Industries: Technology

Cyber risk continues to be a major concern for businesses of all kinds. According to Forbes, global cybercrime damage costs are expected to grow by 15% per year over the next two years, reaching USD $10.5 trillion annually by 2025. And it’s not just a problem in the United States. According to Statista, 72.7% of all organizations globally fell prey to a ransomware attack in 2023. These statistics serve as a sobering reminder that implementing a strong cybersecurity governance plan is critical to protecting investors and customers from the downside risk and damage a data breach can cause. This is especially important for technology companies, which continue to be a prime target for cyberattacks.  

According to Sophos, one in two organizations in the IT, technology and telecommunications industries dealt with ransomware attacks between January 2022 and March 2023. Recent ransomware targets in the IT, technology and telecoms sector include Taiwan-based PC manufacturer Acer, which received one of the largest ransom demands on record at the time (USD $50 million) from the REvil gang. But it’s not just the major tech players who are at risk. Managed Service Providers (MSPs) are also ransomware targets. For example, the owner of ITRMS, a small MSP based in Riverside, Calif., has described fielding multiple such attacks over the years, against both his own firm and his clients. 

There is some good news in the tech sector: According to a recent report from S&P Global, corporate boards are increasingly taking responsibility for cybersecurity, with the tech sector ranking highest among all industries in this regard.

The importance of cybersecurity governance for technology companies 

If you’re a technology company planning to reassess your cybersecurity policies this year, governance will be critical to your success. With a robust cybersecurity governance process in place, a company is better prepared to effectively mitigate risks, address threats, and meet regulatory and compliance responsibilities.  

Cybersecurity governance means that the board and management understand the cybersecurity program, are involved in decisions, and actively participate in risk acceptance, mitigation or transfer. According to a CSO Online article, governance, risk and compliance must be integrated with cybersecurity. “CISOs are already blending technical with business considerations to manage cybersecurity within their organizations; integrating GRC means adopting broader responsibilities and a risk-based approach,” the article states.  

Cybersecurity governance rests on three fundamental pillars: What are you doing? Is it enough? How do you know? Let’s take a closer look at these pillars and what they mean.  


The three pillars of cybersecurity governance for technology companies 

What are you doing?

First, you should fully understand the cybersecurity governance plan and model you currently have in place. That means you should:

  • Know what data you are collecting and how you are collecting it.
  • Ensure you store only the minimum amount of data you need to run your company.
  • Understand your regulatory compliance obligations.

Is it enough? 

Your cybersecurity governance plan should continuously evaluate risk and confirm that you remain comfortable with that risk over time. If you determine that your residual risk is too high, it may be time to make additional investments in security and controls to reduce that risk, or to transfer it, for example by investing in cybersecurity insurance. Some things to consider include:

  • Do you understand your risks? 
  • Are you meeting compliance obligations? 
  • Do you have controls in place to ensure only certain people have access to and can modify specific data? 
  • Do you have redundancy, backup, recovery and resiliency plans? 

How do you know? 

Knowing you are prepared is about having the right monitoring processes and a clear understanding of how you would react to various cybersecurity events. Ask yourself:  

  • Do you have appropriate monitoring to detect a cyber breach should one occur, and has a third party validated that it functions as intended? 
  • If an attack succeeds, do you have established processes in place to help you recover? 

Start building a cybersecurity governance plan today  

BPM offers Cybersecurity Assessment Services, including penetration testing and incident assessment support. Our independent team evaluates your company to identify your information security weaknesses. We help you understand where threat actors are most likely to strike. Then, we work with you to build a methodology to manage cybersecurity risk and develop risk-prioritized recommendations and controls. This allows you to respond to and monitor an attack should the worst occur.  

If it’s been a while since your technology company has evaluated its cybersecurity governance plan, contact us to help ensure you are ready to handle whatever cybersecurity threat might come your way.

Contact us today to get started.


Nick Steiner
