The Board of Directors should implement company wide security training, tools, and automation to minimize risk and increase prevention.
The pervasiveness of data breaches has firmly placed the topic of cybersecurity on the agenda of the Board of Directors. It is part of their responsibility as members of the board to understand the threat landscape, current best practices, and what the company is doing to protect the employees, customers, constituents and shareholders. This has led to the creation and administration of cyber committees, working alongside other risk committees. Having a separate cyber risk committee allows for the appropriate level of focus and oversight to be integrated into enterprise risk management and planning, without overloading the audit committee with work. Below are some of the key things the Board of Directors and the cyber risk committee need to do to minimize risk and approach security with a prevention mindset:
Conduct security awareness training across all levels of the organization.
Establish reporting protocols and systems of attestation for transfer agents and third-party vendors.
Replace duplicative and legacy technology with platforms that natively work together.
Implement tools that strip malicious code and links from emails, block command-and-control traffic, and hunt for malware and confidential files on sanctioned SaaS services.
Segment different parts of your network into different risk zones. This can provide visibility regarding which users and applications are trying to move between them.
Leverage automation in your defenses to reduce the burden on security teams.
Restrict access to SaaS-based tools for employees who have no business justification for using them.
Perform periodic risk assessments and/or cyber audits to determine whether social engineering or additional vulnerabilities exist; pay particular attention to the safeguards and controls around employee records.