OPPTY Winter 2016


Business Opportunities in Action

Greater Washington’s Cyber Hotbed, pg. 2
Today’s Biggest Threats, pg. 4
Strategizing a Strong Defense, pg. 14

Board Agenda: CYBER

Each spring, the National Association of Corporate Directors and the Greater Washington Board of Trade gather business leaders, government officials, and cybersecurity experts to discuss how cyber is affecting the way business is conducted. For more information, visit www.bot.org.

SECTION / PAGE

Command Center, 02: The Greater Washington region is the center for cyber.
Today’s Threats, 04: There are lots of ways to hack into a network. These are some of the most common types.
Need-to-Know, 06: Everyone in the company has a responsibility to protect the firewall.
Spreading the Word, 12: Establishing lines of communication before, during, and after a breach can make or break a company.
Critical Response, 14: Having a solid, well-rehearsed plan in case of an attack is a company’s strongest shield.

Anthony T. Pierce, CHAIRMAN: Partner in Charge, Washington Office, Akin Gump Strauss Hauer & Feld, LLP
Daniel Waetjen, CHAIR-ELECT: Regional President, Greater Washington DC Region, BB&T
Jim Dinegar, PRESIDENT & CEO
Design and content by Washingtonian Custom Media, washingtoniancustommedia.com, 202.862.3500
On the Cover: Photograph by Patrick Foto/Getty Images
Founded in 1889, the Greater Washington Board of Trade has been providing actionable data and tracking top regional trends for more than a century. OPPTY provides members with information to help shape the future of this growing world-class region’s unparalleled opportunities.

The Challenge

Positioning Greater Washington as the center for cyber.

The Opportunity

Recent security attacks on computer systems at the federal Office of Personnel Management, State Department, White House, Postal Service, NOAA, and many other organizations created a booming demand for extra protection. Though cybersecurity has become the issue of our time nationally, it is particularly sensitive in Washington.

CYBERATTACKS OF 2015 _ US Office of Personnel Management

Hackers gained access to nearly 14 million current and former government workers’ records, which included criminal history, mental illnesses, drug and alcohol problems, financial data, and family and friends.

Supplying this rising demand for cybersecurity is a growing technology corridor in the Greater Washington region. “Building forces of information technology experts to protect a myriad of systems and prevent future attacks taps into all the vast resources of this region,” says Anthony Pierce, chair of the Greater Washington Board of Trade and partner-in-charge of the Washington office of Akin Gump Strauss Hauer & Feld LLP. The corridor, which stretches from Northern Virginia all the way up to Baltimore, is home to key players including Homeland Security, the FBI, the CIA, the Pentagon, consulting firms, government contractors, and several universities. Nowhere else nationwide matches the capabilities and credentials that this region offers.

The region is quickly becoming the center of cyber. Currently, a 600,000-square-foot data center is being constructed at Fort Meade, Maryland, home to the NSA and Cyber Command, with five million gallons a day of cooling capacity to run the center. In addition, the Secretary of Defense is planning to hire at least 3,000 cyberexperts for the new center.

The Board of Trade partners with the National Association of Corporate Directors in presenting Board Agenda: Cyber, which reinforces the fact that this region is well positioned to handle such issues.

“When you look at the responsibilities, when you look at the national security and the national economy alongside infrastructure protection and national defense, that’s what we do here,” says Jim Dinegar, president and CEO of the Greater Washington Board of Trade. “Land, sea, air, and now cyber. This region is central to addressing this critical issue.”

Photographs: NSA by DOD Photo/Alamy; servers by DreamPictures/Getty Images

GREATER WASHINGTON’S CYBERSECURITY CORRIDOR _

The Greater Washington region is the hotbed for cybersecurity. Home to the federal government, agencies, and a surging cyber-related private sector, it’s no wonder companies are flocking to the region for network security needs and access to the best minds in the country.

Map of the corridor (Maryland, Virginia, Washington D.C., Fort Meade, National Business Park):

Government and agencies shown: NSA, Cyber Command, FBI, Department of Justice, Secret Service, White House, CIA, Department of Defense, Department of Homeland Security.

