Nick Lennon is the ANZ Country Manager at Mimecast, having joined in 2007 as a Channel Sales manager. As a leader in management excellence, Nick has personally grown the local team from five members to over 100 since Mimecast’s introduction to the ANZ market. Nick maintains a passionate focus on achieving rapid local business growth, understanding evolving challenges across all verticals and ensuring customers get the best service driven by Mimecast’s strong culture.
5 ways Boards and executives can defeat ransomware
We all know cybersecurity is an arms race: continuously evolving security technologies versus ever more advanced attack techniques. However, the dominant attack vector hasn't changed. Social engineering is still by far the most common technique attackers use, most often in the form of phishing email.
One of the most common, and most damaging, payloads delivered this way is ransomware. Globally, the damage caused by ransomware in 2019 was estimated at US$11.5 billion and is forecast to rise to US$20 billion in 2021. The threat is very real, and it calls for concrete steps to mitigate the risk.
Here are 5 specific actions that board members and executives need to take to ensure their organisation stays resilient to cyber risk.
1. Cybersecurity needs to be a regular item on the Board’s agenda
A once-a-year check-in is not enough. Boards and executives need much more frequent reviews of their organisation's cybersecurity posture. This drives visibility, accountability and alignment between business priorities and security practices. The good news is that the trend is moving in the right direction. According to Gartner, in June 2020: "boards today are more informed about cyber risk, with just 15% of directors reporting their boards had very little to no knowledge of cyber risk, down from 22% in 2015."
2. The CISO needs to be a member of the Risk sub-committee
To implement real change, CISOs need a direct voice to the board to drive action and investment. This means giving the CISO a seat at the table in the organisation's risk sub-committee. It lets the board get a better handle on the challenges and issues that directly affect its security risk, and gives it more visibility into the actions and investments needed to mitigate cyber risk. Cyber risk should feature regularly in board discussions, at the very least in the form of status updates from the CISO (there are useful guides for CISOs on how to report cybersecurity issues to their boards).
3. Security awareness training needs to be driven from the top
Culture comes from the top. Directors and senior executives shape culture through the policies and practices they follow and by setting the right example through their own behaviour. Simply being 'aware' and compliant with training is not enough; changing the everyday cyber behaviour of everyone across the organisation is what counts. Aside from teaching employees how to spot phishing emails, mandating strong, unique passwords (ideally via a password manager) and multi-factor authentication should be part and parcel of day-to-day operations. Note that current guidance (for example NIST SP 800-63B) advises against forcing password changes on a fixed schedule, because it pushes people towards weak, predictable variations; require a change when a password is suspected or known to be compromised, and screen new passwords against lists of known-breached ones instead.
4. Regular internal communications
There needs to be a mechanism for CISOs to share the stories of security incidents other organisations have faced and how they could have been avoided. Making a digest of this information available to all employees, perhaps as part of regular internal communications, helps maintain a high level of awareness of the threats currently active in the wild.
5. Foster a cyber-aware company culture
Social engineering attempts exploit psychological norms, such as deference to authority and urgency, to trick employees into giving up sensitive information or taking a harmful action. A common example is a phishing email that looks like it came from the CEO and demands an immediate transfer of funds to an unfamiliar account. The way to combat attacks like these is to foster a culture where it is expected, not merely tolerated, to stop and re-confirm any such instruction through a separate channel: a phone call to a number already on file, or a face-to-face check, never a reply to the email itself or a call to a number it supplies. Boards and executives need to create a sceptical and questioning workforce (without creating anarchy) to strengthen their human firewall. One way to do this is to have board members and top executives participate with the staff in cybersecurity training sessions, particularly in phishing detection. This not only deepens their understanding of security issues, but also sends a message to all staff that cybersecurity is a core part of the company culture.
Culture is key to building cyber resilience, and a strong culture isn't built overnight. It requires sustained effort and repetition, and a hard look at current practices. But by following these 5 action points, boards and executives can substantially lower their level of cyber risk and build a more cyber-resilient workforce.