Technology Advisor Blog



Cybersecurity Training for Board of Directors: A Full Guide

Posted by Ann Westerheim on 4/12/24 3:04 PM

Board Meeting - Ekaru - Cybersecurity Training for Board of DirectorsThis guide will explain not only why cybersecurity training for board of directors is important, but also give you the critical questions that boards should be asking their CEOs and themselves to address their organization's cyber defenses.

As more companies succumb to cybersecurity threats, it’s critical for the highest level of leadership, the board of directors, to be vigilant. We'll also explain the risks of cybersecurity liability and how a board of directors can mitigate these security risks.

Is Cybersecurity Training for Board of Directors Necessary?

As fiduciaries, cybersecurity training for a board of directors is extremely important in today’s business environment. As technology continues to rapidly advance, so does the volume and cost of cybersecurity threats. Experts agree that by 2024, cybercrime could result in global costs of up to $9 trillion each year. Even more disturbing, 60% of businesses close within six months of a data breach. Despite the dangers, only 14% of small businesses are prepared for cyber attacks.

Many might think that the CEO is the key to ensuring network security throughout the operation, but that’s not enough. Yes, the CEO has the operational responsibility for instilling cybersecurity in all aspects of the business. However, boards have the final fiduciary responsibility for the company when investors or other stakeholders are involved.

To ensure that the businesses’ network and data are truly protected, board leadership in cybersecurity is a must. In the end, they are the ones who can truly mandate and enforce proper cybersecurity processes from the highest level.

Understanding Board of Directors’ Cybersecurity Liability

What a board of directors, and any business leader, must recognize is that cybersecurity is not just an IT issue, but a strategic business concern. Corporate giants Yahoo and Target have both experienced cyber security events that resulted in major shareholder lawsuits - resulting in a loss of customers, revenue, and reputation.

To avoid such repercussions, boards are increasing cyber awareness in organizational governance and seeking cybersecurity training for board of directors members. But how can boards ensure that their organizations are prepared to face cybersecurity challenges? In addition to launching board-driven cybersecurity initiatives, preventing cybercrime starts with recognizing the liability associated with cyber threats.

SEC Cybersecurity Compliance

The U.S. Securities and Exchange Commission (SEC) holds that a cybersecurity incident is just as material as a physical incident, such as a factory burning down. Boards must recognize that any level of cyber breach has implications for customers and profitability. Cyber threats can disrupt operations, impact stock prices, and cause investors and customers significant problems due to data theft. That’s why the SEC mandates the filing of the 8K form, disclosing the event of a cybersecurity incident.

For example, Microsoft recently filed an 8K form for an incident in which multiple internal emails belonging to top-level staff were hacked and data was stolen. Cyber experts like Ekaru believe that this is a strong indication that these staff members did not use multi-factor authentications to secure system passwords. While Microsoft followed the correct procedure of disclosing their attack via the 8K form, this indicates a massive lapse in their cybersecurity plan.

Another important compliance form that addresses corporate cybersecurity readiness is the 10K form. This requires that the business file a statement outlining the cybersecurity measures protecting the organization. Doing so provides a great opportunity for cybersecurity policy development from the board itself.

The 5-Step Cybersecurity Framework for Board of Directors

Board leadership in cybersecurity starts with understanding the 5 steps of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Everything an organization will need to create powerful network security starts with five steps.

1. Identify

Organization leaders need to identify the software, equipment, and policies needed to protect IT data and infrastructure. This includes identifying cybersecurity training for the board of directors and staff necessary to safeguard the network.

2. Protect

Leaders must create, document, and implement active measures to safeguard IT data. This includes bringing on security software, encrypting data and wifi connections, using safe passwords, and creating backup data plans. Companies must also identify technology gaps that may leave the network vulnerable and then secure them.

3. Detect

Businesses must establish protocols to monitor computers for unauthorized access and suspicious activity. There should also be training and protocols regarding identifying suspicious behaviors and when to alert supervisors.

