Everyone in a business has a role to play in managing cyber security risk, but ultimate accountability to shareholders rests with the board.

Cyber security risk should be as prominent in board discussions as financial or legal risk. This toolkit for boards aims to close the cyber security knowledge gap among board members, giving them the understanding they need to question and direct their organisation’s approach and so strengthen its resilience.

The board toolkit has three main sections: creating the right environment, getting the right information to support decision-making, and managing cyber risks.


Create the right environment

1. Embedding cyber security in your organisation

Cyber security should be integrated into the overall business strategy and risk management processes, rather than treated as a problem for the IT department alone. It requires departments such as IT, HR, communications, legal, and procurement to work together to protect data and systems. A clear cyber security strategy, owned at board level, reduces the likelihood of incidents and limits their financial and reputational impact when they do occur.

2. Developing a positive cyber security culture

A positive cyber security culture ensures that employees view security as a collaborative effort. It encourages openness about security issues, leading to greater resilience and innovation. Leadership plays a crucial role in setting the tone, and clear communication and training are essential to foster this culture.

3. Growing cyber security expertise

Organisations should invest in developing cyber security expertise through recruitment, training, and retention strategies. This includes providing regular training, assessing current skills, and addressing gaps. A diverse workforce with a strong cyber security skill set can effectively manage risks and enhance overall security posture.


Get the right information to support decision-making

1. Identifying the critical assets in your organisation

Understanding and documenting the technical estate, including systems, data, services, and networks, is the foundation of effective risk management: you cannot protect what you do not know you have. Organisations should identify the assets that support their key business objectives, understand how those assets could be compromised, and prioritise their protection accordingly. Collaboration across departments is necessary to achieve this, because the business owners of a service and the technical teams that run it often hold different parts of the picture.

2. Understanding the cyber security threat

Regular threat assessments and staying informed about the cyber threat landscape help organisations prioritise their defences. This involves gathering threat intelligence, participating in information-sharing forums, and integrating threat assessments into the risk management process to focus on the most significant risks.

3. Use this information to evaluate and prioritise risks

Effective risk management involves integrating cyber security risks with overall business risks, performing regular risk assessments, and setting a risk appetite. It’s important to go beyond compliance and focus on understanding and managing actual risks to support business objectives without slowing down operations.


Take steps to manage those risks

1. Implementing effective cyber security measures

Organisations should implement a mix of technical and non-technical security measures tailored to their highest-priority risks. Regularly reviewing and updating these measures, adopting a layered defence so that no single control is relied upon, and ensuring that each measure is traceable to an identified risk are all crucial to maintaining security over time.

2. Collaborating with your supply chain and partners

Ensuring that suppliers and partners meet cyber security standards is critical as their vulnerabilities can impact your organisation. Building strong relationships, communicating security requirements, and conducting joint threat assessments and incident response exercises can enhance overall supply chain security.

3. Planning your response to cyber incidents

A well-prepared incident response plan helps minimise the impact of cyber incidents. It involves making key decisions in advance, complying with legal obligations, restoring business operations quickly, and learning from incidents to strengthen security. Clear communication during incidents is essential to maintaining trust and confidence.

