Why cybersecurity should be a board priority

Companies need to acquire more cybersecurity knowledge at all levels; every executive team must have a Chief Information Security Officer.

Cybercrime is a very profitable sector. Coupled with geopolitical evolutions, with certain countries conducting cyberattacks, companies that have increasingly digitized core processes are becoming very vulnerable.

If cybersecurity is inadequate, the consequences can be severe. Consider ransomware, malicious software that encrypts files on a computer and demands a ransom to release them, or deepfake fraud, such as at a British engineering firm where an employee recently transferred 23 million euros based on false images of the CFO, made with artificial intelligence. You only need a photo and a few seconds of speech to make a deepfake.

There are other ways criminals are using AI. They used to send poorly written English-language phishing emails on a large scale to gain access to computer systems. Now, they can almost automatically send highly targeted, well-written emails based on (profile) data found online.

European legislation

Companies must therefore be more concerned with cyber security than ever. However, in practice, this often leaves much to be desired. Companies will have to do better quickly. Boards also have to catch up in the field of cyber and technology knowledge.

From October 18, 2024, NIS2 will introduce legislation that will make the board and management liable for cybersecurity. For non-compliance, fines can amount to 10 million euros or 2 percent of global annual turnover, whichever is higher. That’s why it is essential for companies to acquire sufficient knowledge of cybersecurity in-house, and not just on the board. The executive team must include a Chief Information Security Officer (CISO), and the board must give the CISO the mandate to roll out a cyber policy throughout the organization.

Protecting critical business processes

A good cyber policy not only integrates into all strategic initiatives and crisis management of the company but also strengthens the supply chain. How vulnerable is the company's ecosystem? What are the consequences if a supplier becomes a victim of cybercrime? And what happens to your customers if your company itself suffers a cyberattack?

The board must make enough resources available to protect its critical business processes from an impactful cyberattack. Has the company taken the proper measures to protect them? Is there a monitoring system that quickly warns if there are signs of a cyberattack? Does the company have sufficient capacity and knowledge to respond?

Awareness and training

Corporate culture and awareness are crucial and require constant attention. Boards must also endorse its importance. Every cyberattack involves people; they are the first line of defense. Awareness and training are crucial for preventing, responding to, and recovering from a cyberattack. For example, if you work in finance and get a strange request from the CFO to transfer money, pick up the phone to confirm.

Companies can take out cyber insurance to cover, among other things, the damage caused by unauthorized access to IT systems. However, that insurance is becoming increasingly difficult to obtain. A few years ago a simple report was sufficient, but nowadays the conditions are much stricter. Companies that are not very advanced with their cyber security policy no longer receive insurance.

At EY, we can help clients implement a complete cyber strategy. Our experts help companies identify cyber risks, determine priorities, ensure a long-term improvement path and monitor progress.