Cybersecurity incidents are not only increasing in frequency, but also in cost.
In fact, the global average cost of a data breach in 2024 is $4.88 million, which is a 10% increase from 2023. It’s also the highest cost to date. Of course, financial repercussions are not the only cost organizations face when they deal with a cybersecurity incident—as reputational and operational damages can also cripple the business.
Board members must play an active role in mitigating and preventing cyber attacks. However, only 12% of S&P 500 companies have a current or former board member who is a cyber expert. This knowledge gap may be hurting your organization now and in the future.
How can you ensure your organization doesn’t end up in the latest cybersecurity breach news cycle? It starts with asking the right questions.
Navigating today’s cybersecurity landscape: Areas of focus for the board
Technology capabilities have grown significantly over the years, empowering organizations to operate more efficiently and drive expedited outcomes. As technology becomes increasingly intertwined with business objectives, board members need to evaluate technology decisions in the same way they evaluate strategic business decisions.
Just as the board guides an organization’s business direction, it is also now responsible for ensuring that the correct technology elements are enabled to support the business strategy and the right level of cyber risk tolerance is achieved and managed.
To ensure responsible oversight, the board should focus on the following areas:
Six strategies to increase your cybersecurity knowledge
For boards to successfully oversee their organization’s cybersecurity program, bridging the current knowledge gap is essential. This will help ensure cybersecurity is adequately addressed in regular board meetings and allow boards to confidently carry out their duties where cybersecurity is concerned.
Here are six strategies you can use to build your knowledge and become more prepared to integrate technology risk into decision-making processes:
1. Ensure you are getting regular updates about cybersecurity. During these sessions, carve out time to discuss the top risks in your industry and relevant experiences of similar organizations, and ask questions around what your business is doing to mitigate, prevent, or respond to the risk of those types of incidents happening to your organization. The answers you receive may be key in strengthening your organization's defense framework.
2. Shift the focus from technical metrics to common-sense metrics that highlight risk and value. For example, identify the number of end-of-life systems with vulnerabilities and the controls in place to mitigate their risks, or discuss the complete costs of cyber breaches, which include the actual response team, legal support, as well as the impacts to insurance premiums and the organization's revenue. Use industry benchmarks to compare your organization with others in your vertical, helping you understand where the organization stands and what improvements are required.
3. Bring in external cybersecurity experts. Board members can not only enhance their cybersecurity knowledge, but also get support "translating" technology-focused information into risk-focused insights and strategies. Ultimately, adding a cyber seat to the board will offer regular access to the expertise you need that complements your organization's risk management, security, and technology teams.
4. Host facilitated incident simulations to get a deeper understanding of actual cyber threats and how to respond to them. These exercises will help you understand your role as a board member during a cyber event, the potential impacts, and areas for continuous improvement in process flows, and will build muscle memory.
5. In the event of a cyber attack, actively engage with and receive updates from the security experts and incident response teams. By staying updated on the incident's progress and outcomes, board members can offer independent oversight and ask questions to uncover any lingering risks. It's also important for boards to understand how the organization plans to respond to future cyber attacks.
6. Learn from close calls and previous cyber incidents. What you learn may be what stops it from happening again, especially since 83% of organizations have had more than one cybersecurity breach. Ask how many times these close calls or actual incidents have happened and what the organization has learned, in order to identify gaps and develop appropriate measures.
The board’s critical role in managing cyber risk
What has changed in recent years is the level of scrutiny around the board of directors. After all, boards are there to help the organization manage risk—and that includes risks from cybersecurity incidents.
In a recent Gartner study, 88% of boards of directors said they view cybersecurity as a business risk, which highlights the move to prioritize cybersecurity as a focus of the board. It is your fiduciary duty to not only provide independent oversight to manage the company’s cybersecurity posture, but also to challenge your organization in different ways to raise the bar for your defense framework.
How BDO can help
At BDO, our approach to cybersecurity is a business-focused approach to managing cyber risk. We offer board education sessions to help bridge the knowledge gap and enable board members to stay ahead of the rapidly evolving technology landscape. In these sessions, we show board members how to refocus a technology-centered conversation into one about business risk, so that boards can effectively offer a responsible level of oversight and ask the right questions of their teams. Our board education sessions also cover the latest cyber risks organizations are facing today and what organizations are doing to mitigate those threats.
In addition, our Perpetual Defence framework can help organizations elevate their cybersecurity posture and gain pre-emptive threat management that adapts to evolving cybersecurity risks. The framework includes comprehensive preparation; 24x7x365 monitoring, detection, and response; and operational and offensive security testing.