Page 13 - IMDR Journal 2025
Research Article
remediation) typically far exceeds prevention costs.

● Employee Training and Awareness: Human error remains the top factor in breaches. In 2025, 95% of breaches involved some human mistake. Regular, targeted training is crucial: simulated phishing exercises, clear guidelines on credential handling, and enforcement of strong password and MFA policies. SFO's attack relied on phishing out credentials, and BA's breach also exploited social engineering; better-trained employees might have raised early alarms.

● Third-Party and Vendor Risk Management: Both cases likely involved external partners (contractor networks at SFO, a cargo vendor at BA). Enterprises must rigorously vet and monitor their vendors' security practices. This includes requiring suppliers to comply with standards (e.g., ISO 27001 certification or NIST CSF alignment) and conducting periodic audits. Attackers often pivot through weak supply-chain links, so a systematic vendor risk program is needed to map dependencies and set security criteria for third parties.

● Regulatory Compliance and Penalties: Since GDPR and similar laws, protecting personal data is both an ethical and a legal mandate. Companies must implement privacy by design and report breaches promptly. For example, GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a breach. Non-compliance can lead to fines of up to 4% of global annual turnover. The BA case saw an ICO fine (eventually £20m) for lacking basic protections. Organisations should thus view compliance not as a burden but as part of a risk mitigation strategy.

● Crisis Communication and Transparency: In the aftermath of a breach, how a company communicates is critical. Firms should have a crisis communication plan that includes timely disclosure to regulators, customers, and the public. As we discuss later, being transparent and proactive can help preserve trust.

In sum, the strategic implications of these breaches involve a shift in mindset: cybersecurity must be built into enterprise strategy, with board oversight, adequate funding, and an organisational culture that values and rewards security practices.

DISCUSSION

1. How would using frameworks like NIST and ISO/IEC 27001 reduce breaches?

Frameworks like the NIST CSF and ISO 27001 provide structured, comprehensive approaches to managing cyber risk. For example, the CSF's Identify function calls for organisations to inventory their assets, threats, and vulnerabilities. If SFO and BA had applied this rigour, they would have systematically logged their critical systems and patch status, likely catching BA's outdated JavaScript library before it was exploited. ISO 27001 similarly enforces regular risk assessments and updates to controls. Under ISO 27001, BA would have identified that logging plain-text card data was an unacceptable risk. These frameworks also mandate protective controls: ISO 27001 Annex A includes cryptographic and access-management controls, while NIST stresses multi-factor authentication as a standard protective measure. Had SFO required MFA for employee logins, stolen passwords alone would not have sufficed to breach its systems (provided the MFA method itself resists phishing, since one-time codes can be relayed through the same phishing page that captured the password).

Moreover, the CSF's Detect function encourages continuous monitoring. With a SIEM or intrusion detection system in place, anomalies (such as unusual data exfiltration) could have triggered alerts. Both breaches went undiscovered for weeks; adherence to the frameworks' monitoring guidance would have caught the intrusions sooner. Finally, both frameworks emphasise response and recovery planning (the CSF's Respond and Recover functions). ISO 27001 demands incident response procedures and lessons-learned reviews, while NIST calls for established communication channels during an incident. These might have led to faster mitigation when the SFO and BA breaches occurred. In summary, formal adoption of the NIST CSF and ISO 27001 would likely have led to better-prepared organisations. They provide a "common language" and lifecycle approach that, if fully implemented, can significantly reduce the likelihood and impact of breaches.

2. If you were on the board, what policies would you formulate after the breach?

As a board director, immediate policy actions would focus on strengthening governance and incident readiness. First, I would mandate a comprehensive incident response plan. This includes clearly defining which events constitute a reportable incident and establishing reporting chains. We would ensure roles are assigned (e.g., the CISO leads the response) and conduct regular tabletop exercises. Board members should also require independent cybersecurity audits and risk assessments. This policy would call for periodic (e.g., annual) third-party reviews of security controls against standards like ISO 27001, and penetration tests to uncover vulnerabilities.

Second, the board must establish clear security policies around authentication and data encryption. For example, enforce MFA for all sensitive systems (particularly for remote logins) and require encryption of personal data at rest and in transit. Relatedly, access control policies would limit user privileges to only what is needed, reducing the "blast radius" if a credential is compromised.

Third, I would implement a vendor security policy. Any third-party provider must demonstrate compliance with security benchmarks (potentially ISO 27001 certification). Contracts would include audit rights and breach notification requirements.

Fourth, budgetary policies: cybersecurity should be treated as an ongoing investment, not an ad-hoc expense. The board would allocate dedicated funding for security tools (SIEM, advanced endpoint protection) and staffing. We would tie a portion of executive compensation to security metrics (e.g., timely patching, incident response drill performance) to ensure leadership ownership.

Finally, a transparency policy: the board would commit to the timely disclosure of breaches to regulators and customers, in line with legal requirements. We would also develop a PR strategy to manage public communication during crises. In summary, board policies would span

