Business leaders’ knowledge and awareness of cyber risks continues to increase. Even so, 91% of World Economic Forum survey respondents believe a calamitous global cyber event is at least somewhat likely in the next two years — and that’s a serious call to action for boards of directors.
Now’s the time for boards in Canada and beyond to develop a much deeper understanding of cybersecurity and ask questions accordingly. The rapid evolution of cyber threats requires organizations to become better prepared and more resilient in withstanding cyberattacks.
How should cybersecurity transform the board’s agenda now?
Cyber risk in and of itself is nothing new. Especially in recent years, headlines have highlighted bad actors prying their way into businesses to wreak often costly havoc. That said, the nature of these threats is evolving quickly. So is the scope of cyber risk that businesses now face.
Traditionally, boards have viewed cyber risk through a relatively internal lens. They’ve focused on the security of internal operations, digging in to understand how email platforms, databases or financial platforms might be exposed. As more businesses digitally transform, boards need a more holistic understanding of cyber risk. That means thinking beyond the internal implications of cyber risk to explore any potential threats and vulnerabilities across the ecosystem in which that business operates.
From employees, customers, vendors and suppliers to third-party contractors: a digitally connected working world has removed boundaries and interconnected stakeholders across vast ecosystems. At the same time, businesses are increasingly embracing innovation and deploying emerging technologies, which can unknowingly introduce unwanted risk any number of ways.
For example, a well-coordinated cyberattack on a fully automated distribution centre could derail a business’s ability to serve customers and keep products moving. That kind of crisis doesn’t just delay deliveries; it erodes stakeholder trust across the value chain.
These threats are especially poignant in industries where cybersecurity hasn’t typically been top of mind. For instance, a manufacturer or mining company that may not store a lot of personal data or trade secrets might not be as well prepared to handle a cyberattack because it wasn’t particularly relevant to their operations in the past. Today, production and operation automation, robotics and the use of autonomous vehicles, for example, have permanently changed that reality. Therein lies the problem — and the opportunity.
Empowering boards with better insight into a specific organization’s cyber threat landscape helps weave cybersecurity right into the business’s DNA. This approach sends a clear message on the importance of proactively managing cyber risk by setting the right tone from the top — fostering greater accountability, transparency and resilience overall.
How can boards begin to reframe their approach to cyber risk? Asking critical questions across three key areas can be a positive step in a safer direction:
1. Have we aligned cyber risk to enable business objectives?
Trustworthiness isn’t any one thing. It’s an equation: the combination of credibility, reliability and intimacy or self-orientation. Trust is achieved when organizations align their words, brand and stakeholder promise. And it’s increasingly important to Canadian consumers.
Over the course of the pandemic, more than half of consumers surveyed told EY the crisis made them more aware of the personal data they share. At the same time, nearly three quarters of consumers, including Canadians, believe technology makes life better and can help solve problems. Organizations that embrace that sentiment and work to solidify digital trust can carve out a distinctive position with these customers, one with the potential to deepen relationships and create long-term value.
Boards have a part to play in entrenching trust in organizational DNA by giving it clear ownership, embracing privacy- and cybersecurity-by-design, pursuing resilience and making cyber a standing agenda item at the board level.
2. Are we getting granular about operational technology and cyber risk?
Boards need a basic understanding of the cyber risks that pose a threat to the security and resilience of operations. This requires them to think beyond day-to-day internal operations and learn more about threats to business operations.
Key board considerations should include a better understanding of risks associated with process automation, electronic sensors and other Internet of Things (IoT) devices that keep business operations running smoothly. This is about drilling down into core business functions to understand the operational, financial and cyber risks associated with each area, in addition to the administrative component. Whether we’re talking about the operating technology that keeps miners safe or the equipment that keeps a production line moving: boards need a strategic map that overlays what the business does with its greatest possible threats. That map should extend across the value chain, identifying upstream or downstream cyber risks that could throw things offline.
3. Do we have clear metrics to keep our cybersecurity approach on track?
As a concept, “what gets measured gets done” has been around for a long time. And it’s true to this day. Cyber risks change as quickly as technology. Discussing that changing landscape at the board level isn’t enough. Organizations now need a dedicated framework to show how teams are proactively identifying and detecting new threats, where third-party exposure is cropping up, how many single points of failure exist across a given ecosystem, and what visibility and tracking are in place to manage any exposure.
In addition to identifying these risks, organizations need to simulate, prepare for and recover from an incident. Understanding the outcome, lessons learned and course of action taken then becomes a key metric organizations must embed into ongoing learning and process improvement.
All of this matters. Without that knowledge, boards could struggle to bridge understanding into action on cybersecurity. That would be a missed opportunity.