We’re hearing more and more about boards of directors playing a greater role in cyber security efforts as a growing number of data breaches make headlines, and now there’s data to back it up. Unfortunately the same research indicates that enterprises need to do much more work to improve their cyber security programs.
Accounting and advisory firm BDO USA, in its 2017 Cyber Governance Survey released in September 2017, sheds some light on how boards are taking a keen interest in the cyber security initiatives of their organizations. It also shows what those organizations are doing—or not doing—to protect against attacks.
More than three-quarters (79%) of the 140 public company directors surveyed in August 2017 report that their board is more involved with cyber security than it was 12 months ago, the study said. A similar percentage (78%) say they have increased company investments during the past year to defend against cyber attacks, with an average budget expansion of 19%.
This is the fourth consecutive year that board members have reported increases in time and money invested in cyber security, BDO USA said.
The vast majority of directors (91%) are briefed on cyber security issues at least once a year. This includes more than a quarter (28%) that are briefed quarterly and more than one-fifth (21%) that are briefed twice a year. The balance are briefed on an annual basis (36%) or more often than quarterly (6%).
Surprisingly, 9% of board members say they are still not briefed at all on cyber security. However, during the four years of the survey, the percentage of directors reporting no cyber security briefings has dropped consistently, from a high of 29% in 2014.
This year’s study indicates that boards are aware of the expanding threat of ransomware, and most of their businesses are proactively addressing the risk of these types of attacks.
A majority of corporate directors (61%) say their company has a cyber breach/incident response plan in place, compared with less than one-fifth (16%) who do not have a plan and close to one-quarter (23%) who are not sure whether they have such a plan.
The percentage of those organizations with plans is about the same as a year ago (63%). But it’s a major improvement from 2015, when less than half (45%) of directors reported having such plans.
Despite the overall positive progress on the security front, however, the survey also revealed some weaknesses in security programs. One is that organizations continue to resist sharing the information they have gathered from cyber attacks with entities outside of their company.
Just one-quarter (25%) are sharing information gleaned from cyber attacks with external entities, “a practice that needs to become more prevalent for the safety of critical infrastructure and national security,” the report said. Sharing information gleaned from attacks is a key to defeating hackers, and the U.S. government has consistently communicated how businesses can contact relevant federal agencies about cyber incidents they experience, the report noted.
Of those organizations sharing information on their cyber attacks, the vast majority (86%) share with government agencies such as the FBI or Department of Homeland Security, and close to half (47%) share with Information Sharing & Analysis Centers. Only 8% of the companies choose to share attack findings with their competitors.
And attacks continue to plague organizations. Nearly one in five (18%) of the board members surveyed indicate that their company experienced a cyber security breach during the past two years, a percentage similar to the previous two years (22%).
One of the fastest-growing types of attacks is ransomware, such as the “WannaCry” attack that earlier in 2017 impacted businesses in more than 150 countries and greatly raised awareness of the threat posed by these kinds of attacks.
When asked whether their organization had taken steps to minimize its vulnerability to ransomware, a majority (60%) indicated that they are addressing the threat. Of those addressing ransomware vulnerabilities, a majority (58%) are placing greater emphasis on patch management, and the same share (58%) are increasing the frequency of data backups. Nearly half of the organizations (46%) said they have improved their ability to restore data more quickly.
As BDO concludes in its report, cyber security will continue to demand the attention and resources of almost all organizations, and the table stakes for those individuals charged with governance at public companies are significant. Both the investment and regulatory communities are paying close attention, the firm said.
“With cyber security threats on the rise for organizations of all sizes and in all industries, boards are encouraged to remain abreast of cyber security developments and continue to educate themselves and their organizations,” the study said. “Companies must be able to detect and mitigate cyber breaches that have the potential to disrupt business operations, damage their brand, and cause significant financial losses.”