Why should board members care about cybersecurity?
Soon, Cybersecurity 101 knowledge may not be enough. The proposed SEC regulations would also require public companies to disclose whether their boards include members with cybersecurity expertise. Investors could then weigh that disclosure both in their investment decisions and in their votes on the election of board members and directors.
Get Started: Resources for more information
Cybersecurity 101 for Board Members and the C-Suite
One of the trickiest parts about learning the basics of cybersecurity is that you don’t know what you don’t know. To begin, gather information using a cybersecurity framework such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This will help you understand the cybersecurity basics that apply to your particular organization.
IPDRR - Identify, Protect, Detect, Respond, Recover
A data classification project should be your first step in understanding your organization’s cybersecurity: you cannot protect what you have not identified. Talk to each department head, as even your IT team may not be aware of all the types of information being processed.
Now that you know what you have, confirm what is in place to protect it. All sensitive data should be encrypted and should be accessible only by the staff who need to use it. This limits your exposure should a breach occur. Two-factor authentication (2FA) can be put in place to require something in addition to a username and password to gain access.
A strong multi-factor authentication program will require at least two of the three forms of authentication:
- Something you know (like a password, answer to a security question)
- Something you are (a biometric measure like a fingerprint or face scan)
- Something you have (like a token)
Additionally, it’s wise to invest in further security measures such as firewalls, endpoint protection, patch management, and more. If your organization doesn’t have the in-house staff to set up and maintain these tools, consider working with a cybersecurity firm.
Operating your own 24/7/365 cybersecurity operations may not be a desirable or workable option. Instead, many companies opt to partner with a reputable cybersecurity firm, like Foresite, for 24/7 monitoring and alerting. This allows organizations to get the protection and expertise that comes from highly trained cybersecurity specialists without needing to invest in an in-house security operations team.
Before an incident ever occurs, it’s crucial to have a response plan in place. Do you have the expertise on staff to quickly identify threats, decide what action to take, and remediate without compromising logs or other evidence that could be needed if litigation occurs? Do you know who will be responsible for leading the effort? What if the incident occurs outside normal business hours? Unless you have a 24/7/365 IT security team in place, it’s smart to engage an incident response team that can quickly mitigate and remediate the damage from a breach.
In addition to your technical response, you’ll also likely have a public relations or regulatory reporting response. You may be required to notify regulators in the event of a breach. In November 2021, the Board of Governors of the Federal Reserve System (Fed), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) issued a final rule on how banks must handle and report cybersecurity-related incidents. The proposed SEC rules would extend similar reporting obligations to all publicly traded companies.
Cybersecurity 101 Training for Board Members & C-Suite
Tristin Zeman is the Digital Marketing Manager at Foresite. For the past 10 years, she has helped organizations of all sizes create and scale marketing programs through digital and traditional marketing channels and efficient marketing operations.