Board members, C-level executives, and even small business owners who think that cybersecurity and compliance are the responsibility of the IT department or an outsourced IT vendor are very much mistaken. Forbes points out that what is considered “reasonable” has changed, and individuals are being held accountable for their duty to protect the data collected by their organizations.

Think about the duties of the Board and an organization’s executives with respect to risk management.  When one of the greatest risks businesses face today is clearly a cyber incident, it follows that those at the top must focus on making informed decisions to protect the stakeholders.

How can you meet this responsibility head on?

  1. Verify what type(s) of data are transmitted and stored.  This will determine if you have compliance requirements for protecting it, and will help you to assign a value to any data that is not protected by compliance.  For example, if you have trade secrets, details about customer orders, or information on donors to your fundraisers, this information may not be protected, but if it is critical to your ability to function, could give a competitor valuable insight to win business away from you, or breach the privacy of your major supporters, this data should be protected at a high level.
  2. Understand that there is no solution that can protect from all threats.  Firewalls are an important component of cybersecurity to minimize the risk from outside threats, but if they are not configured properly, they do little to protect you.  It’s equally important to have a vigilant process in place to push patches for known vulnerabilities – failure to do this has caused a number of large malware attacks to take down businesses, and was completely preventable.  Educating the staff and the Board on cybersecurity and their role is also critical, as human error allows even unsophisticated attacks to be successful, despite all the investment in technology to protect the data.  If an attacker tricks your CFO into wiring them funds, your Administrative Assistant into providing their login credentials with access to the client database, or a Board member into sending a confidential report to a spoofed email address, there is little that any technology can do to prevent it.
  3. Measure, monitor and revisit regularly.  Cybersecurity and compliance must be ongoing to be effective.  Measure by assessing what is in place and whether it meets compliance requirements or would be considered reasonable protection.  Monitor to be aware of indicators of threats so action can be taken immediately to minimize the business impact and liability.  Revisit by including IT in your executive meetings and discussing any changes to the network, processes or data that could affect your risk.  Ask questions of your IT resource to understand your areas of greatest risk and what they are doing to mitigate it.  Know what the plan is should an incident occur and what your role is in communicating with your legal counsel, the authorities, and your stakeholders.

You can’t prevent all threats.  But you can meet your responsibility by being informed and prepared.

5 questions every C-level (or Board member) should be able to answer, from Dept. of Homeland Security.