Boards Can’t Afford to Be Tech-Blind Anymore - Cybersecurity

Face it — in the modern age, no board can afford to be "tech-illiterate" anymore.

We’re living in an era where a single cyberattack can shake up everything: your customers' trust, your company’s reputation, your bottom line — even your board’s legal standing. It's no longer enough to have boardrooms filled only with finance, legal, and governance experts. Today, every board urgently needs a strong IT and cybersecurity voice at the table.

And if they don’t have it yet? It's time to rethink.

The New Reality: Post-COVID Cyber Threats and Digital Risks

Remember when working remotely was something that companies discussed but did not quite implement? Well, COVID-19 changed things overnight. Organisations needed to switch quickly — implementing cloud systems, digital contracts, hybrid offices, and online sales models in weeks rather than years.

In doing so, though, many lost sight of something fundamental: security.

Now, workers commute to cafes, co-working spaces, homes — and every laptop, phone, or tablet is a possible way in for the bad guys. A 2024 Forrester report indicated that 21% of data breaches originated in attacks on off-site devices. Consider it. One misplaced patch or stolen credential, and your company might make the front page — but not for good.

And it's not merely about remote work. Even today, business transactions, customer transactions, and confidential information are being shared on millions of virtual platforms daily. The virtual world is no longer a "side hustle"; it is the business.

Cyberattacks Are Booming — And Boards Are a Step Behind

Cyberattacks are not improving; they are worsening. Weekly attacks increased dramatically in industries such as healthcare, education, telecommunications, and government, according to Check Point's 2025 Security Report.

Hackers aren't only after tech firms anymore — they're going after supply chains, nonprofits, schools, small businesses. No one is "too small" to be noticed.

Most concerning threats boards should lose sleep over?

• Ransomware attacks

• Business email compromises

• Cloud data breaches

• Software supply chain hacks

• AI-driven phishing and fake news

That's correct — now AI is hackers' new BFF. Generative AI is accelerating and simplifying the production of fake emails, convincing deepfakes, and even malware. And the most horrifying thing? Your own staff could be exposing sensitive information unknowingly by utilising open-source AI such as ChatGPT or Gemini to generate reports for work.

Why Boards Must Have Board-Level IT Expertise — And Why Delaying Is Not an Option

The board of directors' job has never been simple — but now it's significantly more complicated and high-risk than it's ever been. In addition to overseeing finances and providing strategic direction, boards now have an even greater burden: protecting the digital destiny of their organisations. In 2025, with cyber risks, AI attacks, data privacy violations, and online reputation management on the daily agenda, boards lacking profound IT capabilities are taking a risky game — a game they are increasingly probable to lose. It's no longer a question of "should we at least consider acquiring tech skills?" It's a question of how fast we can move before a breach, a lawsuit, or a reputational crisis lands on our doorstep.

The COVID-19 Digital Acceleration — And the Risks It Left Behind

The COVID-19 pandemic accelerated a global digital transformation that no industry could avoid. Almost overnight, businesses moved operations online, rolled out remote work models, adopted cloud technologies, and conducted negotiations, transactions, and service deliveries virtually. In this rush, critical vulnerabilities were unintentionally created — vulnerabilities that cybercriminals are now exploiting at unprecedented speed and scale. As of Forrester's 2024 data security report, an astonishing 21% of recent enterprise breaches were caused by breached employee devices utilised remotely. The pandemic infrastructure that was hastily established for survival has now become the new normal — and, in most instances, it was never properly secured. And while boards continue to lead strategic digital efforts like hybrid working models, online-first business channels, and digital customer interactions, they should understand that with each new point of connection there is also a new point of attack.

A Rising Tide of Cyber Threats

While that's been the case for some time now, the landscape of cyber threats itself has been transformed. Ransomware attacks are becoming targeted and costly. Email fraud and business email compromise attacks have been so sophisticated that even veteran executives are being targeted. Cloud data leaks are widespread thanks to misconfigured systems or unsecured APIs. Software supply chain attacks — having hackers infiltrate third-party vendors in order to reach larger businesses — are one of the most rapidly expanding dangers around the world. And geopolitical tensions being what they were in 2025, the dangers come not only from criminal elements but also from state-sponsored elements that see cyberwarfare as an acceptable weapon.

The Hidden Costs of a Data Breach

Compounding this complexity is the fact that AI technologies — generative AI, in particular — have brought with them a new battleground. Cyber attackers have turned AI capabilities into weapons, using them to automate phishing, generate deepfakes capable of deceiving seasoned security teams, and write malware in minutes. On the inside, staff unwittingly contribute to organisational risk by providing sensitive data to open AI platforms to prepare reports, trend analysis, or generate ideas. Without effective AI governance practices and employee training, companies are unintentionally spilling confidential data, sensitive finances, and trade secrets, presenting serious legal and reputational risks.

