Corporate boards have many dimensions of responsibility. Cybersecurity can be one of the most nuanced and important areas of focus for a board, but not all board members are well versed in why and what they need to care about related to cybersecurity.
Cybersecurity is a board level topic for three main reasons:
- Cybersecurity breaches are a serious matter for any company
- Companies must be aware of cybersecurity governance, regulation and compliance
- Everyone in the company and on the board should be responsible and accountable for good cybersecurity practices
Security breaches are serious matters!
Security breaches can hurt companies financially, damage brand reputation, and result in data loss (both personal data and company intellectual property), just to name a few of the impacts. Unfortunately, breaches that impact hundreds of millions or even billions of people are more common than we would like. Some of the more notable cybersecurity breaches you may remember are Equifax back in 2017, Adobe in 2013, and Zynga (the company that makes Words with Friends) in 2019. In July 2020, we saw key high-profile Twitter accounts compromised. You don’t want to see your company name in the news headlines due to a breach!
Cybersecurity governance, regulation and compliance
Besides security breaches, governance in cybersecurity is becoming more important. Governance describes the policies and processes that determine how an organization detects, prevents, and responds to cyber incidents. In many organizations, there is a division between governance and management activities. Board members should be involved in evaluating security-related reporting requirements and the overall competence of the cybersecurity program, policies and procedures. If you are a US public company, there are additional board requirements from the Securities and Exchange Commission that you should be familiar with, such as the requirement for written disclosure of how the board administers its risk oversight function.
Government regulations and compliance also need to be considered. However, just being compliant doesn’t mean you are secure. Cyber legislation has been frequently proposed by Congress over the years. Almost all US states have their own laws about what constitutes a security breach and when a breach must be disclosed. It is important to understand the local, state and federal laws (including international laws) related to cybersecurity wherever you do business.
Everyone is responsible and accountable
Everyone on the board is responsible and could potentially be held accountable for a breach both legally and financially. It is not only the CISO, CSO or CIO’s responsibility to care and do the right thing. We all have a role to play to ensure the company is protected and set up for success.
When one person doesn’t do their part, things can fall apart for a company. For instance, in August 2020, a former Uber company executive was criminally prosecuted for not disclosing a data breach back in 2016. Uber’s former Chief Security Officer was charged with obstruction of justice and concealing a felony for allegedly failing to report their 2016 breach to the Federal Trade Commission. This is the first direct example in the US of an executive facing criminal charges and jail time over how they responded to a data breach.
Evaluating your company’s cybersecurity stance
As you discuss cybersecurity on the board, how do you evaluate your company’s stance? Here are some tips you can start acting on today. This list is by no means complete, but it is a starting point.
- Approach – How does your company approach cybersecurity? The approach your company takes determines how much risk it carries and what you need to do differently.
  - Passive – all threats will just go away and aren’t a big deal
  - Reactive – cybersecurity responsibility is delegated to the IT department, and they react as things happen internally or are seen in the news. They are always playing ‘catch up’
  - Proactive – Seek to avoid issues and pay attention on a regular basis. May consult with third-party companies to ensure the security posture is high
  - Progressive – There is extensive leadership involvement in reviewing the company’s security posture. They hold proactive, frequent reviews knowing that an attack can happen at any time, and may also consult with third-party companies to proactively address weaknesses.
- Risk Management & Compliance – How much time and attention does senior management spend on evaluating cybersecurity risk management practices? Are they up to date on the latest regulations in their city, state, and country?
  - Every company should have an effective risk management plan they are executing towards. They should be gathering and analyzing data from multiple inputs, systems and teams to ensure they aren’t at risk of a major attack. Part of managing the risks is ensuring they are compliant with government rules and regulations. The company should understand and know the laws that impact them.
- Review of Procedures – How often are you reviewing your cybersecurity policies and procedures?
  - Ideally you would want to review these policies and procedures at least 2x/year and whenever there is a major change within the company (e.g. arrival or departure of key personnel, a merger/acquisition, a re-org, new regulatory requirements, etc.)
- Security Hygiene – Does the company practice good security hygiene?
  - Your company should keep up to date with the latest patches/updates for all hardware and software systems, as well as utilize and enable the latest features in its security software.
  - Your company should be able to find the signal in the noise with its current security solutions and not have too many disparate products it doesn’t utilize fully.
  - The company should also perform frequent backups of key data and shut off old servers and virtual machines that aren’t being used anymore.
  - The company’s suppliers and vendors should follow any necessary rules and regulations to ensure they are protecting the company’s sensitive information appropriately.
- Bring in an ‘expert’ – Has the company hired reputable third-party experts to perform a risk analysis or see if they can “hack into” the company systems?
  - There are third-party companies that will perform penetration testing to determine how easily a “hacker” can get into your company. These companies can tell you what can be seen publicly, such as whether you have IP addresses beaconing out, and look at detailed areas of your company to identify risks. If a third party has been brought in, what were the findings, and were changes made promptly to address the vulnerabilities?
- Response procedures – What is the company’s breach response protocol?
  - Companies should have an incident response team and a detailed list of actions the incident response team members should take if a vulnerability or breach is discovered.
- Education – How often are you educating employees on best practices and holding simulations of what to do if a cyber-related incident were to occur?
  - Companies hold fire drills so they are prepared with “muscle memory” if a fire were to break out. The same sentiment holds true for cyber-related incidents. It is very important that there is continuous training for all levels of employees on how to keep the company safe from breaches and cyber-attacks, as well as what to do if something were to happen. You can never be too prepared.
Cybersecurity is a very important topic for the boardroom and should not be taken lightly; however, it doesn’t need to be overwhelming. Utilize these tips to get you on the right path for your company, and if you don’t have a cybersecurity expert on your board, there are experts who can provide guidance.