Ensuring cybersecurity is the area of responsibility of the Board of Directors

The author of the study is Ivan Klyuev, Director of ANO «Digital Youth», graduate of the SACM certification program «Corporate Governance in the 21st Century», certified expert EU-NQF Level A in Corporate Governance according to European Union standards; edited by Alexander Lebedev, SACM Professor.

The whole world is gradually moving into a digital environment, and this is reflected at every level of communication, from interpersonal to interstate. Most enterprises are computerized, which means that their transactions and important information are stored on computers. While the growth of the connected world is impressive, its susceptibility to malicious cyberattacks is also growing rapidly, jeopardizing the stability of society. Attacks are getting bigger and more damaging. Without trust in digitalization, people and industrial users will not embrace digital transformation or fully utilize information technology. Improving cybersecurity is therefore one of the most important development priorities. According to a study by Positive Technologies, the number of cyberattacks in 2021 increased by 6.5% compared to 2020. As in 2020, 86% of all attacks were directed at organizations. The three most frequently attacked sectors were state institutions (16%), medical institutions (11%) and industrial companies (10%). According to 2021 statistics on compromises of mid-sized infrastructures, 60% of intrusions begin with phishing, and if a phishing attack is not detected in time by the information security team, the probability that the infrastructure is compromised is close to 100%. The main targets of cybercriminals are personal data (33%), trade secrets (21%) and user credentials (19%).

Attacks on critical information infrastructure (hereinafter CII) are becoming more frequent. A feature of modern cyberattacks is that they are targeted: they focus on a specific sector of the economy or on an individual enterprise. The most popular attack methods are malware, social engineering and hacking; in every second attack on an organization, social engineering was used. In Russia, Decree of the President of the Russian Federation No. 250 «On additional measures to ensure the information security of the Russian Federation» was issued on May 1, 2022. It requires every Russian body (organization) to create a structural unit that performs the functions of ensuring its information security, including detecting, preventing and eliminating the consequences of computer attacks and responding to computer incidents, or to assign these functions to an existing unit. In addition, according to a PwC study, 85% of consumers will not do business with a company if they have doubts about the reliability of its security. It is difficult to assess the possible damage to a company from cyber risks without looking at cyberattacks that have actually taken place:

● 2020 Facebook hack, the most notorious data leak from the social network

In March 2020, the British company Comparitech reported a leak of data on more than 267 million Facebook users. In August 2020, experts from Darknet Data Leakage & Breach Intelligence (DLBI) found the personal data of 150 million Facebook, Instagram and LinkedIn users online. Facebook had already been ordered by the US Federal Trade Commission in 2019 to pay a record $5 billion fine for privacy violations, roughly 20 times higher than the largest sanction previously imposed for a data breach. Against the backdrop of repeated leaks, the company's reputation was badly shaken, as was its stock price, which fell by about 7%.

● 2017 attack on Equifax, one of the largest US credit bureaus

In 2017, an attack led to the leakage of data on almost 148 million people, according to The Washington Post. Hackers stole personal data, including at least 209,000 bank card numbers, as well as documents used in credit disputes. Time wrote in 2017 that Equifax's market capitalization fell by $4 billion, but the company's exact losses are still unknown. In 2018, USA Today reported 96 lawsuits against Equifax, all of which meant legal costs and compensation. The share price only returned to its 2017 level two years later, in 2019.

● 2015 cyberattacks on TalkTalk, one of the largest telecom operators in the UK, after which the telecommunications provider's shares fell by 12%.
● The historic Yahoo! hack: $4.8 billion

In 2013, Yahoo! suffered a massive attack. The company kept the matter quiet for a long time; the information only came out in 2016, during preparation of the merger deal with Verizon Communications Inc., when Yahoo! admitted that 1 billion accounts had been compromised. In 2017, it emerged that the attackers had affected all 3 billion Yahoo! accounts, Reuters reported. Separately, another attack in 2014 affected at least 500 million users. As a result, Verizon cut its original $4.83 billion offer by $350 million. The Wall Street Journal estimated the damage to Yahoo! at $4.7 billion; later, another $80 million in court-ordered compensation and litigation costs were added to this figure.

A study of the largest cyberattacks allows the following conclusions to be drawn:
1. Cybersecurity is not necessarily about high technology or sophisticated computer science. Attackers use «social engineering», non-technical methods, to get people to click infected links or websites or to share sensitive information. In every second attack on an organization in 2021, social engineering was used.
2. The impact of cyberattacks on a company's value is very significant: a successful cyberattack has a strong negative effect on the share price.
3. 85% of consumers will not do business with a company if they have doubts about the reliability of its security.

Thus, the importance of cyber risk management in companies is growing, and because cyberattacks can significantly affect the value of the company, it is no longer only a matter for management but a responsibility of the members of the board of directors. It is impossible to protect against cyberattacks 100%. However, a well-built protective environment makes an attack harder, so that attackers, following the path of least resistance, move on to another company. There are three levels of cybersecurity:
1. Physical security covers physical protection and access: doors, locks, windows, the means of physical access to information sources, and security personnel.
2. Human security covers the human factor: the level of alertness and awareness of the staff, and how disciplined the guard at the door is. The human factor is one of the most vulnerable levels, because it is often through a person that well-protected information leaks, including to foreign intelligence services, and in many companies this factor receives very little attention.
3. Digital security covers the confidentiality, integrity and availability of information against malware and unauthorized interference through the network.

One of the important activities for maintaining cybersecurity in a company is developing «digital hygiene» as part of the corporate culture. «Digital hygiene» is the formation of useful habits which, when followed, keep a person secure on the Internet. «Digital hygiene» includes:
● A culture of working with corporate documents: e-mail, cloud storage, instant messengers.
● A culture of working with passwords and the organization's data.
● Being informed about the popular types of threats: social engineering, trojans, ransomware, phishing.

Introducing «digital hygiene» into the corporate culture reduces the company's exposure to cyberattacks. However, «digital hygiene» is not a one-time event but continuous work on building habits. The digital hygiene of employees is therefore one of the key areas of threat prevention in companies: it reduces the risk of a cyberattack, and it costs the company less than implementing software solutions. It is important to note that implementing the principles of «digital hygiene» and attending carefully to the company's cybersecurity is the responsibility of the board of directors, since the creation of a cybersecure environment directly affects the value of the company and concerns the viability not of a single department but of all stakeholders. In addition, it is the board of directors that bears much of the responsibility for cyberattacks and their consequences, since it is the board that sets the rules of conduct and the sequence of actions to follow when a cyber threat materializes or when a cyberattack has been successfully repelled. In today's digital world it is, of course, impossible to establish 100% protection against all potential threats, but systematic work at the highest level can reduce the likelihood of cyberattacks and thereby protect the company's assets.