And yet, in spite of the expanding threats, cybersecurity fatigue is very real in the boardroom and the C-suite. When economic pressures get tighter, cybersecurity budgets are too often viewed as "optional" instead of imperative. A few board members, particularly those with no technical experience, might incorrectly believe that cyber risk was chiefly a pandemic-era issue and that the worst is behind us. This is a perilous misperception. In fact, cyber threats are not only lingering —they're growing. Each postponed investment in cybersecurity, each out-of-date policy, and each unwatched system layer on more exposure.

The economic impact of a breach is apocalyptic. Aside from the upfront expenses, which IBM puts at $4.4 million worldwide on average per breach, there can be long-term consequences: erosion of customer confidence, devastating stock prices, enhanced regulatory attention, executive departures, and multi-year class action litigation. Companies such as Home Depot, Capital One, and Yahoo have settled for hundreds of millions after reviewing prominent breaches. Individual directors in most jurisdictions may be held personally liable for not exercising adequate due diligence in managing digital risk. In an era where data is money, safeguarding digital assets is as basic as safeguarding financial assets.

Growing Regulatory Pressure on Boards

Concurrently, boards are also being increasingly pressured by regulators. In the US, the SEC has proposed new regulations that compel public firms to report "material" cybersecurity breaches in a timely manner and provide information on their board's involvement in overseeing cyber risk. The EU's GDPR regime levies huge fines on mishandling of personal data. Enforcement efforts on cybersecurity and data management are being increasingly initiated by regulators in Canada, Australia, and throughout Asia. Withholding strong board-level evidence of managing digital risks is now a distinct red flag — not only for compliance officials but also for investors, partners, and customers.

Cybersecurity Insurance Is No Longer a Guaranteed Safety Net

Piling onto this uncertainty, cybersecurity insurance, once the sure thing, is increasingly costly, restrictive, and hard to get. Insurers are making policy terms tighter, charging higher premiums, and insisting on more robust evidence of cybersecurity maturity before they will provide coverage. Boards that are unable to demonstrate a serious commitment to digital resilience can either be uninsurable or pay sky-high premiums. In most instances, having a specific cybersecurity specialist on the board can directly impact the organisation's ability to negotiate more favourable insurance terms or even qualify for coverage at all.

Why Boards Must Hardwire IT Expertise Into Governance

With this reality in mind, boards need to urgently reset their skillsets. Merely sending non-technical board members for a weekend cybersecurity bootcamp will not do. Boards need to actively integrate IT and cybersecurity know-how into their fundamental governance frameworks. This involves hiring independent board members with actual hands-on experience in IT systems, cloud security, AI governance, risk reduction, and incident response. It involves taking annual board competence reviews that cover digital risk capability as a priority item. It entails establishing standing cybersecurity committees — much like boards have audit and compensation committees — to provide regular, informed monitoring.

In addition, this IT knowledge must be integrated purposefully into all key boardroom conversations — and not isolated as a "technology problem." If it's whether to sign a new M&A transaction, expanding into a new market, entering a new digital product, or creating a customer data strategy, technology and cyber risks need to be weighed in the same discussion as financial and legal risks.

For IT and Cybersecurity Professionals: Seize the Boardroom Opportunity

For IT and cybersecurity professionals, this change means a huge opportunity. Boardrooms are increasingly seeing that digital leadership is a key competency. But IT professionals need to prepare in earnest. A technical resume will not get you on a board. You need to be able to explain how your skills benefit the organisation in terms of managing risk, driving growth, and safeguarding shareholder value. You need to know governance structures, regulatory requirements, enterprise risk management, and strategic planning. In essence, you need to position yourself not only as a technology expert but as a business-aware digital risk advisor who can lead the organisation into the future with confidence.

On the other hand, for non-IT background traditional board members, upskilling is required. Spending money on cybersecurity certifications, AI governance training, and cloud security awareness is no longer a choice. Digital literacy is fast becoming as important for directors as financial literacy has been over the past decades. Those that are not adaptable to this change will find themselves soon out of touch with the market, or worse, in the middle of a crisis they didn't anticipate.

Final Thoughts: The Board’s Role in Securing the Digital Future

At its essence, the message is straightforward: Boards are the ultimate line of defence in the age of the digital. Organisations cannot innovate, grow, or even exist without robust, reliable digital foundations. And boards cannot discharge their fiduciary responsibilities without adopting IT acumen as an essential competency. The future is for the boards that move boldly, who see technology not as an administrative function, but as a boardroom imperative, and develop the leadership capability to succeed in an era where the next great risk is a click away.