Cybersecurity 101 for C-Level and Board Members

The increase in the number and cost of cybersecurity incidents has put more pressure on board members and C-Level executives to become aware of their company's security. This, paired with newly proposed SEC regulations, means understanding Cybersecurity 101 for C-Level and board members is more important than ever.

Why should board members care about cybersecurity?

According to the IBM Cost of a Data Breach 2022 report, the average cost of a data breach in the United States was $9.44 million. The high cost and the increasing risk of a breach has led the Securities and Exchange Commission (SEC) to propose new disclosure requirements for publicly traded companies. These rules aim to increase transparency by requiring companies to disclose significant cybersecurity incidents and report on their cybersecurity management practices and board oversight.

Soon, Cybersecurity 101 knowledge may not be enough. These regulations would also require public companies to disclose whether their boards have members with cybersecurity expertise. This would allow investors to factor that expertise into their investment decisions as well as their votes on the election of board members and directors.


Cybersecurity 101 for Board Members and the C-Suite

Cybersecurity can be boiled down to the act of protecting the information systems of your business and the data that they collect, create, process, maintain, use, share, store, or transmit. There are many tools and services that can be used to protect these systems.

One of the trickiest parts about learning the basics of cybersecurity is that you don't know what you don't know. To begin, gather information using a cybersecurity framework like the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This will help you understand the basics of cybersecurity as they apply to your particular organization.

IPDRR - Identify, Protect, Detect, Respond, Recover

Identify

What data does your organization transmit and/or store? This is critical, as you need to know what types of data you have in order to know which compliance requirements you need to meet. If you process credit cards, PCI DSS will apply. Health data may fall under HIPAA. If you maintain Personally Identifiable Information (PII), then it's likely state regulations will apply, or even GDPR regulation if you have PII on citizens of the UK.

A data classification project should be your first step in understanding your organization’s cybersecurity. Talk to each department’s heads, as even your IT team may not realize all the types of information being processed.

Protect

Now that you know what you have, confirm what is in place to protect it. All sensitive data should be encrypted and should be accessible only by the staff who need to use it. This will lessen your exposure should a breach occur. Two-factor authentication (2FA) can be put into place to require something in addition to a login and password to gain access.

A strong multi-factor authentication program will require at least two of the three forms of authentication:

  • Something you know (like a password, answer to a security question)
  • Something you are (a biometric measure like a fingerprint or face scan)
  • Something you have (like a token)

Additionally, it's wise to invest in further security measures such as firewalls, endpoint protection, patch management, and more. If your organization doesn't have the in-house staff to set up and maintain these tools, consider working with a cybersecurity firm.

Detect

This is a critical and often overlooked piece of cybersecurity. Since the ultimate responsibility to protect the data falls on the highest rank in the organization, you need to know what is in place to detect unusual behavior on the network. Simply having antivirus software is no longer enough: malware is constantly evolving, and protections that rely on signatures cannot keep up.

Operating your own 24/7/365 cybersecurity operations may not be a desirable or workable option. Instead, many companies opt to partner with a reputable cybersecurity firm, like Foresite, for 24/7 monitoring and alerting. This allows organizations to get the protection and expertise that comes from highly trained cybersecurity specialists without needing to invest in an in-house security operations team.

Respond

Before an incident ever occurs, it’s crucial to have a response plan in place. Do you have the expertise on staff to quickly identify threats, know what action to take, and how to remediate without compromising logs or other evidence that could be needed if litigation occurs? Do you know who will be responsible for leading the efforts? What if the incident occurs outside of normal business hours? Unless you have a 24/7/365 IT security team in place, it’s a smart idea to work with an incident response team to quickly mitigate and remediate the damage from a breach.

In addition to your technical response, you’ll also likely have a public relations or reporting response. You may be required to notify regulators in the event of a breach. In November 2021, the Board of Governors of the Federal Reserve System (Fed), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corp. (FDIC) issued a final rule on how banks need to handle and report cybersecurity-related incidents. The proposed SEC rules would expand this ruling to all publicly traded companies.

Recover

In addition to getting back to business as quickly as possible after an event, you will also want to use every event as an opportunity to get stronger. Analyze what happened and what has been done to prevent it in the future. If clients were affected, what kind of follow-up communication will your organization provide to reassure them? How you handle recovery can make a huge difference in the overall cost of the event, so don't skip this step.

Cybersecurity 101 Training for Board Members & C-Suite

Organizations that don't have a cybersecurity expert on their board can benefit from bringing in a consulting team to better understand the challenges and opportunities facing their company. From baseline assessments to yearly reviews, cybersecurity consultants can offer services such as penetration testing, vulnerability scans, and business continuity planning to help ensure your company is prepared to weather a cyber event.

Tristin Zeman
Tristin Zeman is the Digital Marketing Manager at Foresite. For the past 10 years, she has helped organizations of all sizes create and scale marketing programs through digital and traditional marketing channels and efficient marketing operations.
