Canadian boards are agging behind on cybersecurity, according to Ernst & Young’s Global Information Security Survey. Board involvement, an appropriate level of funding, and cybersecurity integration across departments are all key to improving an organization’s cybersecurity posture. This is especially important during the COVID-19 pandemic, during which sudden moves to remote work and other developments have cracked open the door further for breaches.
Cybersecurity breaches in 2019: a banner year for attackers
2019 saw a number of high-profile attacks against Canadian businesses and government organizations. The most well-known was the breach of LifeLabs, a leading medical testing provider. This breach saw private medical information about 15 million Canadians, as well as their usernames and passwords for the site, leaked onto the Dark Web. The City of Stratford, Quebec’s tax collection agency (Revenu Québec), Waterloo Brewing, TransUnion, and Freedom Mobile are just some of the other Canadian organizations that fell victim to a cybersecurity breach in 2019.
The problem with hacking, specifically in the healthcare sector, has left experts asking for the Canadian government to impose new cybersecurity standards on the healthcare sector. In 2019, a number of hospitals and health care service providers in Canada were hacked, and in 2020 eHealth Saskatchewan and Nova Scotia’s health authority were both compromised.
Additionally, the coronavirus pandemic has left additional doors open for attackers in the form of quick moves to remote work, which created a rich orchard of low-hanging fruit for cybercriminals worldwide. The Government of Canada’s Canadian Centre for Cyber Security created a COVID-19 resource page for businesses and government organizations on additional measures that should be taken during the pandemic. It also offers a fact sheet for healthcare sector organizations and special measures they should take to safeguard digital health records.
The Board is a Key Part of the Solution to Inadequate Cybersecurity
Canadian businesses are not doing well on the cybersecurity front than their global counterparts, a fact evidenced by the size and nature of the breaches that occurred in 2019. According to the Ernst & Young survey, 83% of Canadian companies are spending less than 5% of revenue on cybersecurity, as opposed to 64% of companies worldwide.
The survey identifies significant issues with cybersecurity awareness on the part of Canadian boards. 43% of Canadian boards cannot report correct numbers on their organization’s cybersecurity effectiveness, where only 24% of global boards cannot report these numbers. Both spend, and board reporting represent almost 20% gaps between Canada and the rest of the world, which is glaring and unacceptable given the significant threats of business disruption and regulatory issues that a cybersecurity breach entails.
One of a board’s primary functions as a governance body is risk management, and this is a significant risk that is currently not being managed in Canadian boardrooms. The report based on the survey examines how board involvement can improve an organization’s cybersecurity posture.
The three key areas the report names as potential areas for improvement are board involvement, increased cybersecurity spending, and an integrated cybersecurity approach across all departments. Board involvement in an organization’s cybersecurity strategy is the key that unlocks the other two areas of funding and interdepartmental adoption of cybersecurity as a central consideration.
The problem is not that board members do not recognize the threat; they do. According to Mike Maddison, Advisory Cybersecurity Leader for EY EMEIA, the problem is that they find an inability to properly articulate what the issues are and how to execute them.
Get Cybersecurity on Board Agendas and Subcommittee Briefings
If cybersecurity is not a regular item on board meeting agendas, it should be, along with reporting to KPIs developed in tandem with the Chief Information Security Office (CISO). Depending on the size of the organization, cybersecurity should either have its own subcommittee or be briefed on to an existing one, such as the Audit Subcommittee.
The CISO should also report regularly to the board on the cybersecurity profile of the organization. These reports should include:
- Findings from cybersecurity audits and remediation plans
- Current scored/rated security posture of the company
- Investigation results and recommendations from breaches
- Performance against KPIs and risk indicators
The most important thing to remember when communicating with the board on cybersecurity is that they deal, for the most part, in numbers. Saying that a particular threat may be a problem is not going to grab their attention. Itemizing the potential cost of that threat and estimating a percentage chance that the threat will occur is more in line with what a board should expect from a CISO’s report.
Regular, effective reporting from the CISO and communication between the board, CISO, and C-level management will lead to cybersecurity being elevated in importance throughout the organization in a top-down approach. As with anything, having a proper strategy and reporting mechanisms in place will automatically make cybersecurity more of a priority.
Part of improving your company’s cybersecurity is choosing software that checks all of your CISO’s security boxes. DiliTrust’s Governance suite has a board portal that allows you to hold remote board meetings with digital board books, annotated notes, and communications between the corporate secretary and board members. It is also one of the most secure board portal solutions, with numerous safeguards built-in including ISO-27001 certification for cloud data hosting. Contact us today to find out more.