The importance of Cyber risk awareness in an Organization
Effective corporate governance in any organization rests on five pillars: leadership strategy and culture; structure and performance; risk; management information and control; and transparency and reporting.
One critical pillar that has the propensity to affect the other pillars and shake the integrity of the organization is RISK and its effective management. The significance of Risk Management in Corporate Governance cannot be over-emphasized.
The literal meaning of Risk is “a situation involving exposure to danger; that is, the possibility of something unwelcome or unpleasant happening”. It would interest you to know that the Chinese definition of Risk is a combination of danger (crisis) and opportunity, thereby indicating that Risk involves doses of danger, uncertainty, and also opportunity. Every organization has to take steps to manage the dangers of risk-taking to maximize the inherent opportunities for gains.
In today’s reality of a VUCA business environment, combined with the fast-paced adoption of digital technology solutions for business efficiency, organizations are now obliged to take greater risks for competitive advantage by digitizing their processes and transactions to ensure that the company stays on top and achieves its objectives.
There is a wide spectrum of risks that can affect an organization’s efficiency when not assessed keenly and managed adequately. However, one risk spectrum that is of increasing concern in recent times is CYBERSECURITY RISK MANAGEMENT.
With the dawn of digitization, Cyber-attacks have become a global business risk that has the potential of crippling any organization irrespective of size, or geographical location. Cyber-attacks and their effects can diminish huge capital investments, hamper economic growth, threaten national security, and destroy hard-earned investors’ confidence.
The fact is that cybersecurity is no longer the responsibility of the I.T. guys who come and run malware scans and update network software on the organization’s computers. Cybersecurity is no longer a function designated to a certain department with employees recruited and trained to offer tech support to the entire organization.
It is also not enough to ask employees to sign an agreement or request management to endorse a policy on how company-sensitive information should be kept private and safe.
Cybersecurity is now a cross-departmental responsibility that requires executive leadership and employee participation because the vulnerability of one officer of the company is a risk to the entire organization.
Information is a fundamental element of all businesses. Organizations share information, store information, and communicate information. Such information could be customer information, tax information, employee information, and banking information of the business. When this information becomes compromised it can be a hard hit for the organization.
An Organization is an information Hub and every officer and employee of the organization is an information steward. The nucleus of an Organization’s corporate strategy, trade secrets, customers, policies, and partnerships are formed and connected by information. Note that on the internet, there are no borders. Hence, information or data freely shared for legitimate purposes may be intercepted and manipulated for fraudulent and criminal purposes using novel technologies.
Why should organizations pay attention to Cyber Security and Cybersecurity Risk Management?
According to a widely accepted estimate deduced by SciDev.Net, cybercrime costs the world economy the sum of US$500 billion per annum.
Microsoft, in its 2014 Cybercrime news report, estimated that about one-half of all adults connected to the Internet were victims of cybercrime. One in five businesses globally has been a victim of cybercrime, and 20% of all small and medium-sized enterprises (SMEs) have been hit by this menace.
The reliance on digital mediums to collect and process data has resulted in an ever-increasing need to infuse cybersecurity as an essential factor for business continuity. The sad reality is that 90% of African businesses are operating online unguarded. They have not implemented even the barest minimum cyber security protocols that can safeguard their online activities.
Even though the internet penetration rate in Africa is lower compared to the rest of the world, the African continent is not spared in the Cybercrime losses.
In 2013, research on Cybercrime in Africa conducted by International Data Group Connect indicated that each year, cybercrime cost the South African economy an estimated 573 million dollars. For the Nigerian economy the cost was estimated at 500 million dollars, and for the Kenyan economy, 36 million dollars.
With the astronomic increase in Africa’s youth population and the predictions that Africa’s mobile phone users may reach over 504 million in 2025 (49% penetration rate), this Cybercrime peril is not going away soon. The proliferation of internet-enabled smartphones and devices is a catalyst that will continue to drive the exponential growth of cybercrimes in Africa.
Annually, there are astronomic rates of reported cyberattacks targeted at company executives and the board. Company executives are easy prey, as they are perceived to possess unfettered access to companies’ data within the organization. Board-level executives are also strategic custodians of the personal details of wealthy and influential contacts that can be mined for fraudulent gains. Board-level executives are the whales of the cyber ocean.
