Edition: International | Greek

Home » Analyses

Cybersecurity: The role of the board

A three-step process for board directors to start improving cyber-oversight

By: EBR - Posted: Friday, August 04, 2017

text size [–] [+]
Board members usually have not discussed cyber risk with the management team. It is extremely important to have a dedicated discussion that ends with consensus and commitment. The conversation should go beyond the obvious. For example, leaders at manufacturing firms should consider all possible ramifications of supply chain interruptions and communication lapses. After the initial conversation, reassessments should take place on a semi-regular basis.
Board members usually have not discussed cyber risk with the management team. It is extremely important to have a dedicated discussion that ends with consensus and commitment. The conversation should go beyond the obvious. For example, leaders at manufacturing firms should consider all possible ramifications of supply chain interruptions and communication lapses. After the initial conversation, reassessments should take place on a semi-regular basis.

MORE ON Analyses

by Mikko Niemelä*

In 2016, cybercrime cost U.S. firms more than US$17 million on average, based on a benchmark study of 237 global companies. According to a think-tank report, the global economic losses caused by cyberattacks total an estimated US$445 billion per year. The reason behind it is very simple. Various studies have estimated that between 70 and 90 percent of organisations and companies around the world just don’t have sufficient cybersecurity.

It is the board’s problem

The most common misconception is that cyberattacks are solely the IT department's responsibility. Whereas IT staff is indeed equipped with appropriate tools and experience to deter or mitigate an attack, it’s up to the CEO to make the right decisions and take adequate actions. And for that to happen, cybersecurity has to be seen as a board responsibility, and discussions about this topic have to originate from the board.

One major problem with boards, however, is that they often don’t have sufficient knowledge, tools and expertise. This is what is often referred to as one of the board’s information gaps, prohibiting effective oversight. But directors’ lack of knowledge doesn’t absolve them of their fiduciary responsibility.  In the face of board inaction, the CEO is confronted with a catch-22: In case of a successful cyberattack, the CEO will take the blame, whereas if the cyberattack is unsuccessful, the board will take credit for the proper decentralisation of responsibility.

A three-step starting point

Boards can begin taking ownership of organisational cybersecurity with a three-step process. The steps outlined below will work for nearly all organisations, but their difficulty will vary by sector. Though they may seem basic, very few boards I’ve come across have done all three.

1) Understand your organisation’s biggest risks.
2) Conduct a “fire drill”.
3) Know what you own.

Understanding cyber risk

Board members usually have not discussed cyber risk with the management team. It is extremely important to have a dedicated discussion that ends with consensus and commitment. The conversation should go beyond the obvious. For example, leaders at manufacturing firms should consider all possible ramifications of supply chain interruptions and communication lapses. After the initial conversation, reassessments should take place on a semi-regular basis.

Here are some general points about cyber risks that may aid exploration:

Risks can stem from an organisation’s public profile. If a company’s operations seem unethical—for example, the firm appears to unjustly fire people or act improperly—the probability of an attack increases.

Intellectual property is also often a reason for a hack. When a business is rich in R&D, unscrupulous actors—competitors, hackers, etc.—may mount a cyberattack to get at its secrets. 

The top three industries targeted for cyberattacks are healthcare, manufacturing and financial services. Sony Pictures, Anthem (an insurance giant) and Target are only three of the better known companies that have been the victim of a cyberattack in recent years.

Fire drills

One can compare testing a company’s cybersecurity functionality to conducting fire drills. In-depth, live testing gives an accurate sense of the organisation’s vulnerability to, and ability to recover from, cyberattacks.

Phishing emails are still the most common starting point for data breaches. Most people are aware of phishing, but don’t realise how easy it is to be taken in by these scams. A good way to signal commitment to cybersecurity is to test board members as a group to see how many of them fall victim to a simulated and targeted phishing attack. Sharing the results with management and employees spreads awareness and reduces embarrassment around the issue. It also makes everyone aware that cybersecurity is a top-level priority.

Over time, organisations can get tougher in enforcing vigilance. For example, Exxon Mobil frequently sends simulated phishing emails to employees. Those who take the bait can have their internet privileges revoked.

Knowing what you own

Often, board directors will unfairly blame IT for cybersecurity failures that actually originate from external sources (vendors, etc.). Boards that perform a cyber-exposure audit for the first time are usually shocked by how much risk resides outside the organisation itself.

Exposure in cyberspace is defined by how connected your organisation is and what its dependencies are. The more a company relies on third-party software, services, clouds and so on, the more vulnerable it becomes. Visible extranet solutions or integrations between companies are risk factors, too.

Essentially, cyber-exposure means that assets, services and processes are somehow accessible through public (and not-so-trusted) networks. It is measured by an organisation’s attack surface.  Examples of exposure points:

• Technical assets (networks, systems, online applications)
• People (email, social media, mobile)
• Information flows between systems
• Processes (maintenance, software development, banking transactions)
• Current security measures for each technical asset

Comprehending the sheer scale and dispersal of the risks should help banish the illusion that IT can manage cybersecurity entirely on its own. Directors should then realise that the final responsibility for an all-pervasive and potentially damaging issue rightly belongs with them.

Focusing on the most critical systems and most obvious findings gives you a jump-start. But remember, the only time a change in security happens is when a point of exposure is assessed and action taken to address the risk. Writing Excel spreadsheets listing the problems is not going to change anything, security-wise.

Final points to remember

The consequences of cybercrime are not limited to a one-time financial hit. The fallout can include reputational damage, in-depth regulatory investigations, long and costly litigations, and of course theft of intellectual property, just to name a few. Each of these entails damage to the company that may take years to undo, if the company is indeed able to fully recover.

To underline our point: No organisation is ever fully protected from cyberattacks, even those with the best possible safety measures. In 2016, hackers published private information on 20,000 FBI employees. Earlier this year, popular education platform Edmodo fell victim to hackers who obtained access to over 77 million user records. The list of such high-profile breaches is growing at a rate never seen before—a trend which is likely to continue.

*Mikko S. Niemelä is president and CEO of Kinkayo, a Singapore-based cyber intelligence agency. He is also chairman of Silverskin and author of Anatomy of a Cyberattack.
**First published in knowledge.insead.edu

Europe

AU-EU 2017 Summit: A summit that must make history

Amidst an unprecedented migration crisis, new security threats, and rapidly growing populations, it’s no secret that Africa and Europe need a redefined partnership that delivers jobs, growth, and security to both continents, argues Dorine Nininahazwe

Business

The Growing Importance of Social Skills in the Labor Market

Labor market rewards to performing routine tasks have fallen, while the returns to workers’ ability to cooperate and adapt to changing circumstances have risen

Editor’s Column

Greece is recovering, ’slowly but steadily’

By: N. Peter Kramer

Greece is recovering 'slowly but steadily' after eight years of crisis and recession. That was the message Prime Minister Tsipras brought to the members of the American-Hellenic Chamber of Commerce in Athens on December 5

MARKET INDICES


Live World Indices are Powered by Forexpros - The Leading Financial Portal.

Magazine

View 4/2017 2017 Digital edition

Current Issue

4/2017 2017

View past issues
Subscribe
Advertise
Digital edition

All contents © Copyright EMG Strategic Consulting Ltd. 1997-2017. All Rights Reserved   |   Home Page  |   Disclaimer  |   Website by Theratron