• Monday, March 04, 2024
BusinessDay

Why board members should give more attention to information security

A key reason businesses go under while others struggle to stay afloat in today’s competitive environment is the neglect of information security. While organizations must provide the necessary value in exchange for needed value, it is also essential that they do not lose sight of customer data security.

Businesses such as financial institutions, healthcare service providers, and online shops with access to sensitive customer data should pay particular attention to how they handle it. A recent article by David Sennaike titled “How I Hacked a Group of hackers operating on Nigerian Banks: A Tale of Nigeria’s Cybersecurity State of Financial Institutions” describes in detail the active vulnerabilities that hackers have utilized to copy and sell sensitive financial information of Nigerian banking customers.

If the information in the article is anything to go by, many senior management staff of the affected institutions should be out of their jobs. Their insensitivity to active and continuous information security could be penalized if affected customers decide to press charges.

The report shows that we can’t overstate the importance of active and continual information security. Not only is it necessary to protect sensitive customer data, but it is also pertinent to create systems that will not harm but maintain customer trust in line with industry regulations.

Unfortunately, we cannot accurately estimate the cost of information security-related breaches in the financial services sector because some customers have lost a fortune without the knowledge, willpower, or legal means to reclaim it. As in most companies, the task is handed to top audit firms, and the perceived assurance comes from them and from Vulnerability Assessment and Penetration Testing (VAPT) reports, yet these firms certainly need help renewing their knowledge of the ever-evolving information security field.

In his article, David mentioned that top financial institutions with millions in budget still have known vulnerabilities, meaning that vulnerabilities exist not because of a lean budget but because executives relinquish their oversight of customer data or information to big audit firms. Due to their large clientele, these firms don’t have the time to review vulnerabilities and thoroughly remediate them using current technologies.

While indictments of the leading audit firms are now commonplace in certain parts of the world, with fines for negligence and lack of thoroughness, financial compensation most times cannot fix the damage to reputation. Board members and their appointed officers must up their game by educating themselves on how best to protect the customers’ data entrusted to their care.

It remains the sole responsibility of the board members and their appointed officers to protect the data obtained from customers, even after the company’s demise. They are responsible for ensuring that appropriate policies, procedures, and processes are in place to prevent and respond to security incidents.

Findings have revealed that, with the introduction of artificial intelligence (AI), businesses face enormous risks associated with information compromise or data leakage. AI is redefining how we work around the globe, accessing more data than ever. Once data is compromised anywhere, AI can help enhance its manipulative tendencies to mimic the intellect and tone of the owner of such data, and act in their capacity without their knowledge. AI can also keep track of and delete logs and traceable records, which can result in extensive financial damages and likely imprisonment for the data owner.

Top decision-makers in the organization must make a deliberate and conscious effort to skill and re-skill all members of staff on cybersecurity. All hands must be on deck with a view to ensuring the total security of data. The drive to improve employee understanding of the risks to information security can help organizations reduce their security risks and protect their data in various ways.

To reiterate, investing in the latest security technologies and educating employees on cybersecurity is necessary to ensure that information security remains a priority. It will create awareness of cybersecurity threats among all members of staff. Once everyone in the organization is aware of a likely threat to the IT infrastructure, there will be spontaneous readiness to combat it, and, as a result of that consciousness, everyone will also be ready to follow the processes and procedures that secure the IT infrastructure.

Corporate organizations should not just adopt a readily available Information Security Strategy (ISS), a blueprint for protecting the IT infrastructure, data, and personnel from security threats, for certification or compliance, but should take care to adjust it to fit the company’s specific needs. ISS implementations differ across sectors, organizational structures, staff strength, and maturity.

It typically includes a comprehensive assessment of the organization’s adopted security posture, a risk management plan, and a detailed list of security policies and procedures. Organizations must implement and regularly update a tailored strategy to meet their needs.

The plan must include measures for testing, monitoring, and responding to security incidents. The goal of the strategy is to ensure the security and confidentiality of data, the integrity of systems and applications, and the availability of services.

ChatGPT recommended that management ask the team the following questions as a start to improving their information security landscape:

What security measures are currently in place?

What threats is the organization vulnerable to?

What processes and procedures are in place to prevent and respond to security incidents?

What training and awareness programs are available to help employees understand and adhere to security policies?

What technologies are available to protect the organization’s information assets?

How is the organization’s security posture monitored and tested?

What steps should be taken to ensure compliance with applicable laws and regulations?

How does the organization’s security posture compare to that of its competitors?

What are the costs associated with implementing and maintaining a secure environment?

How can senior managers ensure the organization’s security measures remain updated and effective?

The prevailing notion that the cost of protecting an asset should be equal to or less than the cost of the asset can be dangerous to customers. The cost and consequence of customer personal data getting into the wrong hands may last a lifetime.

Businesses should emphasize the importance of information security despite the need to make a profit. A responsible approach is critical for protecting customer data, customer trust, and compliance with industry regulations.