No organisation is immune to the anxiety that the threat of cyber attack poses. Cyber breaches and attacks are hitting the headlines with a rising frequency. According to DCMS, 32% of businesses in the UK experienced a cyber breach or attack in the last 14 months.
But cyber anxiety isn’t always translating to cyber action at the Board level.
Data released last month by Auxilion found that less than half of C-suite execs in the UK think their cybersecurity budget is adequate to protect against potential threats. At the same time, over a third (39%) feel their organisation isn’t suitably primed to respond to a cyber breach. Moreover, the likelihood of attack increases from 32% to 59% and 69% for medium and large businesses, respectively.
Whilst senior leaders are worried and numerous organisations are claiming cyber is a priority, it’s evident that this commitment isn’t truly demonstrated by senior execs in the Boardroom. But there are ways organisations can achieve true cyber resilience and bring confidence back to the C-suite and the Board.
First, it’s worth re-establishing the playing field of cybersecurity as it stands today.
Most organisations are familiar with social engineering threats like phishing emails, and many deliver cybersecurity training sessions to teams to help them spot a suspected scam and have tools in place to try to filter these out. Even better, some organisations have multi-factor authentication (MFA) in place.
But this simply isn’t enough to be fully cyber secure in today’s landscape.
What’s interesting about the rise in attacks is the different types of attacks. MFA bypass attacks, which use a combination of social engineering and other hacking techniques to bypass MFA systems, are becoming increasingly common. Big brands and cloud service providers like Uber, Reddit and Twilio have all been hit recently, making it clear that even MFA, while undeniably better than relying on passwords alone, isn’t enough when a shareable credential still underpins accounts.
There’s also a new factor to consider: the rise of generative AI tools is making it far easier to automate and craft compelling phishing emails.
Navigating credential phishing and MFA bypass attacks is not an easy feat. Still, there are tools available today, like FIDO security keys, that are able to prevent such incidents. Many companies have embraced FIDO authentication only after falling victim to attacks (e.g., Twitter, Twilio). By contrast, Cloudflare’s experience with the 0ktapus attack attests to the efficacy of these keys in preventing any real compromise.
So, if preventive measures exist, why do these attacks continue?
Less than half of Board members regularly engage with CISOs, with nearly a third encountering their CISOs solely during Board presentations. This absence of meaningful dialogue between directors and security leaders underscores the lack of proper attention and accountability dedicated to the subject. Overburdened CISOs are usually acutely aware of the challenges but lack the resources, funding or backing to enact substantial change. This is intensified in smaller organisations, where IT teams can toil in isolation, unable to influence the C-suite.
Cybersecurity cannot be perceived solely as the realm of the IT department, nor can it be relegated to reactive measures after issues arise. Whether you’re in management or hold a seat on the board, becoming a cyber champion can help change views of cybersecurity from being a technical matter to one of organisational and strategic imperative. It must be considered as critical as sales, HR, and marketing and deserves the corresponding agenda space.
It’s also important to embrace cyber-related discussions in non-technical meetings. Taking an active role in these conversations, questioning the presented information, sharing personal anecdotes, or actively commending those spearheading changes within the organisation are practical steps that directors can take to effect change.
If the threat posed by the reputational and financial damages an attack might create isn’t impetus enough to spark action, it’s also worth thinking longer term about requirements and mandates that might soon come into force. Cybersecurity best practices and phishing-resistant MFA may soon become regulatory or de facto mandates, especially for Cloud Service Providers (CSPs) who increasingly shoulder the responsibility of protecting the digital assets of others.
Having a robust internal system is going to be essential for these players. It is conceivable that customers choosing a CSP will soon begin mandating cybersecurity best practices, such as phishing-resistant MFA. The C-suite should be driving such changes today, not reacting to the inevitable market demands around the corner.
In time, we hope the culture of fear around cybersecurity will abate in the boardroom. Business leaders at the highest level should feel confident talking about cyber to a variety of audiences and must prioritise related investments accordingly.
Shikiar additionally has held executive and managerial roles driving various emerging initiatives at leading technology companies. Most recently, Andrew served as VP of marketing and business development for machine learning pioneer BigML.