Far too often, the Board and senior leaders are considered as prime targets for hackers since they have access to highly sensitive data with very little IT oversight. Not only does cybersecurity training ensure that the Board remains knowledgeable on the topic of cybersecurity, but the Board will also be aware and confident of important business decisions in the event of a cybersecurity incident, should it occur.
What should be presented to the Board?
There is a plethora of topics that could be included when the Board is being trained on cybersecurity. However, it’s quite possible that a tremendous level of technical details on an organization’s cybersecurity program could be left out. To avoid this, a designated Chief Information Security Officer (“CISO”) should present the training to the Board in an understandable manner. The topics that should be emphasized and considered include the following:
Examples of cybersecurity organizations that support cybersecurity awareness:
In recent years, more and more organizations have joined the Financial Services Information Sharing and Analysis Center (“FS-ISAC”). This industry is dedicated to reducing cybersecurity risk in the global financial system, which allows other financial institutions to share their ideas on anticipating, mitigating, and responding to cyber threats. US-Cert, DHS Automated Information Sharing Program, Center for Internet Security (“CIS”), and Infragard are among others that are being used as well.
Are there other topics that should be presented?
Other than cybersecurity strategies that an organization has or is preparing to implement, there are other important factors that should also be considered when the Board is being trained. These topics should include the following:
Different types of cyber-attacks: The Board should be educated on the different types of cyber-attacks. The top 8 most popular cyber-attacks are listed below:
Best practices to reduce risk: The Board should be informed of the proper ways and best practices of reducing the risk and threats the organization faces on a day-to-day basis. Some obvious examples of this include:
Changes in regulatory issues and impacts: Due to the high scrutiny of cybersecurity, regulatory examiners have updated new laws and regulations that financial institutions must abide by as of specific dates. It is vital that the Board is informed of these new and upcoming laws in order to be aware of what’s to come and what its organization has done in order to meet these requirements.
Just as it is essential for the Board of Directors to be provided with adequate cybersecurity training, it is also imperative to keep in mind that employees should be receiving training on, at least, an annual basis. Attackers are and will continue to find more and more ways to lure organizations’ employees in providing information in order to gain access to networks or critical information. With the proper security awareness training in place, an organization’s executives as well as its employees will be equipped with the knowledge needed to protect the organization from all forms of cyber-attacks and defend it from the disaster of a security breach.
Leave a Reply.
OnCourse is a blog dedicated to providing an informative and fresh look at matters that affect the banking and financial industry, including the direction of risk, compliance matters, audit, and more.
Questions? Suggestions? Comments?
Email us at OnCourse@acxellrms.com