Cyber-security is the Board's responsibility, claims APMG

Boards must become fluent in the language of cyber security to improve the way their companies deal with threats, says APMG International.

The Companies Act 2006 states that directors have a legal responsibility to act within their powers and promote the success of their companies, and to exercise independent judgement, reasonable care, skills and diligence. As the severity and frequency of data breaches has increased, cyber security has become an integral part of reasonable care of a company. It is therefore critical that Board members and Non-Executive directors have a full understanding of the threat landscape and their data protection strategies.

Richard Pharro, CEO of APMG, commented: “In the wake of recent breaches, CEOs and their Boards up and down the country are taking the time to assess their own cyber security posture – and if they’re not, they certainly should be. Responsibility for cyber security stops and starts at Board level and it’s critically important that Board members, Non-Executive directors in particular, have a firm grasp of their companies’ risks and vulnerabilities. We are fast arriving at a point when it is no longer acceptable for directors to say that they don’t understand technology or cyber security, which begs the question: When does ignorance become negligence?

“Many Board directors take comfort from the fact their organisations are compliant with standards, such as ISO 27001 and PCI DSS, and believe that their compliance is sufficient for dealing with the threats we face today. Unfortunately, it isn’t. While important, compliance speaks to the state of a business at a given time, but gives little indication about risks, which must be assessed and reassessed on a regular basis,” he continued.

Earlier this year, APMG launched a new cyber defence assessment tool for businesses, CDCAT, which provides a methodology and scoring system for cyber defence preparedness. Drawing on government, military and industry standards of best practice, the assessment shows where the gaps are, and provides a detailed roadmap on how to best mitigate these factors.

“Today’s cyber threat landscape is so sophisticated that security practices cannot prevent all attacks, and, plainly, TalkTalk won’t be the last company to experience a breach of this nature. But there are clearly defined steps that businesses can take to mitigate the impact of an attack or a breach – and make a tangible difference to their cyber defence preparedness. Tools such as CDCAT make the complex world of cyber security more accessible and easier to understand, shifting the discussion away from technology towards management and business practices. This in turn helps directors to identify vulnerabilities in their systems, processes and practices and to define strategy to mitigate risks to critical information assets,” he concluded.