Cybersecurity breaches are a growing problem for businesses around the world. A recent World Economic Forum report estimated that during 2017-2021, global cybersecurity spending will grow to nearly $1 trillion, while at the same time, the cost of cybercrimes will increase to $6 trillion. According to EY’s Global Information Security Survey (GISS) 2016-2017, 87% of board members and C-level executives lack confidence in their organization’s level of cybersecurity.

Cyber security can no longer be viewed as an IT-only issue. While the chief information officer (CIO) or the chief information security officer (CISO) continues to play a crucial role in anticipating, identifying and managing cyber risks, the chief financial officer (CFO) and board need to lead the discussion and embed an enterprise-wide risk appetite.

Clearly, with growing incidences of cyber breaches, businesses in India need to scale up their focus on cyber risks. Indian organizations are reluctant to invest in their cybersecurity architecture, despite 35% of those surveyed in GISS 2016-17 India Report, admitting to having had a significant cyber breach.

Further, 32% of the organizations surveyed do not have an agreed-upon communication strategy in the event of a significant cyber-attack taking place, while only 38% are likely to communicate to customers in the event of an attack affecting customer information.

These findings clearly point to a need for businesses in India to take a more engaged view of their preparedness for cyber security, as the pitfalls of not doing so can be devastating. According to the GISS 2016-17 India Report, 26% of Indian organizations incurred financial damage of up to $100,000 in the past year.

The preparedness level of businesses in India leaves enormous scope for taking substantial steps—for example, 55% organizations do not have, or have only an informal, threat intelligence programme. It is an area where the tone at the top, set by boards, can help bring about a transformative change. Here is what boards need to keep in mind:

Determine your risk appetite

Cyber risk cannot be completely mitigated. The reality is that every business will face cyber-attacks at some point, so it is important to establish a cyber risk appetite as part of the organization’s overall risk management framework.

What is your tolerance to cyber risk and how is that embedded across the organization? As initiatives progress around cloud, digitization and mobility, businesses need to ensure that an appropriate level of security is in place that aligns with the risk tolerance levels endorsed by the board.

Focus on protecting your critical assets

A better return on investment can be achieved by allocating capital to key areas of risk rather than taking a blanket approach across the entire organization.

For this reason, boards should ensure investments are focused on critical assets of the organization. These include M&A (merger and acquisition) data, customer data, intellectual property, financial data or sensitive company information that may sway share price. Once identified, priority should be given to heavily protecting these assets.

Insist on clear communication

Boards need to clearly understand the issues so that they know how much investment is needed and what initiatives should be prioritized.

Information should be relayed in a clear business context. Lead and lag indicators, as well as contextual information about the industry can assist boards in providing a clear picture of the current and future risks. In particular, lead indicators focusing on governance and metrics can help identify how well issues are being managed today and provide valuable insight into the potential future-state risks.

Develop an enterprise-wide response

Response to cyber-attacks should no longer be the responsibility of only the IT department. Businesses need to consider coordinating a response that involves all areas of the business, including media relations, investor and government relations, legal, operations, business, executive risk and any material third parties. Modelling around scenarios should be tested and reported to the board.

Focus on education and awareness

Cyber security is a shared responsibility. Cyber attacks enabled by human errors are a significant contributor to the overall risk organizations face, and this is something that cannot be addressed using technology alone. It is important that the entire organization and relevant third parties are aware of cyber risks they may be exposed to in their everyday work life, and educated on how they should respond to these perceived risks.

Be clear about who owns cyber within your organization

While cyber is an enterprise-wide responsibility, it is essential to have a clear owner for cyber risk within the business.

In many organizations, CFOs are increasingly becoming responsible for the overall cyber risk management strategy. This makes sense as CFOs may be best positioned to ensure that key issues around metrics and reporting are reviewed in the overall business context.

Evaluate cyber insurance

Companies are increasingly investing in cyber insurance. While cyber insurance can be a valuable investment to protect against the impact of cyber incidents, it is essential for boards and the wider business to understand what is, and is not covered. Businesses also need to ensure they have the evidence required to support claims that insurance providers are likely to require.

Do not discourage new technology

Cyber risk should not be a reason to reject the deployment of new technologies. A better response is to learn how to deploy technologies securely, embed a culture around ‘security by design’ and introduce clear business guidelines for their use.

Burgess Cooper is partner – cyber security at EY.