Cybersecurity has become a critical business continuity issue. There truly are only two types of companies: those that know they have been hacked, and those that do not. The operational, financial and reputational costs of breaches are rising as well. In some cases, CEOs and Board members have been forced to resign. Many boards, however, are just waking up to this risk. The following questions can provide a framework for corporate directors as they fulfil their fiduciary responsibilities.

Which assets “must” we protect?

It is critical to risk-rank data assets to identify which ones can make or break an organization. For instance, the clinical trials data of a pharmaceutical company, call data records of a telecom enterprise and patient care records of a hospital would fall in the high-risk category. How can such crown jewels be protected? The mainstream approach is to identify potential threat-actors and vulnerabilities, implement controls, and finally, thwart attacks by leveraging analytics-enabled threat-monitoring tools. Another approach—suggested by leading cybersecurity experts—is to isolate critical assets from the internet, minimize their digital footprint, and monitor them by using analogue devices and trusted human beings.

Which vulnerabilities should we be most worried about?

Influenced by technology companies’ effective marketing, business leaders spend an inordinate amount of time worrying about new-age threats and investing ever more in new security products that can help them stay ahead of tech-savvy hackers.

While it is true that organized criminals are increasingly devising new techniques, most attacks— including those at the largest corporations—are relatively unsophisticated. They succeed because organizations do not take key precautions such as encrypting critical data, implementing timely patches, monitoring access controls, segmenting the network, scheduling data backups and implementing strong password management practices.

How robust is our incidence response?

Most companies do not have a comprehensive crisis-response strategy. For instance, an EY-led cyberattack simulation exercise with 79 leading CEOs revealed that many were unsure about how to handle ransom demands from cybercriminals. The most proactive companies conduct periodic “war-games” with the board and top management to ensure that their crisis-response plans are exhaustive and robust.

Are we investing prudently in the area of cybersecurity?

Three principles should guide funding decisions. First, companies must spend more to strengthen their weakest link: people. This includes strengthening the leadership by hiring a seasoned chief information security officer (CISO) and equipping the security team with the right tools and skill sets. Second, organizations must invest in improving intrusion-detection capabilities. This includes accessing threat intelligence and enhancing SOC effectiveness by analysing log alerts in conjunction with behavioural patterns and endpoint signals.

Third, organizations could consider investing in advanced security techniques such as threat-hunting and deception technologies, which baits hackers into attacking decoy servers, thereby enabling security professionals to analyse the motives of the threat-actors, all the while protecting real data assets.

Does our board governance support cyber resilience?

Do board members set aside time to review critical cybersecurity controls, emerging risks and breach-preparedness? Do they seek external inputs to validate management’s cybersecurity assertions? Does the organization’s CISO report directly to the CEO or COO to encourage independence? Are employees, customers and third-parties regularly educated and audited to ensure they are fulfilling their cybersecurity responsibilities?

How mature are our cybersecurity practices when compared to industry-leading standards?

Organizations often benchmark the maturity of their security practices against sector-agnostic standards such as NIST and ISO27001, as well as sector-specific standards such as HITRUST for healthcare and PCI-DSS for online retailing. However, such compliance-driven approaches do not guarantee cyber resilience. Strengthening one’s security posture also requires the sharing of threat intelligence and anonymized attack data among peers—much like hackers who actively collaborate and share system vulnerabilities. Doing so enhances an organization’s ability to sense, resist and respond to attacks.

Cyber vulnerability is at an all-time high. The proliferation of internet-connected devices—many with poor security—along with the explosive growth of data, automation and outsourcing are creating exponentially higher risks. Boards that are informed, engaged and ask the right questions are perhaps the most critical line of defence in strengthening an organization’s security posture.

Ravi Venkatesan is the former chairman of Microsoft India.

Nitin Bhatt is EY’s global risk transformation leader and heads the firm’s technology sector in India.