Nothing keeps directors and officers up at night more than the thought of having a cyber breach made public. Of course, being the victim of a breach is no party either, but experiencing a breach and then quickly resolving it is much better than having to go before the press and explain that personal and confidential data is now out in the wilds of the dark web, for sale to the highest bidder.
Cybersecurity is unique among the various challenges facing the board. More than anything else, the inner workings of the IT systems and the controls in place to protect the data stored within are so far removed from what the board members are familiar with that they feel they are at the mercy of the IT geeks who push the buttons. However, this doesn’t have to be the case. Board members can take steps to ensure they are on top of both the organization’s efforts to protect data and the way they respond when the walls are breached. Some things to consider are:
1. Recognize that it’s not ‘If’ but ‘When’
It’s easy to think that bad things happen to the other guy. Unfortunately, in the highly interconnected, interdependent world of digital data and communications, every organization, no matter how large or small, is a potential target. Breaches are on the rise: according to Statista, the number of reported breaches has increased steadily year over year since 2011, with a steep upward trend in the past few years (2017 had almost 50% more breaches than 2016).
Traditionally, IT has protected data by building ever higher walls around it. Analysis of recent breaches shows that walls alone are no longer sufficient. The new norm is a more holistic approach: training the people who handle data to recognize malicious attempts, and shoring up the weak links, such as third-party vendors, through which attackers route around the walls.
Despite protections, and given the odds, every organization should have a response plan in place so that they can calmly, confidently deal with a cyber incident when it occurs. Because it likely will.
2. Everyone plays a part in cybersecurity preparedness
According to the indictment handed down by the United States Justice Department on July 13, 2018 against 12 Russian intelligence officers concerning their alleged role in hacking the computers of the Democratic National Committee, an email crafted to look like a security notification from Google, and personalized for the recipient, was sent to a number of Clinton campaign staff members “instructing the user to change his password by clicking the embedded link”. The campaign chairman followed the instructions in the email, handing his credentials to the attackers. Similar phishing of DCCC and DNC staff gave the Russian team a foothold on the DNC’s network, from which they monitored computer activity and surreptitiously extracted data.
This type of attack is called spear phishing because, unlike bulk phishing that blankets thousands of addresses with the same lure, the email is aimed at a specific, researched target. Only one victim is needed to gain illicit access, and once the attacker holds that person’s credentials it makes no difference how high the walls are: the attacker is already on the inside.
Technical controls exist for authenticating email (SPF, DKIM and DMARC let a receiving mail server check that a message really came from the domain it claims to), but they are not universally deployed, and they do nothing against a lookalike domain the attacker legitimately owns. The best defense is still educating the people who use the data so that they are aware of the threats and will, at the very least, treat with suspicion any email they can’t positively identify as legitimate. Every user is responsible for the organization’s cybersecurity.
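To make the two ideas above concrete (what the authentication headers actually tell a mail server, and why a user still has to look at the link), here is an added example of the kind of triage a mail gateway or a help desk script can run over a suspicious message. It is not code from the original post or from the DOJ indictment; the message, the domains (`accounts-google-security.com`, `google.com-security.tk`, `example.org`) and the `BRANDS` list are all constructed for illustration. It parses the message, reads the `Authentication-Results` header the receiving server added, and flags a lookalike sender domain and a link whose visible text points at one domain while its `href` goes somewhere else, which is exactly the shape of the password-reset lure described above.

```python
"""Heuristic triage of a suspicious email (added example, not from the original post).

Flags three signs of a password-reset lure:
  1. the receiving server recorded a DMARC failure for the From domain,
  2. the sending (Return-Path) domain is a lookalike of a trusted brand,
  3. a link's visible text names one domain while its href goes to another.
All message text, domains and the BRANDS list below are constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BRANDS = {"google.com", "microsoft.com", "example.org"}  # assumed: domains the organization trusts

# Constructed sample: personalised "security notification" with a spoofed From header.
SAMPLE_EMAIL = """\
Return-Path: <no-reply@accounts-google-security.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=accounts-google-security.com; dmarc=fail header.from=google.com
From: Google <no-reply@google.com>
To: J. Staffer <jstaffer@example.org>
Subject: Someone has your password
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi J.,</p>
<p>Someone just used your password to try to sign in to your Google Account.</p>
<p>You should change your password immediately:
<a href="http://myaccount.google.com-security.tk/reset?u=jstaffer">https://myaccount.google.com/security</a></p>
</body></html>
"""

# Constructed sample of a legitimate notification, to show the checks stay quiet on it.
CLEAN_EMAIL = """\
Return-Path: <no-reply@google.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=google.com; dkim=pass header.d=google.com; dmarc=pass header.from=google.com
From: Google <no-reply@google.com>
To: J. Staffer <jstaffer@example.org>
Subject: Security alert
Content-Type: text/html; charset="utf-8"

<html><body><p>Review recent activity at
<a href="https://myaccount.google.com/notifications">https://myaccount.google.com/notifications</a></p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    collector = _LinkCollector()
    collector.feed(html)
    return collector.links


def registered_domain(host):
    """Last two labels of a hostname. Assumption for brevity: no public-suffix list,
    so a 'co.uk' style domain would be cut one label short."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_of(url_or_addr):
    """Hostname of a URL, or the domain part of an email address (with or without <>)."""
    if "@" in url_or_addr and "://" not in url_or_addr:
        return url_or_addr.rsplit("@", 1)[1].strip("<> ").lower()
    parsed = urlparse(url_or_addr if "://" in url_or_addr else "http://" + url_or_addr)
    return (parsed.hostname or "").lower()


def lookalike_brand(host, brands):
    """Return the brand a hostname imitates: it contains the brand's name
    but is not registered under the brand's own domain."""
    reg = registered_domain(host)
    for brand in brands:
        if reg != brand and brand.split(".")[0] in host:
            return brand
    return None


def parse_auth_results(msg):
    """Pull spf/dkim/dmarc verdicts out of Authentication-Results (RFC 8601)."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header)):
            verdicts[method] = result.lower()
    return verdicts


def triage(raw_message, brands=BRANDS):
    """Return the authentication verdicts and a list of human-readable findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_host = host_of(parseaddr(str(msg["From"]))[1])
    ret_host = host_of(str(msg.get("Return-Path", "")))
    auth = parse_auth_results(msg)

    if auth.get("dmarc") == "fail":
        findings.append(f"DMARC failed for From domain {from_host}")
    if ret_host and registered_domain(ret_host) != registered_domain(from_host):
        findings.append(f"Return-Path domain {ret_host} does not match From domain {from_host}")
    if (brand := lookalike_brand(ret_host, brands)):
        findings.append(f"Return-Path domain {ret_host} imitates {brand}")

    body = msg.get_body(preferencelist=("html",))
    for href, text in extract_links(body.get_content() if body else ""):
        href_host = host_of(href)
        # Only treat the visible text as a URL if it actually looks like one.
        looks_like_url = re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I)
        text_host = host_of(text) if looks_like_url else ""
        if text_host and registered_domain(text_host) != registered_domain(href_host):
            findings.append(f"Link text shows {text_host} but points to {href_host}")
        if (brand := lookalike_brand(href_host, brands)):
            findings.append(f"Link target {href_host} imitates {brand}")
    return {"from": from_host, "auth": auth, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        report = triage(raw)
        print(name, report["auth"], *report["findings"], sep="\n  ")
```

Note what each check would and would not have caught: the DMARC failure only appears because the sender spoofed the real brand domain in `From`; had the attacker put the lookalike domain in `From` as well, SPF and DMARC would both pass, and the only remaining signals would be the lookalike name and the mismatched link, which is why user awareness still matters.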
3. Develop a risk-managed approach to cybersecurity
Building on the assumption that the organization will be hacked regardless of the safeguards put in place, the only practical strategy is to implement a plan to manage the risk and the resulting fallout. By doing this, the board will recognize that:
- Cybersecurity should be a consideration in all decision-making activities, across the entire organization;
- Cybersecurity incidents are a cost to the organization that needs to be identified and accounted for; and
- Contingency plans to ensure business continuity in the event of a breach need to be developed and updated.
4. Protect the crown jewels
When the attackers get in, they should find only breadcrumbs, not the treasure. Perimeter walls play a part in the overall cybersecurity landscape, but defense in depth is a much better strategy. If the corporate crown jewels, the data that matters most, can be identified, additional measures can be taken to limit and monitor access to that information. The trick is that, in most organizations, finding the crown jewels is a major undertaking. The answer is to implement real, effective Information Governance.
Information Governance is a term often spoken but rarely followed in the boardroom. Proper Information Governance comprises a plan to identify and manage all of the corporate information, whether it is big data residing in corporate server farms or text messages on employees’ mobile devices. It also includes periodic auditing and refresher training for staff, to ensure that the information is continually managed. Once all the information is catalogued and classified, carving out the most important bits so they can receive added protections becomes straightforward.
5. Don’t try to hide it
In September 2016, Yahoo! made public that hundreds of millions of user accounts had been compromised two years earlier, in 2014, in an incident that senior management knew about at the time but didn’t report. The day after the confession, Yahoo! stock fell by more than 3%, and management agreed to lower its selling price to Verizon by 7.25% ($350 million). Yahoo! was also fined by the United Kingdom Information Commissioner’s Office. The Securities and Exchange Commission eventually fined Yahoo! $35 million for misleading investors: its annual filings for 2014 through 2016 did not mention the breach.
Canada’s Digital Privacy Act amendments to PIPEDA come into force on November 1, 2018 and will require reporting of breaches that pose a real risk of significant harm to both the federal Privacy Commissioner and all affected individuals “as soon as feasible after the organization determines that the breach has occurred”. (See our blog post for more information.) Directors and officers should be aware of these requirements and of the consequences for their organizations.
The organization’s cyber response plan must include detailed reporting instructions so that both regulatory and public relations requirements are met in a timely manner. It should be vetted and tested as part of simulated data breach response exercises.