By Jeff Welgan, Director of Executive Programs, N2K
Directors Can No Longer Ignore Cybersecurity
Cybersecurity concerns, and the consequences of cyber attacks, have rocketed from IT service rooms into boardrooms. Cybersecurity is a board issue because cyber breaches threaten businesses’ financial standing and reputations. A breach can undo decades of painstakingly won customer loyalty and public trust in a matter of minutes. In order to exercise oversight duties, board members must be prepared to understand the inevitable cyber-related issues that will challenge their organizations. Here are five cyber questions you should be asking in the next board meeting:
1) What are our company’s crown jewels? What are the potential impacts if our crown jewels were targeted by a cyberattack?
Board members should identify the company’s crown jewels—the unique assets that – if harmed, stolen, or manipulated – could potentially cripple and organization. This assets bring value to their company, such as intellectual property, personal identifiable information, trade secrets, or investment strategies. Then they should evaluate their crown jewels through the eyes of an adversary. Ask cyber questions such as, “why would a hacker target our crown jewels?” and “what business or reputational loss would occur if our crown jewels were compromised?” The damage of crown jewel robbery was recently highlighted in a 60 Minutes story, “The Great Brain Robbery,” in which the Chinese government robbed the software code of energy technology company American Superconductor (NASDAQ – AMSC), nearly putting the company out of business.
2) What are we doing to oversee the cybersecurity practices of our business partners and vendors?
Cybersecurity defense is a chain that is only as strong as the weakest link. Some of the most high-profile breaches have occurred because of weak or poor security practices at third party vendors. The Target breach (NYSE – TGT) exemplifies this point; hackers gained access to the Target network through stolen credentials of a HVAC contractor, Fazio Mechanical. Fair or not, it is the public-facing company that suffers the brunt of public wrath, not the culpable back office company or vendor. Keep in mind that proper security policies should be considered from the beginning: hold all new acquisitions to the same high security standards as your own company. Companies can exercise due care and due diligence by performing cybersecurity audits (and reviewing the results). Security due diligence can also be written into contract language. There should be explicit mention of security responsibilities in the partnership agreement, including employee vetting, incident response, and documentation.
3) What value are we getting for our cybersecurity dollars?
Just as there are financial metrics for boards to review, cybersecurity programs should be guided and monitored by metrics and data. But knowing how the effectiveness of cybersecurity programs is being measured is not enough. Board members should prompt their executive teams to justify their metrics. Cybersecurity metrics is a developing science, and board members should closely inspect this evolving and crucial aspect of cyber defense. Here are some of the top cybersecurity metrics your company should track:
Cybersecurity awareness training:
- Cybersecurity training is a must-have in any organization. Tracking the percentage of employees who complete relevant cyber awareness training can help quantify your organization’s cybersecurity culture.
Abnormalities in threat activities:
- Identification and remediation involves establishing a baseline of normal security activities that are unique to your organization. Your IT team should monitor these metrics and keep you apprised if they notice abnormalities in the data.
Effectiveness and frequency of policy reviews:
- Security policies inspire your security posture and culture. Therefore, your security policies should be closely examined and measured for both effectiveness and the frequency with which they are reviewed.
4) How are we ensuring that lessons learned from industry incidents are incorporated into our operations?
Industry incidents serve as valuable lessons learned for all organizations. Common attack methods and security lapses should be identified so defense mechanisms can be put into place. Comparing a company’s security to others’ in its industry is also a way to improve business operations. Board members should pass along the belief that strong security is a business advantage because it builds the faith of its public and business partners. By contrast, a weak cybersecurity stance can undermine trust in your organization. In an extreme case, patients using St. Jude Medical’s (NYSE – STJ) cardiac devices feared for their safety when it was revealed that the medical devices were vulnerable to cyber attacks.
5) What is our response protocol?
Cyber intrusions are inevitable. Experts agree that it’s not a matter of if a company is hacked, but when. A negative, delayed, or incomplete response to a cyber breach can damage a company’s credibility, image, and operations. It is key to ask cyber questions such as “does our company have a documented response plan?”, “how often do we practice the plan?”, and “what is our communications plan to address shareholder anxiety?” TalkTalk, an international telecommunications provider, demonstrated poor crisis communication practices and exacerbated their reputational damage following a hack that compromised more than 220 million customer emails. TalkTalk betrayed crisis communications best practices when they shut down their website and froze all social media communications, leaving their customers confused and concerned.
N2K’s Board and Executive Cybersecurity Literacy Program trains board members to ask the right questions, understand their answers, and execute proper oversight regarding cybersecurity activities. Voltaire, the French Enlightenment thinker, advised us to “judge a man by his questions.” Boards, too, will be judged in this way.
Read N2K’s other must-ask questions here.