Canadian boards are lagging behind on cybersecurity, according to Ernst & Young’s Global Information Security Survey. Board involvement, an appropriate level of funding, and cybersecurity integration across departments are all key to improving an organization’s cybersecurity posture. This is especially important during the COVID-19 pandemic, during which sudden moves to remote work and other developments have opened the door further for breaches.
Cybersecurity breaches in 2019: a banner year for attackers

2019 saw a number of high-profile attacks against Canadian businesses and government organizations. The most well-known was the breach of LifeLabs, a leading medical testing provider. This breach saw private medical information about 15 million Canadians, as well as their usernames and passwords for the site, leaked onto the Dark Web. The City of Stratford, Quebec’s tax collection agency (Revenu Québec), Waterloo Brewing, TransUnion, and Freedom Mobile are just some of the other Canadian organizations that fell victim to a cybersecurity breach in 2019. The problem with hacking, specifically in the healthcare sector, has left experts asking the Canadian government to impose new cybersecurity standards on that sector. In 2019, a number of hospitals and health care service providers in Canada were hacked, and in 2020 eHealth Saskatchewan and Nova Scotia’s health authority were both compromised. The coronavirus pandemic has also left more doors open for attackers in the form of quick moves to remote work, which created a rich orchard of low-hanging fruit for cybercriminals worldwide. The Government of Canada’s Canadian Centre for Cyber Security created a COVID-19 resource page for businesses and government organizations on additional measures that should be taken during the pandemic. It also offers a fact sheet for healthcare sector organizations on special measures they should take to safeguard digital health records.
The Board is a Key Part of the Solution to Inadequate Cybersecurity

Canadian businesses are not doing as well on the cybersecurity front as their global counterparts, a fact evidenced by the size and nature of the breaches that occurred in 2019. According to the Ernst & Young survey, 83% of Canadian companies are spending less than 5% of revenue on cybersecurity, as opposed to 64% of companies worldwide. The survey identifies significant issues with cybersecurity awareness on the part of Canadian boards: 43% of Canadian boards cannot report correct numbers on their organization’s cybersecurity effectiveness, whereas only 24% of global boards cannot report these numbers. Both spending and board reporting show gaps of almost 20 percentage points between Canada and the rest of the world, which is glaring and unacceptable given the significant threats of business disruption and regulatory issues that a cybersecurity breach entails. One of a board’s primary functions as a governance body is risk management, and this is a significant risk that is currently not being managed in Canadian boardrooms. The report based on the survey examines how board involvement can improve an organization’s cybersecurity posture. The three key areas the report names as potential areas for improvement are board involvement, increased cybersecurity spending, and an integrated cybersecurity approach across all departments. Board involvement in an organization’s cybersecurity strategy is the key that unlocks the other two areas of funding and interdepartmental adoption of cybersecurity as a central consideration. The problem is not that board members do not recognize the threat; they do. According to Mike Maddison, Advisory Cybersecurity Leader for EY EMEIA, the problem is that they struggle to properly articulate what the issues are and how to address them.
Get Cybersecurity on Board Agendas and Subcommittee Briefings

If cybersecurity is not a regular item on board meeting agendas, it should be, along with reporting against KPIs developed in tandem with the Chief Information Security Officer (CISO). Depending on the size of the organization, cybersecurity should either have its own subcommittee or be briefed to an existing one, such as the Audit Subcommittee. The CISO should also report regularly to the board on the cybersecurity profile of the organization. These reports should include:
- Findings from cybersecurity audits and remediation plans
- Current scored/rated security posture of the company
- Investigation results and recommendations from breaches
- Performance against KPIs and risk indicators
published on 2020/24/06