The dangers that cyber threats pose have never been as apparent as they are now. High-profile organizations have been on the receiving end, suffering both reputational and financial damage and a hit to brand equity. One thing is clear: cybersecurity is no longer just a problem for the IT department to solve. It is a problem that the entire organization must tackle, and the first step has to come right from the top, from the board level.
To begin with, executives at the board level must understand what they are dealing with. It is interesting to consider what Robert S. Mueller, a former director of the Federal Bureau of Investigation (FBI), said at a cybersecurity conference in 2012: “There are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
Tackling cyber threats at the board level
But that does not mean that it is a hopeless cause. At the board level, cybersecurity must be regarded as a continuous process, with risk mitigation being given as much importance as prevention. The first step is risk identification and management. For that, the senior executives of an organization must look at the enterprise and its environment and identify the specific risks that cyber threats pose.
Some of the threat factors against an organization are common. They may involve:
- Ransomware: Malicious programs which take control of organization systems and demand payment for access to be given back to the user.
- Phishing links: Misleading links in official-looking messages which surreptitiously get unaware employees to provide personal information.
- Unpatched software: Hackers may target security vulnerabilities in unpatched software to gain access to systems.
- Weak passwords: Weak passwords are an easy way for malicious individuals to hack into systems and gain access to data.
The above is just an indicative list of some of the threat factors that plague large and small organizations in this day and age. At the board level, companies can plan against these threats by creating company-wide policies to deal with them. To create these policies, senior executives can first draw up a list of key information and vulnerable assets.
Once details about sensitive assets and other key information are in place, the next step is to create a defined set of cybersecurity policies which will help the organization work against threats. Again, the exact nature of the policy will vary from organization to organization, but some basic policies that can be discussed and defined are:
1. Usage Policy: This policy can determine the different usage permissions allowed to employees. It can deal with topics such as online browsing, downloading, attachment usage, etc. Laying down this policy will ensure that employees can be monitored and can be held accountable for any unreasonable usage.
2. Remote Usage Policy: This policy can set down the company’s position on remote work, which may be beneficial for employees but may pose security risks. This policy should outline whether employees can use personal devices for official work and the security precautions to be taken.
3. Employee Training Policy: This policy will set down the procedure for employees to be trained regarding different facets of cybersecurity. This will ensure organization-wide awareness of the threats.
Based on the decisions taken at the board level, organizations can consider implementing security solutions like Seqrite’s Endpoint Security (EPS) for protection against threats. EPS provides an added layer of protection against a number of the threats outlined above through features such as Advanced Device Control, Application Control, Web Filtering and Asset Management.