Boards are being advised to reevaluate their responsibilities in cybersecurity to enhance effectiveness.
Boards of Directors are increasingly being informed that cybersecurity is now integral to business resilience and growth, necessitating their direct engagement in risk management. A recent report from Google Cloud’s Office of the CISO highlights three critical areas for board oversight: ransomware, cyber-enabled fraud, and the intersection of innovation and cybersecurity. The report indicates that ransomware attacks have evolved to become more targeted and disruptive, with threat actors exploiting identity systems, help desks, and cloud infrastructure. Notably, social engineering tactics are being employed against help desk staff, where attackers impersonate employees to manipulate support teams into resetting credentials or altering multifactor authentication settings. This approach allows them to circumvent technical defences and gain unauthorised access to accounts. The report stresses the importance of boards focusing on identity protection within their organisations, as security teams may encounter resistance when implementing stronger measures like phishing-resistant multifactor authentication.
The report also underscores that digital transformation and cloud adoption introduce new risks, with attackers moving freely between on-premises and cloud environments using compromised single sign-on credentials. Boards are advised to ensure that investments in identity controls and monitoring are aligned with these evolving threats.

The second key theme of the report is cyber-enabled fraud, identified as one of the fastest-growing threats to businesses. Fraud schemes, including SMS phishing, business email compromise, account takeovers, and long-term scams involving fake cryptocurrency investments, are significantly impacting organisations. The report provides a framework for boards to oversee fraud prevention, beginning with mapping financial flows and identifying vulnerable points. Boards are encouraged to inquire whether controls such as multifactor authentication and dual approvals are being implemented for critical financial processes. High-risk transactions, such as wire transfers and real-time payments, warrant closer scrutiny. The report advocates for frameworks that deconstruct fraud into stages, enabling organisations to respond more effectively. Additionally, boards are reminded of their responsibility to ensure that fraud incidents are followed by blameless post-mortems, which can help identify weaknesses without assigning personal fault, ultimately enhancing controls and establishing financial risk thresholds. Forward-thinking financial institutions leverage fraud prevention as a strategic advantage, fostering positive customer relationships.
Categories: Cybersecurity Oversight, Ransomware Threats, Cyber-Enabled Fraud
Tags: Cybersecurity, Business Resilience, Risk Management, Ransomware, Identity Protection, Cyber-Enabled Fraud, Digital Transformation, Cloud Adoption, Fraud Prevention, Financial Controls