This Data Privacy Day it is time to address those who serve on Boards of Directors because there is an opportunity to turn 2023 into the year of Cybersecurity culture building – starting at the very top.
These days when it comes to an organization’s cybersecurity strategy, the question isn’t IF a breach will occur, but WHEN. Cybercriminals are becoming more sophisticated and the frequency of attacks is rising. Staying on top of each and every threat is like trying to ice skate uphill. And with the average cost of a data breach expected to hit $5 million in 2023, it is vitally important to prioritize your security strategy to protect your most sensitive data.
With the number, frequency and sophistication of threats increasing, it’s important that organizations build a security-minded culture, where employees at all levels feel empowered and accountable to not only protect sensitive data, but also to build resiliency into the business. However, organizations often turn their attention to employee security training and forget to bring along those at the top. As Boards become acutely aware of data privacy and data protection, they are increasingly interested in participating in the governance of both.
Here are five useful steps Board and C-suite members can take now to ramp up their cybersecurity expertise in 2023 and beyond.
- Add a cybersecurity expert to the Board. This will help drive a cybersecurity culture and make data privacy governance and data security a priority at the highest level of the organization. Visibility is key to building trust, because it helps people understand how data privacy, data security and compliance are maintained in the background. This applies to the Board as well. Having clear and well-understood policies and solutions can drive investment and buy-in. In fact, the U.S. Securities and Exchange Commission recently proposed a new rule that, among its recommendations, mandates cybersecurity experience at the Board level as well as regular reporting. And it is not just regulatory bodies pushing for more of this knowledge at the Board level – MIT recently launched a course to teach Board members security tactics.
- Create a cybersecurity committee in which qualified Board members can participate in advising and mitigating risks. Creating this committee opens the door to more resources and support as the CISO and their team have the opportunity to build allies and champions within the Board, C-suite, and across the organization.
- Conduct a cost-benefit analysis on cybersecurity insurance. While cybersecurity insurance can be an effective part of an organization’s overall security strategy, it’s expensive and it usually doesn’t cover everything. Cybersecurity insurance is a tool within a company’s security toolbox to recoup losses from unforeseen incidents – it’s not meant to be a substitute for risk management. An insurance payout may cover the direct cost of a breach, but it won’t cover the damage to reputation and trust. Each company is different and so are its security needs, so it’s important to evaluate all factors and decide whether such coverage meets your business needs.
- Learn the distinct differences between data privacy and data security. These terms are often mistaken as interchangeable ideas; however, while they are connected, they are fundamentally different. Data privacy focuses on how personal data is collected, used, and shared. Data privacy laws and regulations vary by region, each with varying degrees of rigor and enforcement. Conversely, data security is focused on how sensitive data is protected from external and internal threats. From a compliance perspective, taking ownership of data security means taking responsibility for abiding by the data privacy regulations in place, such as the EU’s GDPR (General Data Protection Regulation) and the CCPA (California Consumer Privacy Act), to name a few. If an organization gets its data security framework right, then it can achieve data privacy for its clients. If not, then that’s a problem. Of all the information available, a person’s identity is the most coveted data there is, and it is when identity data is mishandled that the opportunity for fraudsters arises.
- For user authentication, it’s time to embrace some friction. For years experts have touted the need to remove friction (or passive authentication) from the consumer, workforce and citizen identity verification experience. However, when friction is completely removed, that’s often when a breach happens – particularly when friction is removed through workarounds rather than by reducing complexity. There’s an idea circulating among experts that some level of friction can serve as a trust builder: if people have no impediment to accessing applications and services, they start to question whether there are any security measures in place at all. This tells us organizations need to strike the right balance between minimizing friction and maintaining customer trust in an organization’s or government’s ability to keep their personal data safe. When systems are secured, employees are enabled, partners are confident, and customers feel safe doing business with the organization, then you know you’ve got a formula that works.
Board-level involvement in the governance of data privacy and security for an organization can only enable an improved security posture and help mitigate risks. So go ahead and seek out opportunities to engage with your organization’s CISO to see how you can help keep sensitive data safe.
Interested in learning how Entrust can help you with your organization’s cybersecurity strategy? Visit our website: https://www.entrust.com/identities-payments-data-protection