Boards need to take an active role in ensuring that the companies they are responsible for have a proper cybersecurity plan in place. Data security is vital to ensuring that a company can continue to do its business uninterrupted. It is also necessary to maintain or exceed compliance with Canadian and global regulations on data privacy. What are some practical measures boards can take to make sure that the company’s cybersecurity is on the right track?
Educate Your Board on Cybersecurity
Understanding what the risks are is key to decision-making at the board level, no matter what the subject is. Have your Chief Information Officer or, where you have one, your Chief Information Security Officer tasked with training your board on cybersecurity measures. This is essential for board members who do not have a tech background, and is useful even for those who do, so that they stay educated about the latest threats. Cybersecurity training which includes best practices for board members, such as not using personal email for board communications, should be a part of each new director’s onboarding package.
The Conference Board of Canada’s Cyber Security Board has some excellent resources if you want to do some background reading.
Reexamine Current Security Software Solutions
The collection of tools used by your IT team for cybersecurity is usually referred to as a “tech stack” in IT speak. Ask your team to reevaluate your company’s current tech stack and cybersecurity budget to ensure that they have the most cutting-edge tools to protect your company’s data. DiliTrust Exec, for example, uses many security measures to protect data both in storage and in transmission, including being certified to ISO/IEC 27001:2013. This standard ensures that DiliTrust is following best practices for data safety.
If your IT department is smaller, it may be the case that it lacks the resources for proper cybersecurity implementation. Company management should make resources available, and the company should put together a strategic plan for cybersecurity rather than rushing to implement something for the sake of having it.
There are many cybersecurity consultants in Canada who can both help you develop a plan and provide steps for its implementation. These cybersecurity consultants will also ensure that your data storage is in compliance with provincial, national and global data privacy regulations.
Investigate Your Data Sovereignty Landscape
Data sovereignty refers to the practice of trying to store the majority of your company’s data in the country in which your business is based. This is important as technically, once data crosses a border, it is subject to the laws of the land in which it resides.
Realistically, it is not possible to have complete data sovereignty. Emails, for example, may be routed through cities outside of Canada and there is no good way of stopping this practice. However, you can look at solutions such as DiliTrust Exec which allow you to transmit sensitive company data within the software solution rather than using email.
Establish Standard Reporting Metrics
The software solutions your IT department chooses should have the capacity to report on your company’s cybersecurity risk landscape and how threats are being managed. Work with your IT department to establish a high-level report that can be given to the board at each meeting and make sure each director understands how to interpret it. Level of preparedness, intrusion attempts, and security ratings are part of this comprehensive list of meaningful KPIs for a cybersecurity board report.
Establish a Cybersecurity Committee
Where your business is large enough to do so, consider establishing a cybersecurity committee which reports directly to the board. A cybersecurity committee should have directors, management, and other team members who can best inform the board about cybersecurity risks and the company’s current cybersecurity posture.
Discard the “It Can’t Happen Here” Mentality
In November 2019, the Office of the Privacy Commissioner of Canada released a report which showed that the number of online breaches in Canada had increased dramatically, with an estimated 28 million Canadians affected by a data breach within a 12-month period. Every business in Canada is a potential target.