Entrust, which is one of the world’s leaders in the field of trusted payments, identities and digital infrastructure, has spoken on the topic of board-level governance and cyber responsibility, ahead of Data Privacy Day.
As the company notes, the number of data breaches in Australia surged in 2022. Organisations have been hit by major breaches over the past few months and, concerningly, the increased sophistication of cyber threats is making crimes like extortion, espionage, and fraud easier to replicate at a greater scale. The evolving cyber threat landscape has opened a Pandora’s box of liabilities and accountabilities regarding an organisation’s cybersecurity responsibilities.
As boards become more acutely aware (and personally liable in some cases) of data privacy and data protection, they are increasingly required to participate in the governance of data privacy and data security. The Australian Securities and Investments Commission (ASIC) has warned companies that they will come under scrutiny if their businesses are hacked by cyber criminals, and they failed to prioritise cybersecurity.
Now more than ever, business leaders need to address data protection and the costs to both businesses and customers. Recent research by Gartner predicts that by 2025, 40% of boards of directors will have a dedicated committee overseen by a qualified board member, up from less than 10% today. Adding someone to the board who has cybersecurity experience will help drive a cybersecurity culture and make data privacy governance and data strategy a high priority.
Entrust, a global leader in securing identities, payments and data around the globe, has developed some key recommendations to help organisations drive a cybersecurity culture:
1. Develop a cybersecurity committee over which qualified board and C-suite leaders have oversight.
- While this drives more scrutiny, it also opens the door to more resources and support for the CISO and their team.
- Because they do not work on the front lines, board members can often be overly cautious when it comes to cybersecurity, underestimating the degree to which employees and/or customers will simply find workarounds to ‘get the job done’. This committee can help advise on and mitigate that.
2. Decide whether or not to buy cybersecurity insurance.
- Consider what costs more: paying lawyers or the costs of a data breach (direct and reputational). Each company is different and so are its security needs. While cybersecurity insurance can be an effective tool (if it’s within your organisation’s budget), it’s only one of many ways to effectively mitigate the risk of a cyber breach.
3. Have clear and well-understood cybersecurity policies and procedures.
- Visibility is key to building trust by helping people to understand how data privacy, data security and compliance are maintained in the background. This applies to the board as well, and having clear and well-understood policies and solutions can drive investment and board-level ‘buy-in’.