Universities shown: George Washington University Cybersecurity Policy & Research Institute; American University Kogod Cybersecurity Governance Center.

Companies shown: The MITRE Corp., Vadata, Inc., Computer Sciences Corp., AT&T, Science Applications International Corp., Northrop Grumman Corp., Kratos Defense & Security Solution, TASC, Inc., General Dynamics Corp., Raytheon Company, Ciena Corp., ITT Exelis, KEYW Corp., Unisys Corp., The Aerospace Corp., Lockheed Martin Corp.

Fort Meade: 3rd largest military base in the US; employs 56,000; building a 600,000 sq. ft. data center with 5 million gallons a day of cooling ability; 3,000 jobs available soon for the Cyber Command Center.

Also shown: 1.8 million square feet of leasing with tenants directly engaged in cybersecurity.

NATIONAL BUSINESS PARK, FORT MEADE

The Challenge

From ransomware to cyberespionage, the most common types of threats online.

As cybersecurity speeds its way to the top of boardroom agendas, companies are working to fortify their systems and networks against a potential cyberattack. But unlike a physical structure, a network can be breached at any moment, through any number of methods.

“It’s not about digging a deeper moat and building a bigger wall to keep people out,” says Sondra Barbour, executive vice president for information systems and global solutions at Lockheed Martin. “There will be an attack and they will get in somewhere.”

Indeed, the attackers do appear to be at—or already inside—corporate gates all over the world. Lloyd’s of London says cyberattacks on major companies have jumped 44 percent since 2013. Companies that collect and store a vast amount of credit card data—Home Depot, Target, and Staples among them—have been widely publicized victims of attacks. But they’re hardly alone.

The corporate networks of Sony Pictures Entertainment, Anthem, and Apple are among the dozens that have acknowledged recent cyberattacks. Government agencies are just as vulnerable: the White House, the IRS, and the State Department have all been attacked. The biggest attack of all, on the Office of Personnel Management, exposed records of nearly 14 million current and former government workers.

And there’s no end in sight to the ongoing battles. Gov. Tom Ridge, the former secretary of Homeland Security, says he believes digital attacks against companies and organizations of all kinds will now be “a permanent condition of the global, economic community.”

Shawn Bray, director at INTERPOL, agrees. “You can’t govern and regulate as fast as technology changes.”

The Opportunity
Photograph by Coneyl Jay/Getty Images

Common Threats

Security experts say that when it comes to threats against companies, the digital world is not much different from the physical world. Just like there are disgruntled employees who might make off with or damage company property, the same people might act similarly in the virtual world by attempting to expose or destroy sensitive data in a company’s network. In other cases, criminals who try to steal cash or goods from companies in the physical world may siphon funds digitally as cybercriminals.

“The difference,” says Marcus Sachs, the former vice president of national security policy at Verizon and current chief security officer for the North American Electric Reliability Corporation, “is that in the physical world, you can see and touch these people and build physical barriers against them. In the cyberworld, the threats could be coming from halfway across the world, and the perpetrators are virtually invisible.”

Not only that, others point out, these hackers aren’t necessarily working on a specified time frame. “An attacker views your network with a particular goal in mind,” says Matthew Devost, president and CEO of FusionX. Even if a company is able to uncover and thwart one hack, the attackers will remain in the system until they’ve achieved their goals.

Still, even virtually invisible attackers have some common patterns. Here are some of the most frequently employed kinds of attacks.

Ransomware A malware that cuts off access to data on infected machines. Cyberattackers then demand payments in exchange for releasing the data. Ransomware has also been used to hold cloud data hostage. In one recent case, the online data of a small-town police department in New England was held for ransom. And cybersecurity firm FireEye has projected that ransomware will infect data accessed by mobile devices with increasing frequency in the coming months.

Cyberespionage A particularly hard-to-track form of attack where hackers—possibly from foreign governments or from competitors—gain access to a corporate network. From there they can monitor conversations, view business strategies, and steal research and development materials or other intellectual property.

