[BreachExchange] How To Stay Ahead of Cyber Breaches, the Boardroom’s Biggest Fear

[Destry Winant]

http://www.brinknews.com/how-to-stay-ahead-of-cyber-breaches-the-boardrooms-biggest-fear/

Few events pose more sudden and systemic risks to corporate leadership
than a significant cyber event. And the threat is only growing.

If reputations are gained by the teaspoon and lost by the gallon,
cyber is exponentially more threatening. The onus of managing risk in
every corporation ultimately falls on the CEO and the board of
directors. Effective CEOs, therefore, are thoroughly plugged into
cybersecurity operations, those systems and procedures that, in
today’s lexicon, are aimed at mitigating the risk of company
communications being disrupted.

I know from conversations with CEOs and general counsels across the
country that their biggest fear—besides being impugned on social
media—is having their cyber systems hacked, their “state secrets”
exposed and exploited, or worse yet, their external and internal
communications operations dismantled or gutted. When you can’t tell
the world you’ve been hacked because your email system is completely
down, you’re in trouble.

Corporate Compliance Complicates Cybersecurity

Many board members don’t live in the world of disrupted
communications, cyber ambushes, NGO assaults, blowups on Twitter, and
the like. So, what’s the appropriate role for board members when it
comes to these issues? The board’s responsibility revolves around
recognizing risk—and ensuring that the company is taking appropriate
action and installing sufficient backup systems to minimize that risk.

GDPR is a classic example: Hundreds, if not thousands of American
corporations are operating under the mistaken impression that they
don’t have to comply with the EU’s new privacy regulations. Yet if
companies depend on the creation or processing of data (and these
days, what company doesn’t?), there’s a strong chance that they’ll be
subject to GDPR and the ongoing efforts of the EU and other government
entities around the world to crack down on hacking and privacy
violations.

Under GDPR, every data-driven company must appoint a designated data
protection officer. Data protection best practices, moreover, now
point to the creation of a board-level cyber risk committee, as well
as toward the assurance of personal employee-level cybersecurity
discipline among board officers themselves, since they’re often the
target of phishing. Finally, board members in the U.S. should keep in
mind that the U.S. Cybersecurity Disclosure Act of 2017 requires
board-level cybersecurity expertise.

The “European model” for anti-hacking and privacy protection is the
way the world is going. Smart companies and board members need to stay
a step ahead.

How Can Companies Stay Ahead?

Former Department of Homeland Security Secretary Tom Ridge, now chair
of Ridge Global Cybersecurity Institute, argues that protecting
against cyber incidents is everyone’s responsibility, from the people
in the boardroom to entry-level employees. “Board members who are not
as experienced with cybersecurity need to see it at the forefront of
financial risks that could impact their bottom line,” says Mr. Ridge.
“We need to have more information-sharing and more conversations about
cyber risk at the board level, and not just within companies’ IT
departments.”

How can companies keep their board members attuned to the risks
inherent in disruptive communications without intimidating or
depressing them?

The answers aren’t easy, but there are constructive steps that
perceptive companies can take to keep board members plugged in.

First and foremost is to provide board members with a steady diet of
articles and expert commentaries on the changing cyber climate. Don’t
saddle them every other day with a 100-page treatise on the latest
cyber-hack nightmare. That will turn them off. Instead, email or text
them quick and easily digestible news summaries and samples of how a
nasty hack was averted—or, on the flip side, how company X was hurt by
a sluggish response to a cybercrime.

When a respected business outlet runs a story about the dangers
inherent in disrupted communications, make sure your board members see
it—with key passages highlighted. That way they’ll be less shocked if
and when the hazards hit you. And perhaps they’ll be more inclined to
help you undertake preventive measures now, during peacetime, and not
wait until it’s too late.

Second, consider adding board members to internal task forces on your
areas of greatest vulnerability. They’ll see firsthand how seriously
risk management is being handled by the company. And they’ll develop a
greater appreciation for how rugged the real world of disrupted
communications can be these days.

Third, show your board members the efforts you’re making to strike
down the silos. When a disrupted communications crisis hits, you’re
going to need everyone on board right away: from the general counsel’s
office and public affairs to the folks in information technology and
human resources. If they haven’t worked together in a crisis
environment—even a simulated one—it could lead to a lack of trust and
backbiting.

Managing risk these days is managing disrupted communications—and the
way-too-easily-disrupted world that comes with it.