Faster, higher, stronger… those tenets so evident in the Olympic Games might equally describe the drive for digital transformation as businesses strive to adopt technologies that will unlock better commercial performance, more efficient operations and quicker time to market. However, there is an essential fourth tenet for governance, risk and compliance (GRC) professionals: “safer”. Because there is no doubt that, as businesses restructure around digital processes and partner with numerous third-party organisations to build complex digital ecosystems, the role of cyber security is critical.
Digital Transformation and Cybersecurity Are Inextricably Bound
As businesses seek to grow more flexible and scalable by migrating core systems to the cloud and supporting the rapidly evolving “work from anywhere” culture, their digital footprint grows rapidly. The attack surface has expanded: there are more endpoints than ever before, and employees access confidential customer and corporate data over home and public networks. This has created an enormous opportunity for cybercriminals, and they have not been slow to take it. Industry watchers estimate that ransomware attacks in the UK surged 151% in the first half of 2021, with 14.6 million attempts recorded, and ransomware is just one of the many options in the cybercriminal arsenal.
Malicious external threats are not the only cyber risk facing organisations and their boards. As our work and home lives become more closely intertwined, IT and governance teams must now consider deploying security measures that protect employees' home offices and mobile working set-ups, so that staff do not inadvertently share or lose sensitive data.
Effectively, data must be protected at every point in its journey through the organisation — and also when shared with authorised third parties — if the risks associated with theft or accidental loss are to be mitigated. With these risks ranging from reputational damage and operational impacts to legal compliance failure and, in the case of the theft of corporate intellectual property, competitive compromise, GRC professionals could be forgiven for wishing that the digital transformation genie could be put back in the bottle. However, competitive drivers mean the business can’t afford to be left behind, something highlighted by the pandemic, where digital laggards found themselves at a considerable disadvantage when establishing remote-working, for example.
So, how can GRC professionals work with colleagues in IT to build a cybersecurity framework that protects board business and the wider organisation?
Choose the Right Technology to Support Processes
The first step is to examine the current processes and associated data flows to identify gaps that can be plugged through further digitisation and the use of supporting tools. For boards, the creation and sharing of confidential board materials is an excellent example. Often companies have digitised part of the process but haven’t yet found an end-to-end solution. So, we might see board packs being created as documents in a secure area on the corporate network by governance team members before being dispatched to directors via email.
There are a couple of weak points in this approach. First, version control and security challenges exist when multiple people are working on the same document. As Diligent SVP and MD Liam Healy put it: “It’s often not the final version that’s the most sensitive; it’s version ten. And if that version is leaked or sent to the wrong email account, that’s a big risk.” Yet this is easily done as team members collaborate to get the job done.
The second risk arises in the distribution phase. Email is not a secure channel for sharing sensitive information, and it is even less so when material leaves the corporate network for non-executive directors who may be using personal email accounts. A single compromised inbox could expose the entire board pack. If the lost data is subject to stock market or data-privacy regulation, its publication or misuse is a severe compliance failure as well as a security incident.
Board-related cyber risk can be mitigated by providing governance teams with secure board management software to create, collaborate on and distribute board materials. Tools such as Diligent Boards also provide version control and audit trails, so every change is tracked and each individual's access and editing rights are locked down to the least privilege their role requires.
The principle of least privilege, and the related philosophy of zero-trust networking, are gaining currency across the cybersecurity landscape now that the traditional corporate network perimeter has dissolved. GRC professionals who understand and apply these principles to board activities can align with security colleagues who already follow the same approach.
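The two controls above, least-privilege access to each version of a board pack and an audit trail that records every decision, can be illustrated with a small model. This is an added example, not Diligent's code or any real portal's logic; the roles, users and the "Q3 board pack" with its draft version ten and final version eleven are constructed for the illustration. It goes slightly beyond the text by making the audit trail tamper-evident (each entry carries the hash of the previous one), which is what lets an audit trail be trusted rather than merely kept.

```python
"""Least-privilege access to board materials with a tamper-evident audit trail.

Added illustration, not Diligent's code or any real portal's logic. The roles,
users and the sample board pack are constructed for the example.
"""
import hashlib
import json
from dataclasses import dataclass, field

# Roles are assumptions for illustration; a real portal would take them from its directory.
GOVERNANCE = "governance"  # company secretariat: creates and edits drafts
DIRECTOR = "director"      # reads final versions only
OBSERVER = "observer"      # no default rights; needs an explicit grant


@dataclass
class Version:
    number: int
    status: str  # "draft" or "final"
    body: str


@dataclass
class BoardPack:
    name: str
    versions: list = field(default_factory=list)
    # Explicit per-user grants (user -> set of actions). Everything else is denied.
    grants: dict = field(default_factory=dict)


class AuditTrail:
    """Append-only log; each entry carries the hash of the previous entry, so
    removing or editing an earlier entry breaks the chain and is detectable."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(payload):
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

    def record(self, user, action, pack, version, allowed):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"user": user, "action": action, "pack": pack,
                 "version": version, "allowed": allowed, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)

    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            payload = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or self._digest(payload) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def authorise(user, role, action, pack, version, audit):
    """Default deny. Governance staff may read and edit any version; directors
    may read final versions only (draft "version ten" never reaches them);
    anyone else needs an explicit grant on this pack. Every decision, allowed
    or denied, is written to the audit trail."""
    if role == GOVERNANCE:
        allowed = action in ("read", "edit")
    elif role == DIRECTOR:
        allowed = action == "read" and version.status == "final"
    else:
        allowed = action in pack.grants.get(user, set())
    audit.record(user, action, pack.name, version.number, allowed)
    return allowed


def demo():
    """Constructed scenario: a draft v10 and a final v11 of one board pack."""
    audit = AuditTrail()
    draft = Version(10, "draft", "draft board pack text")
    final = Version(11, "final", "approved board pack text")
    pack = BoardPack("Q3 board pack", [draft, final], grants={"auditor": {"read"}})
    decisions = {
        "secretary edits draft": authorise("secretary", GOVERNANCE, "edit", pack, draft, audit),
        "director reads draft": authorise("chair", DIRECTOR, "read", pack, draft, audit),
        "director reads final": authorise("chair", DIRECTOR, "read", pack, final, audit),
        "director edits final": authorise("chair", DIRECTOR, "edit", pack, final, audit),
        "auditor reads final": authorise("auditor", OBSERVER, "read", pack, final, audit),
        "contractor reads final": authorise("contractor", OBSERVER, "read", pack, final, audit),
    }
    return decisions, audit


if __name__ == "__main__":
    decisions, audit = demo()
    for label, allowed in decisions.items():
        print(f"{label}: {'allowed' if allowed else 'denied'}")
    print("audit trail intact:", audit.verify())
```

The point to take from the model is the default-deny branch: a user with no role and no grant gets nothing, and the denied attempt is still logged, which is what lets a governance team see who tried to reach a draft they should never have had.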
A Chance to Shore Up Cybersecurity Culture in the ‘Human Layer’
Alongside the technology to enhance cybersecurity, GRC professionals must also look at the corporate culture around cybersecurity. It is often said that people are the weakest link in the cybersecurity armour, and securing the ‘human layer’ is the hardest challenge because of our innate fallibility. Humans are often easier to hack than software, as the prevalence of successful phishing campaigns and clicked ransomware links shows.
However, digital transformation offers an opportunity to drive home educational messages to employees at all levels, including the board, about protecting company data and staying alert to malicious messages and unsafe links. Board directors in particular are frequently targeted by spear-phishing or “whaling” attempts because of their authority and access to privileged information, so director training should be refreshed regularly. The risk to directors can also be reduced through secure board communication channels, separate from email and the corporate network, that provide assurance that a message really comes from another director rather than from an impersonator.
Fostering a culture of security awareness in a business that now has a higher proportion of home workers, including remotely based board directors, should also cover how sensitive company data is handled in the home. From advice on the secure disposal of printed documents to keeping separate, secured Wi-Fi networks for home and work use and using digital assistants such as Alexa safely while working, the list of issues to consider is long.
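The assurance that a message genuinely comes from another director comes down to one check: a tag over the message that only the claimed sender could have produced. The following is an added example of that check, not Diligent's or any vendor's mechanism; it uses HMAC-SHA256 from the Python standard library, and the director names, the key directory and the messages are constructed for the illustration.

```python
"""Authenticated director-to-director messages.

Added illustration, not Diligent's or any vendor's mechanism. It shows the
property the section describes: a message claiming to come from one director
verifies only under that director's key, so an impersonator using their own
mailbox or their own key is rejected. The director names and keys are
constructed for the example.
"""
import hashlib
import hmac
import json
import secrets


def issue_key() -> bytes:
    """Per-director key, assumed to be issued by the channel when the director enrols."""
    return secrets.token_bytes(32)


def _canonical(message: dict) -> bytes:
    # Sort keys and strip whitespace so sender and verifier hash identical bytes.
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def send(sender: str, recipient: str, body: str, key: bytes) -> dict:
    """Build a message and bind sender, recipient and body together under the sender's key."""
    message = {"from": sender, "to": recipient, "body": body}
    message["mac"] = hmac.new(key, _canonical(message), hashlib.sha256).hexdigest()
    return message


def verify(message: dict, directory: dict) -> bool:
    """Look up the key for the claimed sender in the channel's directory and
    check the tag. Unknown senders, altered fields and tags made with any
    other key all fail. compare_digest avoids a timing side channel."""
    key = directory.get(message.get("from"))
    if key is None:
        return False
    payload = {k: v for k, v in message.items() if k != "mac"}
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(message.get("mac", "")))


def demo() -> dict:
    """Constructed scenario: the chair writes to a non-executive director, then
    an attacker who holds only their own key tries to impersonate the chair."""
    directory = {"chair": issue_key(), "ned": issue_key(), "attacker": issue_key()}
    genuine = send("chair", "ned", "Please approve the Q3 pack by Friday.", directory["chair"])
    forged = send("chair", "ned", "Urgent: wire the funds today.", directory["attacker"])
    tampered = dict(genuine, body="Please approve the revised Q3 pack by Monday.")
    unknown = send("ghost", "ned", "Hello", issue_key())
    return {
        "genuine": verify(genuine, directory),
        "forged": verify(forged, directory),
        "tampered": verify(tampered, directory),
        "unknown sender": verify(unknown, directory),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'accepted' if ok else 'rejected'}")
```

Because HMAC keys are symmetric, whoever holds the directory could also produce a valid tag, so a production channel would give each director an asymmetric signing key and keep only public keys in the directory; the shape of the check, resolve the claimed sender to a key and reject on any mismatch, is the same.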
Managing Third-Party Cyber Risk
A business’s liability for data protection extends to its choice of technology partners. Whether a cloud service provider or software-as-a-service partner, the business must ensure the required cybersecurity standards are adhered to and regularly audited to limit third-party cyber risk.
Ultimately, while digital transformation rolls inexorably onward, cybersecurity must be an equal focus for organisations to manage the associated risks effectively. GRC professionals can play a crucial role at the intersection between risk and compliance, identifying gaps and pushing for remediation so the organisation can gain the advantage of digital transformation and fly faster, higher, stronger and safer.
WANT TO LEARN MORE?
For more on the strategic role governance leaders can play in driving a secure approach to digital transformation, check out Boards Transformed.