Boards are being told to rethink their role in cybersecurity

by CybrGPT

Boards of directors are being told that cybersecurity is now central to business resilience and growth, and that they must engage more directly in the way their organizations manage risk. A new report from Google Cloud’s Office of the CISO lays out three areas where board oversight is becoming especially important: ransomware, cyber-enabled fraud, and the intersection of innovation and cybersecurity.

Ransomware is shifting to identity and help desks

The report describes how ransomware attacks have become more targeted and disruptive. Threat actors are no longer just encrypting files. They are exploiting identity systems, help desks, and cloud infrastructure. One example highlighted is the growing use of social engineering against help desk staff, where attackers impersonate employees and convince support teams to reset credentials or modify multifactor authentication settings. By doing so, they bypass technical defenses and gain control of accounts.

The report emphasizes that boards should pay attention to how identity is protected inside their organizations. Security teams may face resistance when trying to roll out stronger protections such as phishing-resistant multifactor authentication. Boards, according to the report, are in a position to set the tone and ensure these measures are adopted.

The document also points out that digital transformation and cloud adoption introduce new risks. Attackers are moving easily between on-premises and cloud environments, often using compromised single sign-on credentials to expand access across systems. Boards are advised to make sure that investments in identity controls and monitoring are aligned with this reality.

Fraud is now a boardroom issue

The second theme of the report is cyber-enabled fraud, which is described as one of the fastest-growing threats to businesses. Fraud schemes such as SMS phishing, business email compromise, account takeovers, and long-term scams involving fake cryptocurrency investments are taking a major toll.

The report outlines a framework for boards to oversee fraud prevention. It starts with mapping how money flows in and out of the organization and understanding the points where those flows can be attacked. Boards are encouraged to ask management whether controls such as multifactor authentication and dual approvals are being applied to critical financial processes.

High-risk transactions such as wire transfers and real-time payments require closer scrutiny, the report says. It also recommends using frameworks that break fraud into stages, so organizations can respond more effectively at each step. Boards are reminded that their role is to ensure that fraud incidents are followed by blameless post-mortems. These reviews should identify weaknesses without assigning personal fault, which helps organizations improve controls and set thresholds for financial risk.

“Forward-thinking financial institutions leverage fraud prevention as a strategic advantage, creating positive customer experiences and differentiating products through in-channel fraud detection. Some boards have invested in real-time fraud detection, increasing detection rates two-fold and significantly reducing false positives, thereby decreasing resource toil and improving efficiency by identifying fraud within the ecosystem and strengthening controls to minimize losses,” David Stone, Director, Office of the CISO, Google Cloud, told Help Net Security.

Innovation cannot succeed without security

The third area of focus is how boards can support innovation while ensuring cybersecurity is not left behind. The report argues that strong cybersecurity practices can help a company stand out by building trust with customers and enabling faster adoption of new technology.

Boards are urged to encourage a risk-first mindset when new products or services are developed. That means security should be considered early in the process rather than added later. The report suggests that boards push for agile reporting that connects security metrics to business outcomes such as reduced fraud or improved uptime. This kind of reporting makes it easier to adjust resources quickly as threats evolve.

The report also highlights opportunities for boards to support proactive engagement with regulators and industry groups. By viewing regulation as a driver of innovation rather than an obstacle, companies can find ways to strengthen both compliance and security at the same time.


© 2025 cybrgpt.com – All rights reserved.