
Published on September 14th, 2022 📆 | 4346 Views ⚑


Cybersecurity myths every board member should dismiss



Although the majority of boards of directors (BODs) view cybersecurity as a business risk, only four out of 10 organizations feature cybersecurity on the quarterly boardroom agenda. A cybersecurity blind spot at the board level can have serious consequences for overall strategy, insight, and governance. In fact, one of the biggest enablers of modern-day cyberattacks and breaches is probably the lack of knowledge and oversight of leadership teams on cybersecurity-related issues.

While there is no shortage of alarming headlines about cyber risks, here are five common myths board members would be wise to dismiss.

MYTH 1: CYBERSECURITY IS ONLY RELEVANT FOR CERTAIN BUSINESSES

Cybersecurity is often perceived as something that is only required by certain types of companies, namely regulated industries such as government, healthcare, and banking. Some wrongly assume that cyberattacks only happen to enterprises of a particular size, scale, or value.

Contrary to popular belief, small businesses and mid-market businesses are frequently attacked and are more likely to experience a breach than larger organizations. Ransomware operators are opportunistic, targeting any organization that has valuable data, from non-profits to NGOs, from manufacturing units to schools, and even houses of worship. Ransomware scams spare no one.

MYTH 2: BUSINESSES THAT DEPLOY TECHNICAL CONTROLS ARE FREE OF RISK

It’s commonplace to assume that if an organization has made reasonable investments in cybersecurity controls, it is protected from most cyber threats. The reality is that 82% of cyberattacks have nothing to do with a failure of cybersecurity systems or software; most security breaches can be traced back to the human element (phishing, stolen credentials, human error), and these typically go undetected by technical controls because they originate from legitimate sources such as employees or trusted partners.

MYTH 3: CYBER RISKS ARE NOT A BOARD ISSUE

Cybersecurity teams aren’t known to be great communicators and often get too involved in technical aspects rather than developing soft skills that can convey cyber risks in business terms. On the flip side, board members assume that security is best left alone to IT and is not worthy of board attention. Studies show that board members are often only updated on cybersecurity issues after the fact, when an incident has occurred.

BODs must realize that the law is increasingly making them accountable for cybersecurity oversight—the Home Depot $17.5 million data breach settlement required the board to assume day-to-day digital oversight. There have been instances (e.g., Target) in which key executives were personally held accountable for cyberattacks and data breaches. The SEC is even planning to introduce new rules that mandate disclosure of a board member’s expertise in cybersecurity.

MYTH 4: ATTACKS ON SUPPLIERS AND PARTNERS ARE NOT A MAJOR CONCERN

One reason threat actors target small to mid-sized organizations is that small businesses are usually part of the supply chain ecosystem of larger enterprises. Attacks on SolarWinds, Log4j, Kaseya, and Codecov are recent examples of attacks in the software supply chain that led to the compromise of thousands of businesses worldwide. In fact, software supply chain attacks tripled in 2021.

When agricultural equipment giant AGCO was hit by a ransomware attack, it had a downstream impact on the global supply of agricultural equipment production. The ransomware attack on Colonial Pipeline last year triggered fuel shortages and panic buying across the eastern seaboard.

MYTH 5: CYBERSECURITY IS TOO TECHNICAL FOR STAFF TO GRASP

Cyberattacks leverage natural human weaknesses (judgment errors, biases, careless online behavior, weak passwords, poor software patching, etc.) as a means of gaining a foothold in victim networks. One wrong click, one downloaded attachment, or one scam on social media is all it takes for attackers to compromise users.

Business leaders must consider the importance of training all employees on how to spot social engineering scams and malicious communications, alerting them to the latest tactics and techniques used by threat actors, and providing them with procedures for contacting security teams when something suspicious occurs. Finally, board members must equip themselves with the right knowledge and training so that they too can set the right tone in support of the organization’s security culture.

One of the key responsibilities for BODs is to strategically manage risk, which now includes an ever-evolving and expanding threat landscape. The myths mentioned above likely only scratch the surface; however, they provide a strong case for boards to make cybersecurity an integral part of their overall purview and accountability.


Stu Sjouwerman is the Founder and CEO of KnowBe4 Inc., the world’s largest Security Awareness Training and Simulated Phishing platform.
