Mention cybersecurity these days and reactions vary from concern to all-out dismay and anxiety. We are living in an era of extreme technological transformation, whether it be due to the emergence of the cloud, increased mobile use, social media, or the growth of the “internet of things” or, as it has sometimes been called, “the internet of everything.” The side effect of this proliferation of our digital life is increased risk and the need to protect the immeasurable data that sometimes feels like it is simply “out there.”
These challenges are compounded by the fact that there is little to no precedent. We do not have guidebooks, or veterans who have seen it all before. Witness this week’s attack, which was even worse than last month’s “Wanna Cry” debacle. “Wanna Cry” has been estimated to have held computers hostage in at least 99 countries. Computers infected with “Wanna Cry” malware became locked until a ransom was paid. If this is not enough, did you know that all of the following companies have had data breaches that affected the privacy of their customers or employees: Target, Sony Pictures Entertainment, Home Depot, EBay and JPMorgan (to mention just a few).
Leaders in government and all types of organizations must have a strategy to deal with this risk. They must plan, anticipate and prepare accordingly. Within the context of business as well as non-profit and educational institutions, boards of directors or trustees need to lay the groundwork for a cybersecurity framework that will protect their organization – and if they cannot protect it, then they must have a plan to react so that the damage can be contained.
In 2016, the Chair of the U.S. Securities and Exchange Commission (SEC) stated that cybersecurity is the biggest threat facing the financial system. “Adversaries including organized crime groups, terrorists, and nation-states, are constantly seeking to access organizations’ most sensitive and valuable information through remote-access attacks. Boards of directors and the C-suite must acknowledge and recognize this business risk, and work to detect and respond to them quickly to mitigate the consequences. The leadership must set the pace for the rest of the organization, and it starts with awareness of the threat and a sense of urgency to respond. Anything less is unacceptable,” said Shawn Henry, CSO of CrowdStrike Inc., a cybersecurity company based in California.
The weight of the responsibility to keep an organization safe from cyber threats is placed on the CEO, CIO/CTO/CSO, and the executive team. However, in the 2016 Deloitte Board Practices Survey respondents (members of the Society for Corporate Governance) “ranked cyber as the number one risk their boards are focused on.”
It is critical for every organization to go beyond a mere discussion in the boardroom of the probability of cyber-attacks to the actual implementation of a comprehensive cybersecurity governance framework that addresses all of its cybersecurity requirements. Boards must be well versed in the most up-to-date issues and cyber challenges. They must be able to properly assess threats as well as the plans, programs and talent being engaged to contain them. Earlier this year the Senate introduced the Cybersecurity Disclosure Act of 2017 (S. 536). This legislation requires companies to explain in their SEC filings whether cybersecurity expertise exists on their boards and, if not, why that expertise is unnecessary because of other steps taken by the company.
As more organizations rely on computers for everything, cyber criminals are invariably looking for lapses in security. Advances in technology are not limited to those on the right side of the law, and there are new threats constantly. It is not enough for a board to simply listen to a report by the company’s CIO or CTO at a quarterly board meeting. Cyber planning must be an integral part of strategic planning and risk management. And by the way, the rate of obsolescence in technology is swift, so even if a company has a cyber expert on its board, it must ensure that that expert’s knowledge and skills are kept up to date.
Boards and the companies they serve must not only be aware of the flurry of cyber threats, but they must be proactive and strategic in dealing with them. They cannot afford to sit idly and wait for something to happen. They must be educated and prepared. Procrastinating on this issue can have some pretty grave consequences.