Critical questions for boards to ask about cyber-security

Mike Fry at Logicalis outlines four critical questions boards must ask as part of supporting their infosec teams

Cyber-security has rapidly evolved from a potential risk to an omnipresent threat. According to Statista, over 72% of businesses worldwide were affected by ransomware attacks last year. And when attacks have the potential to cause significant reputational and financial damage, the responsibility for cyber-security cannot be contained to the IT team.

For any board member one step removed from day-to-day cyber-security operations, let’s look at the key questions to ask to give cyber-security the attention and support it needs and better protect the businesses.

1.What are the blind spots in our current approach?

Blind spots are common across most businesses. No strategy is immune to oversights, especially when facing cyber-criminals who constantly improve their techniques to infiltrate businesses.

For example, the most common type of cyber-attack, phishing, is now being supercharged by AI to make attacks harder to detect and more potent. This presents a challenge for businesses as they work out how to keep up. 

One of the most significant blind-spots in organisations is the shortage of qualified personnel. The World Economic Forum found that there is a global shortage of nearly 4 million cyber-security professionals in its 2024 Global Security Outlook report.

Most businesses struggle to hire the talent they need, and cyber-security teams need to have solutions in place to bridge this gap.

Many businesses aiming for maximum security coverage invest in multiple tools. However, with an excess of tools running in parallel, they are not being managed cohesively. This siloed approach can result in significant gaps in coverage.

An important area for board members to understand is the need for cyber-security tools to be streamlined. This approach not only ensures robust protection but ensures investments are being tunnelled into the most effective, high-impact solutions.

Lastly, over recent years businesses have grown their data footprints exponentially, and this huge growth makes it difficult for businesses to have clear visibility over their entire digital estate. This has provided criminals with larger attack surfaces, with increased vulnerabilities.

This gap in knowledge makes it difficult to assess if systems are patched and up-to-date, exposing businesses to potential breaches. By keeping an accurate, up-to-date record of inventory, cyber-security teams have a clear understanding of the assets they need to protect.

2. Do we have the right tools, people and partners?

Detection is a crucial component of any cyber-security defence strategy. It’s not just enough to protect data, real-time detection and incident response are equally important. It is key to consider whether teams have the right tools and partnerships in place to detect an attack as it happens and shut it down immediately.

One area often overlooked is the organisation’s supply chain. With interconnected systems and third-party partners, the attack surface extends far beyond the company’s direct control.

Businesses should have a clear understanding of who their suppliers and vendors are, to ensure they follow strong robust cyber-security practices. This includes checking if partners have secure systems in place to protect your shared data. The growing focus on supply chain management, as mandated by regulations such as the Digital Operational Resilience Act (DORA), highlights the need to manage the risks posed by suppliers.

3. Are we able to restore our data?

Cyber-attacks have become a matter of when and not if. So, when faced with situations where operations are disrupted, what is your business’s plan of action?

Where an attack is motivated by a ransom, businesses with robust recovery plans effectively undermine the hacker’s attempt as they can get back up and running without being held hostage. 

Even where an attack isn’t immediately financially motivated, a lengthy recovery period can have bigger business consequences than the attack’s initial impact, so a swift recovery is crucial. Are regular backups being conducted? Are they isolated from the network to prevent corruption during an attack? Having this level of preparation is critical to reducing downtime and financial losses.

4. How are we ensuring compliance?

Compliance with regulatory requirements is essential in today’s landscape and regulatory frameworks are gaining increasing importance. With updates to frameworks like the Network and Information Systems Regulations 2 (NIS2), cyber-security is now a critical concern across borders. The risk of non-compliance is multi-faceted, businesses can face financial penalties, legal consequences and severe reputational damage.

To ensure compliance remains a top priority, security teams should be implementing continuous processes that are constantly refined. Managing security is a constant journey and regular assessments against frameworks like the NCSC Cyber Assessment Framework are necessary to benchmark progress and identify areas for improvement.

Regular audits, incident response planning, and the use of the latest threat intelligence are great practices that help support teams in maintaining compliance and enhancing overall security.

Ongoing board-level vigilance

By asking the right questions, business leaders can start to feel more confident in their organisation’s stability.  By working in close collaboration with the IT and security teams, board members can ensure their organisations are well-prepared to defend against and recover from cyber-attacks, minimising both financial loss and reputational damage.

Cyber-security must become a core part of every business’s strategy - an ongoing journey rather than a one-time investment. 

Mike Fry is Security and Cloud Business Unit Director at Logicalis

Main image courtesy of iStockPhoto.com VioletaStoimenova