What are 5 questions every board should ask about cybersecurity?

1. What procedures do you have in place to manage a breach?

An ideal response will demonstrate that the company has thought through multiple scenarios. Plans for handling a breach should go beyond simply escalating the situation to the IT and legal teams, and should include customer service, public and government relations and employee communications. Board directors, management and the business’s various departments all need to understand their role within the overall plan. Multinational corporations must consider reporting requirements and account for additional coordination complexities across regions.

2. Have you tested your preparedness plans?

A table-top simulation allows a business to stress test and improve how it would handle a crisis. This exercise helps companies uncover areas where more preparation is needed. Who should be in charge of these simulations will vary from company to company. But the trials should include high-level participation across the organization, including the CEO. The group has to make sure the simulation incorporates a response that addresses affected stakeholders, taps into all relevant resources and procedures, and points out the unforeseen problems that actions in one department can cause in another.

3. Do customers understand your data collection and usage practices?

You don’t want customers to learn about the data you have from a breach notice or media coverage. Instead, your company should periodically evaluate its data collection and uses, and assess how they could be putting the business’s reputation at risk. Make sure your data story is clear and that you’re articulating the value that the usage provides to customers. Increasingly, organizations are writing their privacy policies with this in mind, clearly outlining what they collect and why.

4. How do you decide how much to invest in security - and where?

One hundred percent security is not possible and the number of possible avenues of attack alone prevents an ironclad defense. In addition, some companies may choose to take on more risk in order to improve the customer experience. In light of this, companies need to weigh the degree of security against the needs of the business. The smartest companies are thinking about security early in the product development cycle. Companies should organize security into tiers, focusing additional resources on the most sensitive data and working outward from there.

5. Are you educating employees on the best cybersecurity practices?

Increasingly, a company’s employees are seen as the weakest link in any data security regimen. They are vulnerable to “spear-phishing” attacks, when an email from what appears to be a trusted source – an individual or business – requests secure information about the company. The hope is that the recipient will reply automatically, handing over the keys to the castle in the process. Five out of every six large companies – those with more than 2,500 employees – were hit by spear-phishing attacks in 2014, according to a recent Symantec Internet Security Threat Report. That’s a 40 percent increase over the previous year.

To counteract such scams, more companies are choosing to educate employees about common cybersecurity risks. These programs should complement the use of any hard controls, such as mandatory password strength requirements. The goal should be to empower employees by arming them with basic knowledge: how to spot an attempt to breach security, where to go to ask questions, and who to inform when they identify a potential threat.