NewsDay


Cybersecurity now every board member’s priority

Opinion & Analysis
By Jacob Kudzayi Mutisi

The reality is that cybersecurity is no longer confined to ICT; it is now a boardroom issue. Zimbabwean companies must be diligent and vigilant: the latest cybersecurity attack on TM Pick n Pay is the tip of the iceberg.

The company board must understand that this is not only its duty under the law, but also follows from its duty of care to its customers, shareholders and stakeholders.

Cybersecurity is ever-increasing in the COVID-19 era

On one hand, businesses are going through radical transformation while on the other hand the attack surface is rapidly expanding due to more people working from home and being online more than ever.

There is increased pressure on executive teams to step up and get a better handle on cybersecurity.

Cybersecurity has grown so large that its consequences can significantly impact a company’s valuation.

As a result, network security and data privacy are now boardroom governance concerns.

Regulators like the Securities and Exchange Commission of Zimbabwe (SECZ) should respond by increasing oversight and highlighting the need for public companies to make disclosures related to cybersecurity risks.

Zimbabwe’s boardrooms should not only devote more attention to these ever-increasing cybersecurity risks but also evaluate their companies’ corporate readiness for such attacks.

In Zimbabwe and beyond, data breaches and cybersecurity attacks have proliferated over the past few years and incidents occurring at Zimbabwe’s large and reputable companies are further stressing the harsh reality that no company is safe from this modern-day threat.

Zimbabwe is a cashless society, and the fight against corporate cybersecurity hacks and the mishandling of confidential data falls to boards of directors and their management teams, whose challenge is further exacerbated by the tougher disclosure requirements of the Cyber Security and Data Protection Bill and by the speed at which the threats are evolving.

In a cashless society, what constituted a valid preventive strategy five years ago is unlikely to still be appropriate today.

Social engineering is now the number one crime, and cybersecurity now extends beyond criminal organisations conducting targeted attacks on corporations to include personal data gathered from social media platforms like Facebook, navigation systems, home security monitoring and personal health tracking devices.

The only companies that have chief technology officer (CTO) and chief information officer (CIO) professionals on their boards are telecommunications and mobile network operator (MNO) companies.

The rest still have ICT security buried within the ICT department.

The CIO or CTO is left to decide security levels in isolation from the actual business risks he or she is trying to manage, with little access to decision-makers at board level or to adequate funding.

Unaware of the risks, business units frequently perceive ICT security simply as a cost and an obstruction and try to circumvent it.

Similarly, they plan strategy and take business decisions with scant regard for the risk consequences.

The lack of board involvement means the regime is not focused and board reporting is inaccurate.

With the COVID-19 outbreak, companies must implement new ICT corporate governance strategies and processes.

Board members, senior managers and the CIO or CTO must understand the severity of the cybersecurity threat landscape and how cybersecurity attacks could impact the company’s business model, customers and reputation.

Having the CIO or CTO on the company’s board makes it easier for the board to identify the damaging impacts and priorities for the business and the ICT security team.

It is not enough to simply increase the security budget; the budget must be focused on the highest priority risks.

It is essential that the appropriate ICT governance is implemented within a structure that suits the individual organisation’s corporate governance model, risk appetite and culture, business activities and specific threat landscape.

As the organisation improves its ability to manage cybersecurity risk, the cyber ICT governance process will mature and become more embedded in wider risk ICT governance, integrating with related business processes, for instance resilience, business continuity, fraud and crisis management.

The increased maturity of ICT corporate governance will also enable the organisation to introduce more quantitative measurements and to exploit the use of software tools.

Cybersecurity is now a critical aspect of boardroom oversight, but an overwhelming majority of directors rate their own and their board’s knowledge of ICT risk as “in need of improvement”.

A lack of cyber-knowledge at board level can lead to overreliance on cyber experts and difficulty for directors in judging an appropriate level of involvement.

To help board members address this critical topic, the Institute of Directors of Zimbabwe, along with Zimbabwe Information and Communication Technology, the ICT division of the Zimbabwe Institution of Engineers, will be organising a series of roundtable discussions across the country, with the meetings focused on implications for the boardroom: how directors can effectively oversee cybersecurity risk; the necessary processes and policies to protect sensitive networks, systems and data from unauthorised access or attack; and the potential for financial and legal problems created by cyber-threats.