We are living in a borderless cyberspace that is building in complexity by the day. We see the growing prowess and sophistication of cybercriminals, rapid advances in emerging technology like generative AI, and escalating international conflicts, both trade and turf, offering a stage for unparalleled cyberattacks. I often get asked by directors: “How can we become more proactive as a board?” And the answer might never have been more critical.
The answer, in short, is to stop looking at ‘cyber’ as a technology issue. Despite its definition being linked to the protection of digital devices, cybersecurity is a fundamental interdisciplinary risk that has several layers of complexity, and geopolitics and human psychology both have a part to play. It is vital, therefore, that we reframe the narrative to build digital resilience, and I use this article to offer a longer answer on how your board can achieve just that.
Cybersecurity has traditionally been explored by academics as a technology problem; however, it is in fact an interdisciplinary issue involving business, people, and culture. Human error is the fundamental vulnerability in almost every breach we see play out in the boardroom today, and for any organization, the partners in its ecosystem are both the greatest asset and the biggest hindrance to a secure, resilient, and trustworthy digital future. (WEF 2025).
Take the correlated attacks on British retailers Marks & Spencer and Co-op, and the attempted attack on Harrods in April 2025, in which cybercriminals used social engineering to trick employees into giving out passwords and login access. The ransomware attack came via email from an employee of Indian IT giant Tata Consultancy Services, which has provided services to the retailers for over a decade. The Marks & Spencer website was impacted for three months while in ‘rebuild’ mode as the chairman told members of the British parliament, losing more than £300m ($399m) to the company and having profound implications for suppliers, employees, customers, and the total food supply chain.
The human error conversation was brought to life during the coronavirus pandemic when organizations realized their digital resilience relied on employee trust as much as IT infrastructure. In an instant, teams of thousands were forced to log in across the world, using their own Wi-Fi networks and, at times, technology, to access critical and sensitive data. We saw two very different responses unfold. The first was to pause operations and prevent remote working, the second was to trust their employees to make effective decisions.
This is an important first lesson in building digital resilience, so long as trust is accompanied by effective digital awareness training and a culture that encourages people to proactively practice cyber-safe behavior and come forward with mistakes. So how does a board ensure its workforce can be trusted?
“Sending phishing emails to employees in a controlled environment is one of the most popular training exercises, testing which employees interact with a suspicious link and take the bait.”
Digital awareness needs top-down sponsorship, but it begins from the bottom up, ensuring every employee is trained on the dangers of cyber weaknesses. This can range from cyber simulations to internal phishing exercises, but while conducting this type of cybersecurity training is a well-known practice, its effectiveness depends on factors such as sensitivity to humanistic values, frequency of training, and customization.
Sending phishing emails to employees in a controlled environment is one of the most popular training exercises, testing which employees interact with a suspicious link and take the bait. While effective, these tests must be conducted in a safe culture that fosters empathy and enablement, educating staff and motivating them to protect the organization, rather than create a blame or fear culture within.
Like most things, organizations should also commit to continuous learning in small increments rather than an annual exercise. This is particularly important for IT and Financial areas, which are the primary targets for social engineering.
The story of the RMS Titanic serves as a reminder that regulatory compliance does not guarantee safety or security. Despite having 24 lifeboats, four more than required by the British Board of Trade, when the ship sank in 1912, they were still not enough to save the 1,500 casualties. Organizations must adopt a substantive approach to compliance, moving beyond a “tick-the-box” mentality and committing to meeting and exceeding expectations.
Keeping the British theme, in the fall of 2023, we saw the UK National Library fall victim to a major ransomware attack that severely disrupted its operations and compromised sensitive data. The institution decided on a strategy of full transparency, producing and publishing a detailed report on the causes and nature of the attack and its initial recovery. The report offered important lessons for government organizations, NGOs, and businesses about cybersecurity vulnerabilities and crisis management. The British Library’s report went beyond merely explaining what happened and why; it outlined lessons learned and planned changes. This comprehensive approach should be considered standard practice and could potentially be incorporated into government expectations for private companies when they experience a breach.
The attack demonstrates that even institutions with extensive security measures can fall victim to sophisticated cybercriminals. Continual investment in modernizing infrastructure, enhancing security controls, and fostering a security-conscious culture is essential. The potential costs of prevention are far outweighed by the devastating impact of a successful attack on an institution’s operations and reputation.
Breaches are inevitable in the rapidly changing environment that we work in, but directors must ask: How would we respond?
In my work with the IMD Board Program, I teach four elements of digital resilience, each of which poses critical questions for boards. These include:
To build digital resilience, boards must also consider the following:
The WEF recently found regional differences in preparedness.
The conversation about proactive digital resilience should not be restricted to your organization either. The growing complexity of the cyber landscape is exacerbating cyber inequity, broadening the gap between smaller and larger, better-resourced organizations. The same can be said for developed and emerging economies, which is why there is a host of new initiatives focusing on developing intelligence on organized cybercrime. These include the World Economic Forum’s (WEF) Cybercrime Atlas, which uses open-source research to create new insights into the cybercriminal ecosystem.
The WEF recently found regional differences in preparedness. While only 15% of respondents in Europe and North America lacked confidence in their country’s ability to respond to a major cyber incident, for Africa, this figure doubled to 36% and tripled to 42% in Latin America.
When it comes to a cyberattack, board members are always one step behind, which prompts a reactive response.
When it comes to a cyberattack, board members are always one step behind, which prompts a reactive response. However, by building digital resilience from the board down, directors can become more proactive and have a comprehensive, practiced crisis response strategy in action that will protect the psychological safety of their staff and the security of their organization.
Ultimately, we can’t teach our systems without first training the humans who use them.
To create the best customer experience, CXOs should leverage AI to build dynamic systems that adapt in real time to customer needs. We explore how leading companies are using this approach today....
For multinationals, especially in strategically sensitive sectors such as energy, finance, and technology, traditional defense policies offer inspiration as they develop robust AI strategies. ...
To truly transform, organizations must overcome strategic and conceptual pitfalls. Here is why so many leaders continue to get it wrong. ...
CHROs must lead AI adoption in HR, from performance reviews to strategy, balancing risks and rewards while enhancing organizational impact....
Explore first person business intelligence from top minds curated for a global executive audience