The total number of breached accounts reached a new record in early 2019, when Collection #1 hit the news. The mega leak showed how undeveloped cybersecurity still is, especially given that organizations are increasingly moving to the cloud and have yet to secure it properly.
This is a meager number once we consider the fact that around 80% of organizations have experienced a cybersecurity incident. Most of these incidents were severe enough that they were reported to the board. That can only mean that the executive boards of most companies are well aware of the cybersecurity threats they face.
So, it's clear that executive boards need to make IoT security, and cybersecurity in general, a priority. Cybersecurity is no longer an IT problem as it used to be. It's a massive problem that affects the reputation of the company's brand and its bottom line. So, what are executive boards doing about it?
What is the Board Doing about Cybersecurity?
The short answer is not much. However, there is now a sizable number of companies that have at least one member of the board who is an expert in cybersecurity. Considering how crucial cybersecurity is, it's only sensible to have an expert on the board.
Despite this rising trend, only about 42% of board members recognize that cybersecurity threats are the biggest ones their companies are facing at the moment. Unfortunately, IoT is still a small subset of the overall cybersecurity problem in their eyes. Still, the general trend is positive for now, so we can expect board members to take it more seriously in the near future.
How Can We Mitigate Risks Facing IoT Governance?
It's clear that all of this still requires a lot of work. First of all, companies need to recognize the need for separate board-level cybersecurity committees that will deal with all cybersecurity threats and implement solutions that will ensure the security of IoT. At the moment, only 10% of organizations have this type of committee.
Because of the large number of security threats facing IoT devices and cyberspace, and the variety of their impacts, it's not enough to have a single board member specialized in cybersecurity making decisions. The entire board must be involved. The board needs to have actual governance over the company's security, not just a say in the matter, as regular members on executive boards do.
This can be achieved by giving them oversight into how sensitive data is handled. That way, they will be able to advise on the right course of action when it comes to security.
As cyber threats become more complex, it will become crucial to put cybersecurity governance at the highest level in the company. That is the only way to ensure they can adequately assess risks, recommend and create security measures, and enforce the changes.
Finally, it is strongly recommended to use business questionnaires and adapted tools that provide a quick estimate of security risks, so that the Executive Board can be guided efficiently when making decisions.