internet presence, and even the smallest are likely to be making ever more use of information technology.
For most, all this is still a relatively new side of doing business, and it changes and evolves at a bewildering pace. This exposes firms to a whole new world of risk, which many staff – especially in senior roles – have minimal understanding of.
Board positions tend to be very senior roles indeed, so members might not be in touch with the fast-moving world of cyber security.
They also tend to be filled from a limited set of backgrounds, mainly financial, sales, marketing and legal areas, with limited uptake of people from more technical departments. But their input and backing are vital to ensure cyber security is given the proper emphasis at every level.
It seems that board members need all the help and advice they can get when it comes to shoring up their firms against digital dangers.
So, if you’re a board member, read the guidance, and act on it. If you’re working for a board which isn’t helping with your cyber security needs, try subtly pointing them towards this kind of advice – it just might sink in.