How UK Boards Can Build a Cyber Security Culture

Building a cyber security culture is one of the critical factors in protecting a UK company from hackers, threats and data breaches. The leadership for building such a culture should come from the board, but most boards are not rising to the challenge.

UK boards fail to build a cyber security culture

More than a quarter of UK businesses surveyed by SolarWinds pointed to lack of user competence as one of the main reasons cyber security was inadequate at their organisations. Many IT professionals cite a lack of organisational strategy as the most common barrier to adequate threat protection.

The same research found that 23 per cent of UK organisations had experienced misuse of company systems, further demonstrating the need to make good cyber security practice a cultural fact across companies.

What is a cyber security culture?

Here’s how the European Union Agency for Network and Information Security (ENISA) defines cyber security  culture:

“The concept of Cyber security  Culture refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of people regarding cyber security and how they manifest themselves in people’s behaviour with information technologies. Cyber security  Culture encompasses familiar topics including cyber security awareness and information security frameworks but is broader in both scope and application, being concerned with making information security considerations an integral part of an employee’s job, habits and conduct, embedding them in their day-to-day actions.”

UK boards clearly need to understand what elements make up a cyber security culture in practice. First, UK boards must have a complete understanding of exposure, according to a report by the London office of PwC.

“Many organisations fail to understand properly why they might be targeted; what might make them vulnerable, and how a successful attack might impact them.

The understanding needs to extend beyond the enterprise. It must reflect relationships that could make them a target and the complexity of digital connections that could cause them to be vulnerable: suppliers, service providers, partners, cloud services, critical data feeds, staff and customers to name a few. It must also reflect what data the organisation manages, why and where.”

Building this understanding, and ensuring it stays current, is the most effective defence against cyber security risks.

UK boards must get the cyber security skilled resources they need

To maintain the understanding needed for cyber security , boards must both build skills at the board level and ensure that skilled resources are available throughout the company.

“Effective cyber security requires capable skilled resource that is empowered and resourced to shape an organisation to be secure,” continues PwC. Boards need to be confident in the capability of their security function and its leadership, their ability to drive a broad response to cyber security across the whole enterprise, and rapid access to wider capability when required.”

Not only must boards take a direct role in building management-level skills, but boards must ensure that at each touchpoint for cyber security, the necessary skill set is there. This may mean conferring regularly and directly with the CISO to review cyber security issues at every level.

For boards to be effective in this area, they themselves require sufficient capability to probe, challenge and support management. Board-level time needs to be devoted to drilling into detail, since that is where significant issues can lie. Capable non-executives are required, potentially supported by a board sub-committee with additional expertise.

Boards must embed cyber security in the organisational fabric

But there is also an internal element, as ENISA points out:

“Culture is also unique to each organisation, and to create a robust and sustainable CSC requires an in-depth knowledge of the organisation, its overall culture, strategies, policies, employee practices and processes. To be successful, a CSC needs to be embedded in the organisational culture and it should take into account employee needs and practices. If CSC programmes and activities become too burdensome, there is a risk of employees resisting or ignoring CS messages, technologies and practices being implemented. CSC must be formed with employees, rather than imposed upon them. That said, there is also a clear need for visible and vocal buy-in from senior management to provide legitimacy to, and a clear signal on the importance of, an organisation’s CSC programme,” the ENISA report shows.

Boards Must Also Make a Thoughtful Review of Law and Regulations

There is a large body of regulation regarding cyber security, and boards must master that which is relevant to their entire organisation, not just to their geography.

“Cyber security cuts across an increasingly complex legal and regulatory environment globally. Industry regulation, data protection regimes, national security legislation, reporting requirements and product liability are a few examples of legal and regulatory environments that need to be understood, and a considered global response developed and maintained,” points out PwC.

To build a culture of cyber security at the board level, and to enable board members to master the complex technical and legal aspects of it, a solid governance support is required. A high-quality board portal can provide both the security needed at the board level and the library of materials, access to experts and rapid communication that board members require to build their own cyber security  culture, and to integrate it throughout their organisation.

Diligent Governance Cloud helps UK boards to build a cyber security culture

Diligent, as the long-standing market leader for high-level corporate communications, is uniquely positioned to offer its clients the highest level of assurance around security measures. Diligent’s unique position in the marketplace allows for investment in best-in-class security practices at a level that is greater than most players’ annual revenue.

With ongoing investment and dedication to security technology, resources and infrastructure that no other provider can match, Diligent clients gain a strategic partner that truly puts security first.

In order to maintain up-to-date knowledge and expertise, all members of Diligent’s Security Team are active participants in the information security community. This means that they are aware of nearly anything that hackers have available, ready to thwart all of the most sophisticated techniques of attack.

Diligent has established a security programme based on industry standard frameworks that is dedicated to ensuring customers have the highest confidence in our custodianship of their data. Our Information Security Management System (ISMS) is ISO 27001:2013 certified and our cyber security framework is based on NIST standards.

Diligent Boards™ data is housed in a world-class hosting infrastructure. Co-location data-hosting facilities are operated at Tier 3 equivalent or higher standards. Diligent owns and operates its own equipment. Data stored by customers in the Diligent Boards solution is not hosted by any third-party cloud providers. Instead, it is stored on Diligent’s own secure servers and protected by strong physical security. Access to these data centres is limited to authorised personnel only and is verified by two-factor authentication.

Data is encrypted at rest, in transit and on the users’ devices. The Diligent Boards service supports the current recommended secure cipher suites to encrypt customer data in transit and at rest. Customer data is encrypted at rest on Diligent’s storage systems and on the customer’s mobile devices that run the Boards apps. Customer data encryption keys are stored in a tamper-proof FIPS 140-2 L3 certified Hardware Security Module.

Diligent has a documented Security Incident Response Program in place to handle a security incident. Incident response procedures are tested and updated at least annually. All incidents are managed by Diligent’s Security Incident Response Team. Diligent classifies the event and determines the incident response process. In the event of a security breach, Diligent will promptly notify customers of any unauthorised access to customer data.