Cybercrime Breaches Cost Corporate Boards Big Time: Have You Done Your Due Diligence?

February 6, 2020

Back away from the snooze button. This is a $29 million wake-up call you can’t afford to miss.

In January 2019, Yahoo’s board agreed to pay the enormous $29 million settlement to its shareholders as the result of cyberattacks that compromised three billion Yahoo user accounts. It was the first time shareholders had successfully held a company responsible for data breaches. And it is a loud warning to corporate boards that they must start paying attention to cyber risks.

But are they? Considering that over 7.9 billion records were exposed as of September 2019 — up 112 percent from 2018 — it looks like they may have their fingers in their ears.

Not only is cybercrime on the rise but cyberattacks are expected to cost the world $6 trillion annually by 2021 — and as the Yahoo case demonstrates, corporate boards are increasingly being held responsible by shareholders. It’s time for directors to get front and center in the fight against cybercrime. Taking a proactive approach and ramping up the company’s cybersecurity IQ will not only decrease a company’s risk, but can give it a competitive advantage.

If that grabs your attention, here’s what else you need to hear.

The Call Is Coming From Inside the House

Remember those slasher movies from the ‘80s when the creepy call was coming from inside the house? This is a little like that. Your greatest threat is coming from inside your organization. According to the 2019 Insider Threat Intelligence Report, insider threats are on the rise and cost companies an average of $8 million per incident. That doesn’t mean your company is crawling with spies, however.

The vast majority of insider threats (64 percent) are the result of negligence and lax employee behavior, while 13 percent come from user credentials being compromised. These numbers are a red flag, pinpointing a need for greater employee security reflex training. Many organizations are overly focused on technological fixes and blind to the human elements of data protection.

Get Personal

If security training isn’t personal, it won’t work. Want your fellow board members, management teams and employees to care about data breach? Start by teaching them how to protect their daughter’s digital wedding photos or how to keep criminals from hacking their smart homes. Once you create a culture where security is personal, negligent insider threats will decrease. This is specifically a board issue because effective training requires ample budgeting, and many boards are currently throwing vast amounts of cash at ineffective, non-personalized training. Build a program that engenders data ownership and buy-in at a personal level, and then expand it into the professional realm.

Security Isn’t the IT Department’s Job — It’s Everyone’s Job

If security falls entirely on the CISO or the IT team, it’s doomed. It would be like expecting an organization to become more inclusive when the only employee paying attention to pronouns is the inclusivity officer. A culture of ownership is vital. Boards need a representative of information offense (the CIO) and data defense (the CISO) — and the latter shouldn’t report directly to the former but to an impartial, non-technical executive, preferably the CEO.

Moreover, boards should assess new executive talent for their cybersecurity IQ (and quiz them on it). Cybersecurity IQ is a competitive advantage and companies get that advantage by having people who understand, believe, practice and share cybersecurity best practices. In addition, the IT Department is only one portion of the greater solution. For truly effective cybersecurity, your strategy should be based around the critical business activities that are at stake, not just the technology that supports it. That means that operational heads, the risk and compliance team and relevant specialists inside and outside of the organization should be included in the conversation.

Innovation Introduces Risk

Companies thrive on innovation, but the downside is that innovation and/or disruption are massive risks to security. For example, smart electricity meters on homes are a boon to electric companies, but because they’re online and connected to the grid, they can be hacked and used to access all areas of the network. Innovation is always looked at from an offensive perspective — how it can benefit an organization. Smart cybersecurity means that innovation needs to be looked at defensively, too. Budget security directly into your innovative initiatives so that you don’t pay multiples down the road when that innovation becomes a back door into your bottom line.

Hire an Outside Firm to Conduct a Penetration Test

With massive amounts of respect to internal security teams, there is no great incentive for these teams to identify, rank and report every flaw within the system. It doesn’t just make the IT department look bad, they are also generally working with a shortage of resources, which doesn’t allow them to do a complete job. Consequently, one of the best moves a board can make is to hire an external firm to perform a systems penetration test and attack simulation.

A penetration test can uncover holes in company systems and an attack simulation will expose poorly prepared human elements that lead to unintentional disclosures, user error and a lack of robust policies and procedures. The results should be presented as a prioritized heat map that ranks remediation steps from most to least important. Again, these should be organized not around the technology, but around the critical business activities that the organization provides.

We are quickly approaching a turning point: organizations are realizing that security is everyone’s business, not just the IT department’s. There is no place that recognition is more important than on the board, where directors are driving budgets, initiatives and ultimately, security culture. And everyone knows you shouldn’t sleep at the wheel.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.

John Sileo is the founder and CEO of The Sileo Group, a cybersecurity think tank, in Lakewood, Colorado, and an award-winning author and Hall of Fame Speaker who specializes in providing security-awareness training. He has shared his experiences on “60 Minutes,” “Anderson Cooper” — and even while cooking meatballs with Rachael Ray. John earned a BS with honors in political science from Harvard University.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 October

This month in Security magazine, we explore how Corning's global security group ensured business continuity and employee safety during the global COVID-19 pandemic. Also, we highlight the global security team at Uber and their recent security programs and initiatives. Industry experts discuss travel safety programs, career hackers, working for terrible bosses, group attribution error and more.

View More Create Account