4. Respond

If a breach does occur, the board must have a contingency plan for how to contain and resolve the fallout. Details that should be addressed include notifying customers/stakeholders, reporting the incident to law enforcement, isolating the source of the breach, and identifying how the breach occurred.

5. Recover

Once the cyber threat has passed, leaders must have procedures for repairing equipment, removing malware or compromised accounts, and beginning the process of recovering data. This is also where having a data backup and recovery plan will come into play.

Today, every company is required to have a disaster recovery plan; because cybersecurity threats are just as liable and damaging, cybersecurity must factor into such plans as well. Therefore, boards should be discussing this right now, whether they’re public or private. If members aren’t IT or cybersecurity professionals, this simple framework provides a great place to start a broader cybersecurity conversation. Of course, this is where cybersecurity training and preparedness must take a central focus.

Cybersecurity Training for Directors: Requirements

Cybersecurity training for a board of directors isn’t just a good business practice, it’s required. For one thing, all cyber insurance policies require staff to be trained on how to secure vital systems and protect customer data. In the state of Massachusetts, data security laws require companies to demonstrate how they are trained and verify that they are prepared to maintain cybersecurity.

According to the SEC guidelines, while companies aren't required to have a cybersecurity expert on the board of directors, they are required to specify how they are getting cybersecurity training and who their sources are for said training. So how can boards get the training needed to champion cybersecurity throughout their organizations?

Getting Cybersecurity Training for Boards

It’s virtually impossible for anyone to read the news without seeing a new cybersecurity event. They impact everybody - there's no escaping it. Especially for a board of directors, there's a lot of money at risk with cybercrime. Therefore, having basic cybersecurity training is the first step to fostering a culture of cybersecurity awareness needed to truly protect the company. The good news is that this training doesn’t require a degree or even lengthy coursework to grasp the fundamentals of cybersecurity. Here are two resources you should prioritize.

Cybersecurity Materials: Cybersecurity for Main Street

Staying up-to-date on news and cases of cybercrime is important for remaining informed of current trends. But another great way to not only educate board members but also the entire company is by focusing on specific training materials. Many books are available for easy consumption that cover a variety of cyber topics. Just recently, Ekaru CEO Ann Westerheim, Ph.D., published Cybersecurity for Main Street: Cyber Fit in 21 Days.

Modeled after a fitness self-help book, Cybersecurity for Main Street is designed to give everyone, from board members to CEOs and regular staff, the basics of all things cybersecurity. By just explaining central concepts in plain English, Westerheim covers topics like:

  • What's a complex password?
  • Why do you need multi-factor authentication?
  • Who are cybercriminals targeting?
  • And more!

The value of using a clear, easy-to-understand book like this for training purposes is that a board of directors can circulate the material as a common text or required reading throughout the company. This literally gets everyone on the same page in regard to cybersecurity!

Professional Cybersecurity Training

Cybersecurity training for the board of directors and staff must incorporate professional guidance. After all, 95% of cybersecurity breaches occur from internal human error. You need professional training to help your company defend against both external and internal threats. To this extent, partnering with a customer-trusted cybersecurity firm like Ekaru for training is an investment that can save you thousands if not millions of dollars. You also get access to industry leaders who can guide your team on all the essential security topics. Here are just a few examples of the cybersecurity training Ekaru provides:

  • What is Personally Identifiable Information (PII)?
  • Protecting Credit Cards and Customer Information
  • Spotting Phishing Scams
  • Avoiding Phone Scams
  • Using Strong Passwords
  • Public Wi-Fi Dangers
  • Protecting Mobile Devices
  • Clean Desk Policy
  • And more

Access Ekaru Cybersecurity Training Today: Call us at 978-692-4200

How Boards of Directors Build Cyber Resilience

Cybersecurity Risk Management, Security Assessments

Educating the board, C-level staff, and employees on the risks of cybercrime is a major step in building cyber resilience throughout the organization, but it’s only the first step. Security assets and procedures must be put into place to truly secure company data. In other words, the board should work with higher leadership to define a cybersecurity risk management plan to proactively secure the IT network.

