Beyond core company growth and profit, board directors have plenty of competing priorities they “must” attend to, such as regulatory change, the digital economy, culture, diversity, investor relations, political events like Brexit…the list goes on. And cybersecurity should be in there somewhere.
It’s tempting, even logical, to delegate some of these issues, or streamline them into a “tick-box” compliance approach, especially the more technical risks like cybersecurity. But when it comes to information security, that would be a mistake for two reasons: the sudden surge in cybercrime in 2016/17 requires a C-suite response; and, year after year, the sobering fact is that failing to “own” cybersecurity has cost a succession of CEOs their job.
That roll-call of resignations grew recently: Richard Smith, CEO of global credit-scoring firm Equifax, quit in September after hackers accessed the personal data of 145 million customers—a disaster for a company whose whole raison d’être is safely managing data.
Smith is not alone. Last year, Walter Stephan was fired after 17 years as CEO of Austrian aerospace parts manufacturer FACC because of an email “phishing” scam that cost his company nearly £40m.
But perhaps the biggest victim of all was Gregg Steinhafel, who stepped down in 2014 as CEO of giant US discount retailer Target, after a massive hack attack exposed the credit card or other data of up to 110 million customers.
Learning the lessons
It’s vital that board directors learn from these failings, at a time when the cyber-threat has never been more severe. Hackers used to target single companies, but now they have gone global. The WannaCry ransomware attack in May hit roughly 200,000 organisations in 150 countries, including much of Britain’s NHS, while follow-up malware NotPetya affected 60 countries.
This prompted a warning in September from Rob Wainwright, head of the European police agency Europol: “The global impact of huge cybersecurity events such as WannaCry has taken the threat from cybercrime to another level. Major businesses are now targeted on a scale not seen before.”
Indeed, Lloyd’s of London recently calculated the cost of a likely future global cyberattack at a staggering $53bn—about equal to the damage caused by Hurricane Sandy in 2012, putting cyber-risk on a par with a full-blown natural disaster.
So how can board directors respond? Some core advice comes from one CEO who actually held on to her job despite the hackers’ best efforts. In 2015 Dido Harding survived as head of UK telecoms company TalkTalk after 150,000 customers’ bank details were stolen, because she learned one key lesson: “Business leaders want to abdicate responsibility for cybersecurity, but they can’t. And I learned that in the heat of battle.”
Her message, echoed by cybersecurity experts, is that most boards are still not taking cybersecurity seriously enough. Instead, directors should lead by example. How exactly? This can be summed up in three actions:
1. Get involved
The most important thing a director can do is to take information risk seriously in their own job. Don’t delegate: set an example on security and the rest of the business can follow.
Take core information like board packs. How many directors still access this data via unsecured private email accounts (despite the hugely damaging controversy surrounding Hillary Clinton’s use of her private email for official business)? Or worse still, on paper? And how many directors still store sensitive information in more vulnerable external systems like OneDrive, Google Drive, Dropbox or Box.com?
There are digital products available, like Brainloop, that enable management teams to securely store and share documents, internally and with auditors and other outside parties.
As Brainloop MD Mark Edge explains: “Brainloop builds in security from the ground up to protect an organisation’s most sensitive information, including best practices like encrypting the data being distributed, and functionality tailored to the permissions that each employee, business partner or board member has been given.”
Emma Sloan, deputy company secretary at Brainloop customer Thames Water, confirms: “With the Brainloop Board Portal, we are able to securely build and manage board packs from home or any other location or device. And this is a huge benefit.”
It is all about behaviour and culture: board directors who embrace cyber best practice set a standard that starts at the top and filters all the way down. Lead by example.
2. Get informed
Learn about the growing cyber-threat and respond to it in a practical, targeted way. For example, people are a key security risk for companies, and making sure employees act in the right way is just as vital as any technical response to cyber-risk. It’s known as “securing the human”, and board directors can play a key role in ensuring this happens.
Crucially, phishing scams are still the root cause of most data breaches, where staff are fooled by plausible emails into opening malware-laden documents that infect their computer, then the whole corporate network. Or employees are conned by email scams, like the one that lost FACC CEO Walter Stephan his job. (In his case it was a “whaling” not phishing email because it hooked a bigger fish.)
So, train your staff to be cyber-aware. Make sure your IT team runs regular tests across the business to alert employees to the risk. Ensure IT knows where all your data, servers and devices are, who has access to them and how they are protected, and that it “patches” all software regularly, because most attacks are preventable. Security firm Verizon estimates that 85% of successful cyberattacks are caused by just ten known bugs that any organisation could readily patch and protect themselves from.
3. Get innovative
It’s virtually impossible to be immune to cyberattacks. Directors must simply manage the risk involved as best they can. So challenge your tech team to see what more they can do. Look back at any past breaches or attacks: what can you learn?
Test your cyber-defences with “red teaming”, where outside security experts mount live hack attacks on your network to expose weaknesses. This will help you and your cyber team understand the threats to your networks, and actively protect against them. But you also need to ensure that you are prepared for what to do after a breach.
As governance expert Lee Edge, director at GRC Edge Consulting, advises: “Deniability is too easy. The board should understand the key first actions required in the event of a breach and should have carried out a test. Engaging with contacts within your legal department, insurance and law enforcement should form part of your disaster-recovery testing. Know who you will be reaching out to!”
The cyber-risk is growing, and current business trends mean it will only get worse. More data is being moved outside organisations: into cloud storage; shared with customers and global supply chain partners; or held on mobile devices used by staff outside the corporate perimeter.
And there are whole new levels of risk and vulnerability from the digitisation of business: Gartner predicts there will be 20 billion “connected” devices worldwide by 2020, as e-commerce and online information sharing become ever more widespread.
All this means that organisations are increasingly vulnerable to hackers infiltrating them via an attack on one of their partner companies or customers, as happened to Target in the US. As Lee Edge warns: “Boards need to be aware of the impact of not only cybercrime against themselves but also their third parties. Third-party risk management teams should ensure they have carried out cyber due-diligence where possible.”
What is more, the cost of neglecting cybersecurity is rising, as new data protection regulations, such as Europe’s forthcoming GDPR (General Data Protection Regulation) law, come into force. From April 2018, GDPR will levy fines of €20m or up to 4% of annual turnover on businesses that fail to follow data privacy and protection best practice.
Perhaps even more significantly, it mandates reporting of breaches. So it is no longer an option to sweep this under the rug.
Yet in the face of this, fewer than half of boards are involved in their cybersecurity strategy, according to PwC. Communication with staff, IT and customers is vital. Directors can demonstrate their leadership by “owning” cybersecurity themselves, and by demanding that others do the same.
This article has been prepared in collaboration with Brainloop, a supporter of Board Agenda.