What should organizations do differently?
Cyber security is everybody’s business. The same way you guard your physical self against danger and harm is the same way you should guard your online self on the Cyber streets. The COVID-19 pandemic exacerbated the brutality of Cybercrimes because everyone globally suddenly mutated to being online, connecting online, shopping online, studying online, doing business online, etc. All these online transactions involve sharing of information.
The organization must be proactive and vigilant in the cyber landscape to stay safe.
Knowledge is power
Cybersecurity education for all employees, executives, and board members is the primary defense strategy for combating Cybercrimes. Periodic and continuous cybersecurity education is paramount to ensuring that the entire organization remains informed and abreast of the emerging threats and techniques of Cyber hooligans. A pliable employee who is unaware of cybersecurity can fall victim to phishing attacks, which could expose the organization to the risk of data loss, monetary loss, and irreparable reputational damage.
Fortify Your Organization’s Cybersecurity architecture.
Organizations can no longer shy away from investing in advanced and up-to-date systems that offer robust protection and are less prone to being compromised in an attack.
It is also important to prioritize cybersecurity as a company-wide goal, which should be embedded in the overall governance, risk, and compliance strategy of the organization.
Organizations must implement a detailed, well-structured, and incontrovertible cybersecurity response plan that can be deployed in response to a breach or potential threat. A rapid response plan is the game changer that reduces the likelihood of long-term damage. A cybersecurity response plan offers immediate action steps that could prevent uncontrollable escalation.
Enhance Cyber Expertise on the Board
Having a tech-savvy board is critical to sustaining discussions on Cybersecurity in the Boardroom that engender consistent actions aligned towards protecting the organization from attacks. A recent report published by the Diligent Institute, ‘Beyond the C-Suite: Trends in Director Skill Sets,’ found that the appointment of directors with a traditional background (a former or current CEO, CFO or COO) still accounts for the majority of new directors since 2019 in the U.S., U.K., and Australia. However, there is a gradual shift to new appointees with other backgrounds, such as technology.
Future Forward boards and organizations have learned to appreciate the worth of having tech-inclined expertise on their team. Such expertise can help the organization dissect cybersecurity challenges and make appropriate recommendations.
Lead by example
Diligent, a Board Governance company, in its 2021 publication “Assessing your Cyber Risk score”, encouraged boards to lead by example by ensuring their activities are optimized for security.
“A good board leads by example, making sure that their communications are secure and protected. By embedding cybersecurity in their processes, they illustrate the importance of such an approach to the organization as a whole. Cybersecurity needs to be viewed as an enterprise-wide risk management issue – and not just as a problem for the IT department.”
“In the 21st century, there is not a single major business decision that does not include cybersecurity considerations. Cybersecurity needs to be woven into the entire process, from R&D through manufacturing through public relations. That’s the message about cybersecurity: We’re all in this together.” Larry Clinton – President, Internet Security Alliance
About me: Celine Okoroma-Vincent is a Corporate-Commercial Lawyer, Chartered Corporate Governance and Compliance Professional.
Her professional function is to help business owners and corporations develop and implement the right corporate governance structures that engender business growth and sustainability, while managing their prompt compliance with internal policies and external regulatory authorities.
Celine advises and supports businesses on governance, risk, and compliance; collaborating with them to set up policies, processes, and structures that produce outcomes of long-term growth, sustainability, efficiency, and resilience.
She currently works as Head of Governance and Compliance with Paraclete Consulting.
End notes
[i] Obat-Olowu, ‘Risk Management as a Strategic tool for Corporate Governance’. ICSAN Journal of Corporate Governance and Administration, JCGA Vol. 1, pages 46-52, 2018.
[ii] Science, Cybercrime in Africa: Facts and figures. Fassassi, Akoussan, July 2016. Available at: https://www.scidev.net/sub-saharan-Africa/features/cybercrime-Africa-facts-figures/
[iii] https://news.microsoft.com/stories/cybercrime/
[v] GSMA – The Mobile Economy Sub-Saharan Africa 2020