Board Members' Lack of Security Awareness Puts Businesses at Risk of Cyber Attacks, Finds Savanti Report

A report from cybersecurity consultancy Savanti reveals that board members are facing challenges in understanding cyber risks, and this has important implications for businesses.

Many board members lack the necessary level of security awareness and understanding of cyber threats, which puts their businesses at a higher risk of being targeted.

Importance of Cyber Preparedness: Effective Management Leads to Business Growth

The report highlights the importance of effective cyber preparedness in driving business success. Enterprises that demonstrate strong cyber preparedness experience higher revenue growth, valuations, and net margins. 

This indicates that cybersecurity is not just a technical issue, but a fundamental aspect of business strategy and performance.

Notably, regulators, investors, and public bodies are placing a greater emphasis on cybersecurity. Regulatory requirements are becoming more stringent, and boards are being held accountable for managing cyber risks effectively. The US Securities and Exchange Commission, for example, now requires publicly listed firms to disclose serious cyber incidents within four days.

Business Impacts of Cyber Attacks

The impact of cyberattacks on businesses is wide-ranging. They can result in business disruption, increased insurance premiums, intellectual property theft, reputational damage, regulatory actions, litigation, and lower productivity. These consequences can have a significant negative impact on the financial health and stability of an organization.

Communication Challenges: Boards and CISOs Struggle to Connect

One of the key challenges highlighted in the report is the communication gap between board members and their organization's CISO. Many board members find it difficult to challenge or fully understand cybersecurity discussions, potentially due to a fear of exposing their lack of understanding. 

At the same time, CISOs often struggle to effectively communicate cyber risks and their implications at the board level. This disconnect can hinder the development of robust cybersecurity strategies and proactive risk management.

Savanti outlines five steps to ensure effective cybersecurity governance:

1. Understand your unique role as a board: Boards must recognize their responsibilities in setting the risk appetite for their organization and being prepared to play an active role during a cyber incident. This includes understanding the risks they accept and making informed decisions.
2. Be appropriately informed about technology, data, and cybersecurity: Boards should consider recruiting at least one member with specific expert knowledge in cyber to ensure they have the necessary understanding to assess and mitigate cyber risks effectively.
3. Put cybersecurity on the board's agenda: Cybersecurity should be a regular topic of discussion during board meetings. This ensures that it remains a priority and allows for informed decision-making and oversight.
4. Board and executive access to independent cybersecurity advisors: Independent cybersecurity advisors can enhance board members' knowledge of cyber risks and help CISOs improve their communication and engagement at the board level. Such advisors can provide valuable insights and guidance to inform decision-making.
5. Actions for regulators, investors, and public bodies: Savanti recommends "smart and focused regulation" that places new requirements on boards. This could include reporting on a company's risk management arrangements for cybersecurity. Additionally, stakeholders such as investors should place pressure on businesses to take more action in addressing cybersecurity risks.

Related: CEOs and Boards are Unprepared for Cyber Risk 

Show Your C-Suite the ROI of Security Awareness Training with KnowBe4 Executive Reports