Boards Need to Expand Their Role in Cybersecurity

Boards of Directors have been getting the message from the news media. News last year highlighted numerous instances of data theft, such as:

  • A data breach at Revenu Quebec of the names and social insurance numbers of 23,000 employees.
  • A Manitoba-based insurance company was hit with ransomware by a gang that threatened to release customer information unless it was paid.
  • The city of Stratford, Ont., acknowledged paying the equivalent of $75,000 in bitcoin following an attack in April.
  • Wireless carrier Freedom Mobile blamed a third party for hosting an unprotected database with personal and credit card information on thousands of its subscribers.
  • TransUnion Canada said attackers compromised a Winnipeg leasing company to get access to personal information on some 37,000 Canadians.
  • Other victims included Toronto’s Michael Garron Hospital, the Government of Nunavut and the city of Woodstock, Ont.

All of these incidents make it clear that Boards need to take the risks seriously. And many do. However, their efforts often lag tremendously behind the relentless march of technology. While the bad actors are employing advanced techniques to find and extract sensitive data, the boards are often mired in the basics of security, such as developing a cybersecurity policy and having data backup and recovery procedures in place. Internal audit reports have shown this for years. These basics are essential, but having policies and procedures in place does very little to address the real issues.

There needs to be a policy, but it needs to be backed up with proper budgets and infrastructure to enable its implementation. There need to be procedures, but they need to be reinforced with ongoing testing of their effectiveness. And there needs to be a process for changing all this to deal with new technology developments, which are happening constantly.

Boards of Directors need to expand their traditional role in security matters to address the challenges of cybersecurity. For more on this, check out this reference as well as this one.
