Dear Board Members, we are under attack!

The NASDAQ report revealed that more than 90% of corporate board members and executives said that they cannot read a cybersecurity report and are not prepared to handle a major cyber-attack.

The scenery

The most recent report has astonished wider public with the statement that, in one of the biggest data breaches ever, a hacker gained access to 100 million Capital One credit card applications and accounts! According to a court filing, former Amazon Web Services softer engineer was able to gain access by exploiting a misconfigured web application firewall. The hacked company assures its clients that it will not cost more (?) than USD100 million (!) to fix the problem.

The costs of cybercrime are, unfortunately, extremely high these days. As Panda security reported, this year we have seen how a church lost USD1.75 million in a Business email compromise (BEC) scam; two cities in Florida paid ransoms totalling over a million dollars after ransomware attacks; British Airways had to pay a fine of £183 million; and Equifax has agreed to pay up USD700 million to compensate the 147 million victims of the data breach.

Cybercrime cost the global economy a staggering USD1.5 billion in 2018 alone! This corresponds to about USD2.87 million lost every minute across the world last year. The RiskIQ’s latest ‘Evil Internet Minute’ report warns that, in 2018, individual organisations paid out about USD25 every minute due to cybersecurity breaches! The 2018 Cyber Incident & Breach Trends Reporteven suggests a more horrifying figure: the worldwide economic impact of cybercrime was at least USD45 billion in 2018!

Are we taking it seriously?

The Nucleus Cyber 2019 Insider Threat Report shows that the majority (70%) of the surveyed 400,000 employees of various organisations admitted that 60% of their companies experienced an attack in 2018.  

Yet, most small and medium businesses are seriously underestimating their vulnerability to cyberattacks, according to a new study. Despite the fact that 67% of small and medium enterprises (SMEs) were attacked last year, an astounding 66% of these organisations do not believe they are vulnerable to cyberattacks!

In fact, the size of the company does not matter – we are all under the siege! The attack vectors are becoming more versatile, showing over and over again that the human factor is still the weakest cybersecurity link. This should clearly translate in an effective strategy:  cybersecurity is not only an IT matter but should be the highest concern of all stakeholders in an organisation. However, this is not the case in many companies.

Historically, many senior leaders and executives have a very narrow view of cybersecurity either as a technical matter or in a stovepipe that was independent of organisational risk and traditional management. This perspective prevents organisational decision-makers of aptly considering how cybersecurity risks affect the business mission and function – and, ultimately, business success.

The NASDAQ report revealed that more than 90% of corporate board members and executives said that they cannot read a cybersecurity report and are not prepared to handle a major cyber-attack. Even more distressing is the fact that 40% of executives said they do not feel responsible for the repercussions of hackings.

A very recent Yahoo lawsuit should be a wake-up call for boards and executives. This high-profile data breach case suggests that the relative safety that directors and C-suite officers have previously experienced from cybersecurity-related suits – may be coming to an end. On 4 January 2019, the Superior Court of California approved a USD29 million settlement in consolidated derivative litigation. This lawsuit was brought against directors and senior officers of Yahoo arising out of two data breaches compromising sensitive information of over one billion Yahoo users.

How Boards can make a difference?

Typically, boards have three responsibilities: to get the leadership (C-Level) of the company right, to review and approve the organisational strategy and to get the risks that company faces (compliance with laws and regulations, and ‘safety’ of shareholders). In this increasingly digitally interconnected business world, none of these responsibilities can be fulfilled without considering cybersecurity risks.

Just flinging money at the mounting problem of managing cyber risk will obviously not solve cybersecurity problems. Proactive boards are now recognising the need to educate its members on the organisational cyber risk profile and ensure that sufficient expertise is available to provide ongoing insight and advice. This must be followed by regular reviews of cyber risk management plans and assessment of the company’s cyber breach readiness.

For securing organisational corporate assets, board members should understand three key points: security drivers and risks, principles of overseeing cybersecurity, and the way of assessing the company’s digital safety.

In this regard,The National Association of Corporate Directors (NACD) provides five guiding principles to consider when taking an active role in corporate security decisions. Firstly, directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.

Secondly, directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances. Thirdly, boards should have adequate access to cybersecurity expertise. Discussions about cyber risk management should be given regular and adequate time on the board meeting agenda.

Fourthly, directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget. Lastly, board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

As a final point, we must stress that even with the best plans in place, it is vital to acknowledge that cyber risk cannot be completely eliminated. Breaches are inevitable, but boards can mitigate risk and damages by staying informed and ensuring that, in the event of a breach, their company is prepared to respond effectively.

Advice to Chief Security Officers (CSOs)

Based on our previous notice that more than 90% of corporate executives said they cannot read a cybersecurity report, we advise CSOs to pay particular attention when communicating cybersecurity issues to the organisational boards and CEOs.

First of all, convince them that cybersecurity is not a technical/technological issue but an organisational one. Try to credibly persuade them that leadership has to coordinate issues between various business units as these units have resources and responsibilities.

Furthermore, help the board to grasp a basic understanding of cybersecurity issues, i.e. to develop a basic awareness of cybersecurity risks. I this regard, help them to understand what are crucial organisational assists that need protection.

Also, use suitable tools or frameworks that show the progress of cybersecurity activities. And, highly important, avoid cybersecurity jargon as much as possible.

Leave a Reply

Your email address will not be published. Required fields are marked *