Walking the talk: Why cybersecurity needs a seat in the boardroom

The effectiveness of cybersecurity strategies hinges on the commitment and hands-on involvement of the company’s board and C-suite

Earlier this year, BLACKPINK made waves in the international press for being the first K-pop band to headline Coachella, the popular music festival held in California. While I’ll admit that I am not an avid K-pop listener myself, we can all learn a lesson in cybersecurity from stars like BLACKPINK—particularly when it comes to brute-force attacks.

Fans would remember when the girl group shared a collection of exclusive content on Weverse, which required them to guess and crack the passwords to gain entry and access the content. Naturally, many took a trial-and-error approach to guess these secret codes, submitting various password combinations until they succeeded.

While this approach proved to be entertaining and fun within the realm of fan interactions, the same cannot be said when it is cyber criminals who are working day and night to brute force their way to access your personal credentials and sensitive data. According to Microsoft’s Digital Defense Report 2022, there has been a significant rise in password attacks, with a staggering increase of 74% compared to the previous year. The alarming surge in these attacks underscores the critical vulnerability of passwords—which remain one of the weakest cybersecurity measures in place.

Cyber fatigue is real

The frequency of cyberattacks and data breaches has reached such a level that organisations are now experiencing a state of cyber fatigue. 60% of organisations in Singapore, as reported in Cisco’s latest Cybersecurity Readiness Index, have encountered some form of cybersecurity incident within the past year.

These incidents have become so commonplace that they are no longer viewed as shocking or unexpected. Instead, they are increasingly regarded as an unfortunate yet accepted aspect of conducting business in today’s digital age. We can see this in how an overwhelming majority of companies in Singapore (85%) believe that their organisations will fall victim to cybersecurity incidents within the next 12 to 24 months, despite the high level of awareness of cyber threats.

Furthermore, with the rise of sophisticated cyber threats, Chief Information Security Officers (CISOs) and Chief Security Officers (CSOs) are recognising the critical need to protect company assets and data. However, not everyone in their organisation is walking the talk when it comes to implementing cyber best practices—particularly their colleagues in the C-suite.

Addressing the elephant in the boardroom

There is a prevailing mindset in numerous organisations that the primary responsibility for ensuring robust cybersecurity lies with the CISO or the IT department. Yet Asia Pacific witnessed the highest year-over-year increase in weekly cyberattacks during the first quarter of 2023, with an average of 1,835 weekly attacks per organisation. It is therefore evident that cybersecurity is a board-level issue that needs to be strategically addressed from the top down.

The reality is that cyberattacks are inevitable, and large enterprises and small-to-medium businesses alike will remain vulnerable targets. For instance, several high-profile cybersecurity incidents have leveraged a combination of sophisticated social engineering and other advanced hacking techniques to bypass some companies’ trusted multi-factor authentication (MFA)—a process that requires users to enter additional verification factors besides their password to log in. While attacks bypassing legacy MFA are not new, they are rapidly increasing in both volume and sophistication, both of which will only grow with the propagation of adversarial AI bots.

This current landscape not only heightens the risk of vulnerability to cyberattacks but also exposes organisations to potential non-compliance penalties and loss of customer trust, resulting in potential financial and reputational harm. While there are readily available solutions to prevent credential phishing and MFA bypass attacks, such as FIDO security keys, such tools are often implemented only after a cyberattack has occurred, as in the cases of Twitter and Twilio.

With so much at stake, it is clear that cybersecurity is not only an operational concern but also an essential organisational imperative that necessitates the active participation of board-level and C-suite executives.

This begs an important question: What should board directors and C-suite leaders do to effectively address cybersecurity?

Do not purpose-wash cybersecurity

The concept of purpose washing—a term that was coined around ESG—describes organisations that made verbal declarations and marketed themselves as ‘ESG-friendly’ without concrete actions to support those claims. Interestingly, the current state of cybersecurity evokes memories of the ESG landscape from about a decade ago: companies are vocal about their commitments to bolstering cybersecurity, and yet they don’t walk the talk. Like ESG, cybersecurity demands equal attention as a measurable, reportable business initiative.

Hence, in order to effectively address organisations’ cybersecurity, boards need to take accountability to heart and implement stronger solutions that can mitigate phishing and MFA bypass risks proactively, not reactively.

As the world becomes increasingly digitalised, cybersecurity will no longer be regarded as an optional component. Just as standards for sustainability and workplace equity reporting have been introduced in recent years, we can expect and embrace the implementation of comparable mandates in cybersecurity—with leadership on this front coming from the top.

The C-suite needs to become advocates for cybersecurity

While no business can ever achieve complete immunity to cyberattacks, C-suite business executives and board members possess the authority to reassess their priorities and establish cybersecurity as a critical business imperative. Thus, the C-suite should demonstrably lead in creating an organisation-wide habit of cybersecurity, while board executives can implement industry best practices and collaborate with other industry leaders to enhance their cyber knowledge and guidance.

Ultimately, no business leader has the luxury of letting cybersecurity be an afterthought, unless they’re ready to suffer the financial and reputational ramifications. In an evolving era of increasingly sophisticated digital threats, the effectiveness of corporate cybersecurity strategies hinges on the commitment and hands-on involvement of the company’s board and C-suite.

Andrew Shikiar is the executive director and CMO of FIDO Alliance