WP Why Cybersecurity Needs to be a Part of Your ESG | Imperva

Why Cybersecurity Needs to be a Part of Your ESG


What is an ESG?

Environmental, social, and corporate governance (ESG) documentation is a way to visualize and evaluate how an organization is working toward social goals, and how it is responding to the demand for greener, more aware, more responsible, and more sustainable investing. An ESG report looks at how the organization responds to its community and to the environment, and how it embraces the call for a healthier, more conscious workplace.

An integral part of modern accountability is cybersecurity. Organizations cannot rely on cyber insurance to dig them out of a problem that is, sooner or later, inevitable; they must proactively protect and secure their users, their staff, and their supply chain data, and be seen to do so. Cybersecurity, together with regional compliance, serves the same social goals, and as such it should now be included in any company's ESG.

The call for business transparency

According to Deloitte, 65% of survey respondents say they want to buy from purpose-driven brands and services that advocate sustainability. Customers are looking to the likes of ethical banking, and ESG reporting has become a requirement of investors, directors, and other stakeholders in financial services and fintech companies, where software and applications are being built to automate and improve financial trading and transactions for organizations and their consumers.

The same is true of government agencies, energy companies, and public utilities: there is a greater call for them to be transparent about their ESG efforts, as renewable energy, ethics, community support, data protection, and public safety have all become common news headlines over the last decade. When ransomware attacks on oil pipelines and malicious attacks on water pumping stations hit the news, customers and investors quickly become aware of the need for organizations to take responsibility for addressing their cyber vulnerabilities.

Sectors such as technology and retail, especially online retail, are taking notice. 50% of C-level executives in the fashion and textile industry say consumer demand has pushed their business to source more sustainable materials and to create more ethical products. Shareholders are aware that consumers are more attracted to brands with sustainable practices and products.

People are also justifiably wary of sharing their data, and naturally protective of their personal information. A company that can wear its security credentials with pride, as part of its public or private ESG, is far easier to trust, and eminently more socially responsible, than one that cannot.

A growing number of customers want to spend their money with businesses that are part of their community, are inclusive, and fight gender and racial bias in the workplace. Businesses need to offer a green alternative, be shown to genuinely care about their customers, and protect the confidentiality and integrity of their customers' personal data. Investors want to invest in organizations that champion social justice, commit to regional data standards, and produce safe, responsible products while still maintaining a competitive price. These are the businesses that will stand out in the marketplace of the future.

Environmental, social, and corporate governance through cybersecurity

“A lack of data protection is a threat to society.” I have read this sentence to myself several times, thinking at first that it might be overly dramatic and untrue. It is, I believe, a fact. In a world where government leaders are calling on businesses of all sizes to protect their most valuable asset, data, not doing so ignores best practice and skirts social responsibility.

Any data breach can have a significant impact on people, organizations, partners, investors, the supply chain, and communities; the knock-on effect of a breach or cybersecurity incident can reach a very large number of people. In the modern age, failing to protect organizational data to the best of a business's ability is considered careless, and increasingly it is grounds for litigation. A breach can also harm an individual's well-being: mentally, physically, and financially, and by damaging their personal reputation. Leaving even the basics of a business's data protection policy out of an ESG is now an obvious omission.

News sites regularly document attacks by bad actors on healthcare institutions, such as the WannaCry ransomware outbreak, which jeopardized patient care when it spread through Britain's National Health Service (NHS). Such widely reported, mainstream attacks are making the general public more aware of the rising threat landscape. As a result, there is a clear demand for transparency around how organizations use and protect confidential data. Trust between an organization and its customers, employees, and third parties is more important than ever.

ESG cybersecurity best practices

As part of an organization's ESG, it will be the cybersecurity team leader's responsibility to document current practices and to address issues of concern with solid, quantifiable security measures. The days of enterprises simply declaring “We have cybersecurity insurance” are over. Where applicable, organizations might consider adding the following aspects of their data management plan.

Stating regulatory compliance with regional requirements (e.g., GDPR, CCPA, POPI, Australia's Privacy Act, PIPEDA, or GLBA) shows a willingness to meet best practice, and these are standards the public expects to be met. Mentioning compliance in an organization's ESG is common business practice, and it offers reassurance that the organization is managing sensitive data responsibly and in line with state and national regulations. Keep the claim to regimes the organization has actually been assessed against: a compliance statement that cannot be evidenced is a liability rather than a reassurance.

If an organization provides general awareness training for staff, for example against phishing attacks or on security best practice, this is worth documenting. Making staff familiar with the dangers of clicking untrusted links, opening unsolicited emails and attachments, and interacting online are fundamental components of cybersecurity awareness. Over two-thirds of organizations train employees in cybersecurity best practice, and showing a proactive approach to employee education and accountability is an essential part of business readiness.

It is not essential, for obvious security reasons, to provide specifics. But if an organization can say that it protects data from malicious or accidental damage, and that it can quickly restore data after damage or loss because a disaster recovery plan is already in place, that is worth mentioning. A plan whose backups have been exercised by actually restoring from them is a much stronger claim than one that exists only on paper. Being cognizant of how ransomware operates, and able to describe in outline how the organization actively mitigates it, is information an organization should be proud to announce in its ESG documentation.

Organizations need to be seen to be preventing employees from becoming insider threats, by restricting the access rights of users, accounts, and activity to only those resources needed for legitimate work (the principle of least privilege). Having data user behaviour analytics in place can also be a convincing part of any public data security documentation. Many breaches originate from within, often unintentionally, and a deliberate security-first approach to this is worth illustrating.

Show how you are protecting your customers' data by listing your current threat protection assets and how they support others. Document, without going into too much detail, how the organization secures a user's personal information, safeguards transactions, and prevents the likes of account takeover. If you use a WAF to block web attacks, or real-time attack detection and prevention in your application runtime environment to protect against malicious supply chain code, mention them here. If you can say that your API endpoints are protected as they are published, and that your applications and users are shielded from zero-day exploitation, this is strong testimony of responsible cybersecurity practice. Being able to show that the business has control over the third-party JavaScript that runs in its customers' browsers, preventing client-side attacks, reducing the chance of supply chain fraud, and mitigating data breaches, shows that an organization genuinely cares about its social responsibilities and that its ESG is more than a box-ticking exercise.
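The claim that a business "has control over third-party JavaScript" is only worth making if it can be checked. The script below, added here as an illustration and not Imperva's code or the original article's, shows one such check: it audits every external script tag on a page against an assumed allowlist of permitted origins and confirms that each cross-origin script carries a Subresource Integrity (SRI) hash together with the crossorigin attribute the browser needs to enforce it. The allowlist, the site origin, the sample page, and the integrity value in it are all constructed for the example.

```python
"""Audit third-party <script> tags against an origin allowlist and SRI.

Added example, not the article's or Imperva's own code. The allowlist,
site origin and sample page below are assumptions made for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: the origins this organization permits to serve JavaScript.
ALLOWED_ORIGINS = {
    "https://cdn.example.com",
    "https://js.payments-provider.example",
}
# Assumed: the origin of the page being audited (first-party scripts are skipped).
SITE_ORIGIN = "https://shop.example.com"

# Constructed sample page. The integrity value is a placeholder, not a real digest.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
        crossorigin="anonymous"></script>
<script src="https://js.payments-provider.example/checkout.js"></script>
<script src="//analytics.unknown-vendor.example/tag.js"></script>
</head><body></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect the attribute dictionaries of every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            attributes = dict(attrs)  # HTMLParser lowercases attribute names
            if attributes.get("src"):
                self.scripts.append(attributes)


def script_origin(src, site_origin=SITE_ORIGIN):
    """Resolve a script src to the origin (scheme://host[:port]) it loads from."""
    parts = urlsplit(src)
    if parts.netloc:
        # Protocol-relative URLs ("//host/x.js") inherit the page's scheme.
        scheme = parts.scheme or urlsplit(site_origin).scheme
        return f"{scheme}://{parts.netloc}"
    return site_origin  # relative path: served by the site itself


def audit_scripts(html, allowed=ALLOWED_ORIGINS, site_origin=SITE_ORIGIN):
    """Return (src, problem) findings for each script that breaks the policy."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attributes in collector.scripts:
        src = attributes["src"]
        origin = script_origin(src, site_origin)
        if origin == site_origin:
            continue  # first-party code is outside third-party control
        if origin not in allowed:
            findings.append((src, "origin not on allowlist"))
        integrity = attributes.get("integrity") or ""
        if not integrity.startswith(("sha256-", "sha384-", "sha512-")):
            findings.append((src, "missing subresource integrity hash"))
        elif "crossorigin" not in attributes:
            # Without CORS the browser cannot verify the hash of a cross-origin script.
            findings.append((src, "SRI on a cross-origin script requires crossorigin"))
    return findings


if __name__ == "__main__":
    for src, problem in audit_scripts(SAMPLE_PAGE):
        print(f"{problem}: {src}")
```

Run against the sample page, the audit passes the first-party bundle and the pinned CDN library, and flags the payment script for lacking an integrity hash and the unlisted analytics tag twice (unknown origin, no hash). Running the same check against production pages on a schedule, and keeping the results, is the kind of evidence that turns the sentence in the ESG into something an auditor can verify.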

Organizational standouts

An organization should consider how it responds responsibly to the new threat landscape. What difference will your cybersecurity posture make to the end user, your staff, your investors and shareholders, and everyone else who engages with your business?

Ask what else you do that helps you stand out from your competitors. Do you conduct red team exercises? Do you have a forward-thinking security team training program? Can you, perhaps, showcase individual team experts or cybersecurity champions? How have you invested your budget for the betterment of all concerned?

As an extra element, how are you considering the environment in your day-to-day data practices? Do you use solar power or a green energy supplier? Are you carbon offsetting servers, using sustainable cloud services (like AWS), or recycling outdated computer equipment? While these may not relate directly to day-to-day cybersecurity, they still make good supporting content for any ESG.

For most organizations, showcasing environmental, social, and corporate governance (ESG) is now standard, and supporting the organization's marketing function with ongoing documentation, as stakeholder-facing evidence and credentials, is something the CISOs of the future will have to embrace.