The need for cybersecurity awareness and literacy runs from the IT department to the Board and to everyone in between. Many organizations have security awareness programs and are actively trying to make cybersecurity training a metric that gets reported all the way up to the board. So what should the board be asking at its next meeting when that metric gets reported?
How important is cybersecurity awareness?
Human error remains the leading contributor to security incidents, according to Verizon's 2016 Data Breach Investigations Report. In fact, 63% of confirmed data breaches involved weak, default, or stolen passwords. Additionally, phishing messages were opened 30% of the time, up from 23% the year before.
Further, the board should ask whether the C-suite is receiving the same cybersecurity awareness training as the rest of the company. A recent Ponemon study on managing risk through training and culture found that only 45% of companies make cybersecurity training mandatory for all employees. Even more concerning, almost 30% of those companies made exceptions for C-suite executives.
There are two problems if management does not take part in cybersecurity awareness training and practice good security habits themselves.
- The management team has access to some of the most valuable and sensitive information in the company, which makes them prime targets for an attacker.
- If the first step is to build a culture of security across the entire enterprise and to maintain effective communication between the board, management, and security leaders, then training should be mandatory for directors and officers, so that they set the example that security is taken seriously throughout the enterprise.
Cybersecurity awareness matters. It starts at the top, with a cyber-literate board that understands what questions to ask and determines how it can help management build a culture of security from the top down.