“One of the main cyber-risks is to think they don’t exist. The other is to try to treat all potential risks. Fix the basics, protect first what matters for your business and be ready to react properly to pertinent threats. Think data, but also business services integrity, awareness, customer experience, compliance, and reputation.” ― Stephane Nappo
In today’s digital age, cyber-attacks are on the rise, and no organization is safe from the threats. Cybersecurity breaches can lead to reputational damage, financial losses, and even legal consequences. In fact, a recent study by IBM found that the average cost of a data breach in 2020 was $3.86 million, with the healthcare and financial sectors among the most vulnerable. Meanwhile, a study by the Ponemon Institute found that the cost of a data breach is higher when a third-party vendor is involved, highlighting the need for effective third-party risk management.
Despite the serious nature of these threats, many boards of directors are ill-prepared to handle cybersecurity issues. According to a survey conducted by PwC, only 42% of boards have a comprehensive understanding of the cybersecurity risks their organization faces.
Boards ought to play a crucial role in overseeing an organization’s cybersecurity strategy and architecture. However, many boards lack the necessary training and knowledge to effectively fulfill this role. Given the serious nature of cybersecurity threats, it is imperative that boards receive adequate training on how to respond to these threats. By doing so, they can help to ensure that their organization is adequately prepared to mitigate the risks of a cybersecurity breach, and protect the organization’s reputation and financial wellbeing.
To mitigate the risks, boards need to prioritize cybersecurity training to develop a strong cybersecurity governance framework, implement effective risk management practices, build a culture of security, and stay informed about emerging trends and threats. The board should also ensure that the organization has adequate resources to implement and maintain effective cybersecurity measures.
Types of cyber threats targeted at Directors:
Directors are often targeted for cyber-attacks because of their access to sensitive information and their high-level decision-making authority within the organization. Cyber criminals may use a variety of techniques to target directors, including spear phishing, social engineering, malware, ransomware, insider threats, Wi-Fi hacking, and phishing. It is important for directors to be aware of these types of threats and to take steps to protect themselves and the organization from cyber-attacks.
1. Spear phishing: This is a targeted form of phishing where cyber criminals send emails that appear to come from a trusted source, such as a colleague or business partner. The email may contain a malicious link or attachment that, when clicked, can infect the director’s computer with malware.
2. Social engineering: This involves manipulating individuals into divulging sensitive information or performing actions that can compromise the security of the organization. Cyber criminals may use social engineering techniques to gain access to a director’s login credentials or other sensitive information.
3. Malware: Malware refers to any software that is designed to damage or disrupt computer systems. Cyber criminals may use malware to gain access to a director’s computer or network, allowing them to steal sensitive information or cause other types of damage.
4. Ransomware: This is a type of malware that encrypts the victim’s data, making it inaccessible. Cyber criminals then demand a ransom payment in exchange for providing the decryption key. Directors may be targeted with ransomware attacks as a way to extort money or gain access to sensitive information.
5. Insider threats: Insiders, such as disgruntled employees, contractors, or business partners, may pose a significant threat to an organization’s cybersecurity. Directors may be targeted by insiders who have access to sensitive information or are in a position to cause damage to the organization’s systems.
6. Wi-Fi hacking: Cyber criminals may use Wi-Fi hacking techniques to gain access to a director’s computer or mobile device when they connect to a public Wi-Fi network. This can allow them to steal sensitive information or install malware on the director’s device.
7. Phishing: This is a common type of cyber-attack where cyber criminals send emails or messages that appear to come from a legitimate source, such as a bank or other financial institution. The email may contain a link to a fake website where the director is prompted to enter login credentials or other sensitive information.
Celine C. Okoroma-Vincent ACIS is a Lawyer, Corporate Governance & Compliance Specialist