Cyber Security in the Board Room


Most of us are by now familiar with the Sony Pictures Entertainment hack at the end of last year, which had disastrous consequences for the film company. There have been many high profile breaches, but this is probably the most notorious hack to date.

The Sony cyber attack resulted in embarrassing emails and personal details of movie stars being published on the internet, contract and salary details being released, and the hackers managing to steal five entire movies. While the investigation was under way and the network was taken offline, Sony employees were left with just pen, paper and fax machines to carry out their daily business. It has been impossible for business to ignore such high profile attacks, and they have helped to push cyber security onto most boardroom agendas.

The Thomson Reuters Corporate Governance Survey for 2014 reveals that cyber security is now on the board agenda, with 88% of boards including a cyber risk category in their strategic risk register. However:

  • Only 29% viewed cyber threat as a “top risk”.
  • Two thirds (67%) of corporate boards are very concerned about cyber risk, but only 44% claimed they actually make decisions on the topic.

The question is whether the board sees cyber security as an integral part of its business risk strategy, or rather as a tick-box exercise that must be undertaken to satisfy compliance and regulatory departments. It still does not appear that company executives understand the paralysing nature of cyber crime and the ultimate effect it could have on their company’s profits and reputation.

An important part of any cyber defence approach is education, and this must start with senior management. The same Thomson Reuters survey found that board members had a poor understanding of the importance of the intellectual property and company data that they regularly carried around with them in person and on personal mobile devices. A large volume of information was on paper, which was rarely officially destroyed once it was no longer required and was sometimes left on the train! All company employees need to be trained in cyber security, and the board is no exception.

  • The FTSE 350 Cyber Governance Report found that 75% of board members had received no cyber security training.

One way of improving this education is through the Chief Technology Officer and Chief Information Officer, as the main communicators between IT and the business. A key part of their role is to talk to the company leadership in a way that translates the IT detail into business terms.

That means less technical jargon and more about the people and the processes around which the IT framework sits.

The Government is keen to address this language issue and to challenge the common perception that cyber security is an IT problem. In 2013 it launched its 10 Steps to Cyber Security guidance, a simple framework of 10 questions around information security presented in a more business-friendly format. A summary of this document, 10 Steps: A Board Level Responsibility, has been published with board members in mind. The idea behind the 10 Steps is to encourage organisations to adopt a comprehensive risk management approach from the top.

The BIS 2014 Information Security Breaches Survey found that:

  • 81% of large organisations had suffered a breach, at an average cost of £600k – £1.5M
  • 60% of small businesses had suffered a breach, at an average cost of £65k – £115k

A cyber attack like the one experienced by Sony may sound like the stuff of Hollywood movies, but the threat is very real, and it is a threat that will ultimately affect company profits. A threat to company profits is one that no board member can afford to ignore.

If you would like any more information on Information Security and ways in which Broadgate can help your organisation please contact:

Kerry Housley
+44(0)203 328 8006

Posted on : 26-02-2015 | By : kerry.housley | In : Cyber Security
