September 3, 2025
Cybersecurity: Preparing Your Board for Nation-State Cyber Threats
Apparently, some nice folks in Moscow decided to jam the GPS navigation of a plane carrying EC President Ursula von der Leyen over the weekend. That’s just the latest in a series of high-impact cyber attacks that have allegedly been orchestrated by nation-states over the past several years. In the current geopolitical environment, boards need to be prepared to address threats like these. This Harvard Governance blog summarizes a recent report that says that boards aren’t doing enough and also offers recommendations on what directors should do to help their companies address these emerging risks.
The report says that while 79% of directors at companies with international exposure view geopolitical risks as a threat, less than 10% are prioritizing the management of those risks. The report identifies several key areas on which the board should focus to help ensure that their companies are prepared to deal with these threats. Here are some specific recommendations:
– Supporting a culture of security across the organization. Foster employee awareness regarding security risks by encouraging accountability at all levels and providing continuous training and education. Demonstrate the importance of this culture by leading from the top, including considering national security risk in governance decisions and setting a responsible tone.
– Establishing a risk management framework that takes into consideration national security issues. Develop a holistic risk management framework that accounts for national security threats so that they can be properly assessed and mitigated. This framework should not remain static but instead be regularly reviewed for evolving threats and updated as needed. Beyond this framework, the organization’s policies and procedures should also compensate for national security threats.
– Strengthening protections around critical assets. Invest in protection measures like network segmentation, multifactor authentication and endpoint detection to secure critical assets and limit access if breached. Conducting regular cybersecurity program assessments is also necessary to identify vulnerabilities and allow for adaptations based on the evolving threat landscape. Critical assets can be further protected by ensuring that sensitive IP is encrypted at rest and in transit and by deploying data loss prevention solutions to prevent unauthorized data exfiltration.
The report also recommends collaborating with advisors with expertise in national security issues and complex regulatory environments, and urges companies to develop and test a crisis communication plan that includes identifying reporting obligations in advance.
– John Jenkins