with contributing author Mike Del Giudice
With new cyberthreats constantly emerging, directors need to play an active part
Boards of Directors realize the importance of instituting and enforcing cybersecurity measures and enhancing them over time – all in the interest of maintaining the confidentiality, integrity and availability of the organization’s assets. It’s doubtful, however, that most Boards are administering proper oversight of their organization’s cybersecurity training, frameworks and response plans.
What’s at Risk
The stakes could not be higher. Data breaches cost billions, damage brands and reduce competitiveness. A large percentage go undetected – and when they are detected, it’s an average of 206 days after the incident occurred, according to a study by the Ponemon Institute. And a data breach costs approximately $154 for each record lost.[1]
Cyber crime victims in the past few years have included prominent corporations. For example, Target’s data breach in late 2013 potentially compromised approximately 40 million credit and debit cards, and Target reimbursed financial institutions tens of millions of dollars earlier this year.[2]
Security breaches have resulted in shareholder litigation, some of it aimed squarely at Boards. In fact, investors have brought derivative action against Target’s Board, claiming that the Board and top executives had failed to take adequate steps to prevent the breach and did not fully disclose to consumers the extent of the theft.[3]
Even though their awareness is high, however, most Boards don’t take an active role in cybersecurity. According to a 2015 survey by New York Stock Exchange Governance Services and Veracode, 10 percent of Boards talk about cybersecurity matters “only after [an] internal or industry incident,” and 8 percent “only after [a] recent string of high-profile breaches in [the] industry.”[4] Alarmingly, the survey also revealed that just one-third of Board respondents are “confident” or “very confident” in their company’s cybersecurity.
Board members may wonder what they should be doing to improve cybersecurity. A 2014 survey of directors by the Institute of Internal Auditors Research Foundation and ISACA found that 58 percent believed that they should be “actively involved” in cybersecurity preparedness, but only 14 percent said that they were actively involved and 36 percent reported being “minimally involved.”[5]
But what does “active” involvement really mean, and how can Directors achieve it?
What the Board Can Do
For the Board, cybersecurity responsibilities are governance-focused, as these tasks are part of Directors’ fiduciary duties:
- Provide guidance about their expectations.
- Communicate the right tone and message to management.
- Confirm that the company has implemented security processes and has good cyber incident response plans.
- Work with other Directors and outside entities to gather ideas for overseeing cybersecurity initiatives.
In practice, this means a Board is to provide oversight so that the organization takes adequate cybersecurity measures to cope with existing and emerging threats and, in case of an attack, enacts strong response plans. However, reaching that level of oversight requires Boards to go beyond their usual role of asking management questions.
The following are four ways that Boards can play an important role in strengthening the organization’s cybersecurity.
1. Obtain Cybersecurity Training
Board members don’t have to be experts in cybersecurity, but they need to understand the risks to the enterprise and be aware of major trends affecting cybersecurity.
This level of understanding often requires formal training. Training may be as straightforward as requesting information from associations (the National Association of Corporate Directors, for instance[6]), but training usually involves a presentation to the Board by an outside party.
Whatever the training medium, it is critical that directors gain a basic understanding of the complexities of cybersecurity. Cybersecurity is not simply a firewall, virus protection or security patches, but rather a companywide effort involving all employees. It includes the assessment of current threats, the implementation of adequate protection and response plans and the ability to evolve as new (and currently unknown) risks emerge.
Directors should keep up to date with cybersecurity-related developments, both worldwide and in their industries, and the risks and potential legal ramifications the trends present. For instance, hackers today are often organized gangs abroad and might have unofficial government backing. These gangs may be interested in more than stealing credit card numbers or customer data; some cybercriminal groups take data hostage, denying companies access and demanding ransom for the data’s return. Some hackers (and sometimes rogue governments) may want to create havoc rather than extract money.
Cyber attackers represent systematic, methodical and persistent threats that can change tactics on a dime. Approximately 317 million pieces of malware were created in 2014,[7] and, with a few command changes, hackers can use a piece of malware to create an entirely new threat. Hackers are constantly scanning networks in search of vulnerabilities – and eventually can find holes in almost any network.
Given this challenge, organizations generally have shifted from a breach-avoidance mindset to an acceptance that an incident will occur eventually. Training should provide Boards with an understanding of IT risk management principles so that the directors are better prepared to provide management with feedback on risk tolerance, with the result that all parties have the same understanding of the organization’s IT risk posture at any given time.
2. Conduct a Cybersecurity Maturity Assessment
An independent assessment of the company’s cybersecurity is an essential element of a Board’s oversight duties. This assessment goes beyond an audit: Organizations need a cybersecurity maturity assessment.
Audits assess control effectiveness at a single point in time. A maturity assessment helps ascertain how well an enterprise can cope with risks that constantly change, and it evaluates the effectiveness and responsiveness of the cybersecurity controls that are in place.