One of the first things that boards of directors should do to achieve this is to simply have the business undergo a cybersecurity assessment. A thorough security assessment will identify the unique security risks the company faces, and even more importantly, reveal system weaknesses that can be reinforced to fortify the network’s security.

Schedule Your Free Cybersecurity Assessment

Cyber Risk Management Dashboard

Again, the board of directors cannot be idle with looming cyber threats; instead, they must be aware of all threats and issues that occur so that they can respond immediately. To this extent, creating a cybersecurity dashboard is highly effective for both real-time visibility and accountability.

By using the NIST cybersecurity framework to build a dashboard, every board member can quickly see where cyber threats may lie and how they are being mitigated. This is also a great resource to be featured in 10K filings, simultaneously showing how the organization is defending against cyber threats and serving as a guide for other company-wide security policies.

Dashboards can be structured in different ways around the individual company. Generally, board members will want to organize an audit committee and establish a process for supervising the dashboard, as well as procedures when incidents or risks need to be addressed.

5 Cybersecurity Questions Every Board of Directors Must Ask Their CEO

One of the most crucial components in a full-scale, integrated cybersecurity plan is the CEO. After all, the CEO reports to the board of directors and is responsible for orchestrating the mission and administration of the business. But how can the board ensure that the CEO is prioritizing cybersecurity effectively? Here are some starting questions:

  1. Is there a coherent map of all the data and technology systems used by the organization?
    This is very simple: you can’t protect what you’re not aware of. All technologies and data must be under surveillance and have adequate permissions and software defenses in place.
  2. Is security patching being conducted regularly?
    Boards ought to understand how and if all the systems are being patched. This is a simple, free opportunity to introduce a basic level of security throughout the various business computers. Cybersecurity training for boards of directors will emphasize the creation of a patch policy for the company to help protect against new cyber threats that emerge.
  3. Where does the data flow in the organization?
    CEOs should be able to report permission requirements and outline how data flow is monitored and stored effectively using safe, compliant protocols.
  4. What data needs to be protected?
    Businesses must account for the personally identifiable information that is entrusted to them by customers. Several regulations, such as the General Data Protection Regulations, must be followed to safeguard mission-critical data that, if stolen, could be used to harm or extort individuals. The board must ensure that there are contingencies in place to both protect this data and respond effectively should a data breach occur.
  5. What would be the impact of losing the data or losing network access?
    This is probably the toughest question any board member can ask. However, it is essential to know what would happen if mission-critical data became unavailable or network access was cut off. Odds are, it would necessitate the company shutting down to deal with the breach completely. The board of directors needs the CEO to provide concrete details on what's being done to prevent such an event from occurring, as well as the rapid recovery/response plan should an incident arise. This is also where communications need to be looked at, including how the incident is reported and addressed.

Cybersecurity Is a Company-Wide Priority

Cyber threats and data theft are major issues that aren’t going away, and these are things all businesses face. Big government can't solve it. Big tech can't solve it. These are issues that really require everyone's participation, especially the board of directors of a company. No matter the size or industry of an organization, cybersecurity training for boards is paramount because it emphasizes the importance of cybersecurity throughout the organization.

What’s more, cybersecurity training for the board of directors gives these top-level leaders the insight they need to ensure that their company is taking all safety precautions necessary to protect their data and vital IT systems. While training is necessary, it’s not enough.

Cybersecurity training must be paired with the implementation of actionable cybersecurity processes and tools. To do this effectively, boards of directors and business leaders should seek the aid of qualified cybersecurity specialists to implement truly powerful network security.

Ready to get the quality cybersecurity training for the board of directors, as well as the insight needed to defend your business? Contact Ekaru at ​​(978) 692-4200.

Topics: Cybersecurity training for a board of directors

Subscribe by Email





    Most Popular Posts



    Browse by Tag

    See all tags...


    Posts by Month

    See all months...


    Connect With Us



    Older Blog Posts

    For older Ekaru blog posts, go to ekaru.blogspot.com.