The risky six

A surprising phenomenon occurred in 2020. The unforeseen stressors of the COVID-19 global pandemic and a forced work-from-home (WFH) model exposed cybersecurity vulnerabilities in organizations around the globe as well as board and management overconfidence in the cyber resiliency of their companies. How could this happen in an age of acute cybersecurity sensitivity when boards have made the battle against cyberattacks a top priority?

The pandemic didn’t create new vulnerabilities; it simply brought existing ones to light. It can be argued the fault is not on the boards or executive leadership alone, but in the fact every organization faces a myriad of ever-evolving risks. Yet, one thing is certain: the task of becoming and remaining cyber resilient is nearly impossible if boards do not have a clear-eyed understanding of their organizations’ cybersecurity strengths and weaknesses. Practitioners and researchers from Ernst & Young LLP or EY and the Institute of Internal Auditors (IIA) conducted extensive analysis to determine the root cause of how and why boards get a skewed picture of their organizations’ ability to protect themselves from cyber-related risks.