A company’s level of cybersecurity maturity can range from nonexistent to optimal. Although dysfunctional or nonexistent cybersecurity operations are unacceptable for any company, not every organization wishes to spend the time and resources required to reach the highest level of maturity. Instead, each company must figure out how much risk it is willing to tolerate and its appropriate maturity level.
The maturity assessment helps Boards push management to figure out where on the risk spectrum the organization wants to reside. The maturity assessment also helps Boards provide direction and input to help management define a roadmap that guides the company toward greater maturity.
3. Oversee the Cybersecurity Program
Oversight starts with the Board’s determination of whether the company has a framework in place for building adequate cybersecurity defenses and responses. A cybersecurity framework can provide an organization with a starting point. The National Institute of Standards and Technology (NIST) Cybersecurity Framework[8] is a voluntary tool that can assist the Board by providing guidance on controls to consider for the organization’s cybersecurity program. For example, the framework can help directors judge how their companies evaluate risk, and it offers guidance on which controls to consider for managing risk and for monitoring the organization’s risks and controls.
One way for Boards to monitor risk is to work with management to define key risk indicators (KRIs) for the IT organization. KRIs allow management to provide simple dashboards that summarize the cybersecurity risk posture for the organization at that time, and they can provide an early warning when risks are not being managed at an acceptable level. Boards can help determine the KRIs that are tracked and the criteria used to measure the status of current risks.
Another component essential to monitoring risks is strong cybersecurity-related employee communication and training. According to estimates, negligence on the part of personnel is involved in more than 80 percent of data breaches.[9] Employees are prime targets of phishing and spoofing attacks and may download viruses and malware, inadvertently exposing sensitive corporate and client data.
Most companies train employees on cybersecurity at least annually. Boards can insist on more frequent, targeted training modules that focus on individual security issues. Single-topic training modules make it easier for employees to understand individual issues, while increased training frequency helps raise awareness.
4. Support Cyber Incident Preparedness
Boards set the proper tone for the company, showing management and employees that cybersecurity is a corporate priority. As part of their governance duties, Boards need to confirm that risk management is adequate across the entire enterprise – and that the company is measuring the effectiveness of its security framework and defense measures. Most important, Directors need to see that the effort is being allotted the necessary staff, budget and attention.
A Board should also be involved in seeing that a comprehensive incident response plan is in place – that is, that the plan doesn’t exist only on paper – and confirming that the plan is tested and revised over time.
Directors need to know their roles in a response plan and be prepared to react accordingly to an incident. They also should be prepared for how all involved parties – including customers, third parties, regulators and law enforcement – are likely to react to a breach.
In the aftermath of an attack and the reaction to it, the Board should review how the company responded and see that improvements are made.
Try to Enjoy the Journey
As is true for many Board responsibilities, cybersecurity is an ongoing journey, not a destination. Directors can envision cyber threats as unethical competitors that release new product offerings every day: More than 99 percent of the products wouldn’t affect the company’s competitive position, but eventually one could cause an enormous hit to the company’s revenue, reputation and even legal standing. There’s simply no endgame in cybersecurity.
[1] Bill Rigby, “Cost of Data Breaches Increasing to Average of $3.8 Million, Study Says,” Reuters, May 27, 2015, http://www.reuters.com/article/2015/05/27/us-cybersecurity-ibm-idUSKBN0OC0ZE20150527
[2] Robin Sidel, “Target to Settle Claims Over Data Breach,” Wall Street Journal, Aug. 18, 2015, http://www.wsj.com/articles/target-reaches-settlement-with-visa-over-2013-data-breach-1439912013
[3] Meghan Rohlf, “Taking Stock of the Target Data Breach,” Byte Back, May 14, 2015, http://www.bytebacklaw.com/2015/05/taking-stock-of-the-target-data-breach
[4] “Cybersecurity in the Boardroom: A 2015 Survey,” NYSE Governance Services and Veracode, 2015, https://www.veracode.com/sites/default/files/Resources/Whitepapers/cybersecurity-in-the-boardroom-whitepaper.pdf
[5] Sajay Rai, “Cybersecurity: What the Board of Directors Needs to Ask,” Institute of Internal Auditors Research Foundation, 2014, https://na.theiia.org/special-promotion/PublicDocuments/GRC-Cybersecurity-Research-Report.pdf
[6] “Cyber-Risk Oversight Handbook,” National Association of Corporate Directors, June 10, 2014, https://www.nacdonline.org/Resources/Article.cfm?ItemNumber=10688
[7] Kevin Haley, “2015 Internet Security Threat Report: Attackers Are Bigger, Bolder, and Faster,” Symantec’s Security Response, April 14, 2015, http://www.symantec.com/connect/blogs/2015-internet-security-threat-report-attackers-are-bigger-bolder-and-faster
[8] “Framework for Improving Critical Infrastructure Cybersecurity,” National Institute of Standards and Technology, Feb. 12, 2014, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
[9] Elizabeth Weise, “43% of Companies Had a Data Breach in the Past Year,” USA Today, Sept. 24, 2014, http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197