Cybertheft _ Theft of data, including personal information, passwords, and credit card information. Dozens of high-profile cases of this kind have been reported in 2015 alone, affecting healthcare providers and retailers especially.

Denial of Service _ Hacking attacks intended to shut down a company’s internal data networks or those it uses to sell to or communicate with its customers. Tech companies are frequent targets of denial of service attacks. And the FBI says more than 100 banks were also threatened with massive denial of service attacks in 2015.

Bring Your Own Device _ When companies open their networks to employees’ personal digital devices—laptops, mobile phones, et cetera—hackers can gain entry to those networks by infecting the employees’ devices.

Internet of Things _ As companies connect more “smart” products—everything from coffee makers to cars—to the Internet, hackers are finding ways to disrupt those products’ operation.

CYBERATTACKS OF 2015 _ Anthem

Internal Attacks Exposure of proprietary data or system disruptions by current employees.

Third-party Attacks Both Home Depot and Apple experienced breaches of their systems when the networks of their suppliers, who had access to the larger partners’ networks, were compromised. Security experts believe this form of attack against smaller firms will continue to increase as large companies become more resilient to attacks within their own networks.

TALKING SECURITY

Gov. Tom Ridge discusses with Board Agenda: Cyber attendees about the importance of cybersecurity involvement at the board room level.

Anthem: Nearly 80 million records were compromised after a breach exposed Social Security numbers and personal information of customers of the US health insurer, including the CEO’s.

The Challenge

Cybersecurity is no longer just an IT problem, but the entire company’s—from the board of directors to the interns.


The Opportunity

How much did you get paid to drive to work last month? Actor Seth Rogen made a reported $9,500 for that task when he starred in and co-directed Sony Pictures Entertainment’s The Interview—for which he also reportedly made $8.4 million for whatever he did once he arrived at work.

The board directors at Sony could probably have happily lived without ever knowing that tidbit. But hackers made that information—along with a plethora of financial and other confidential corporate reports—public when they cracked open the company’s data networks in late November 2014. That left the board suddenly having to answer for how the release of all of that information, including Rogen’s commuting compensation, would hurt the company. The stock price cascaded. Lawsuits were filed by Sony employees whose personal information had been exposed. And the company spent millions to find new ways to secure its data networks.

Before that attack, board directors at other firms may have simply let their technical teams handle cybersecurity issues. But the Sony breach, along with dozens of other reported breaches that have come since then, spotlighted how cyberattacks directly impact a company’s financial well-being, and hurt the company’s reputation with customers and business partners. An attack also opens a company to a variety of lawsuits (including against the board directors themselves) and regulatory actions from the Federal Trade Commission, the Securities and Exchange Commission, and others.

“Cybersecurity is too important to be left to your IT department and operations groups,” says Willie May, the acting director of the National Institute of Standards and Technology, which has developed guidelines to help companies address cybersecurity concerns. “Every executive should be able to communicate persuasively about the importance of cyberrisk management.”

Michele Hooper, president and CEO of the Directors’ Council and a board director for both United Health Group and PPG Industries, puts it a bit more bluntly:

“Directors can’t say, ‘Well, I’m not a technology expert, therefore I don’t have any responsibility around cybersecurity.’ Every director has a fiduciary responsibility for the organization in its entirety.”

There are many things boards can do to help ensure their companies are beefing up their cybersecurity as the threat levels increase. Some experts say directors should begin with these four steps.

THE SONY REVELATION Details about how much actors James Franco and Seth Rogen made during The Interview were leaked after Sony Pictures was hacked, as well as thousands of e-mails and other sensitive information on other individuals involved with Sony Pictures. Photograph from The Interview by Moviestore collection Ltd/Alamy; Sony Pictures by Mario Anzuoni/Corbis

Hackers appeared to have purchased stolen information from previous hackers in order to access 100,000 tax accounts. The operation involved an army of people who submitted more than 200,000 queries into the IRS site over a period of four months.

Incorporate cybersecurity into the company’s overall strategy, and view cybersecurity as an enterprise-wide risk.

Many boards outside of the technology industry lack members with expertise in how cybersecurity works and what the most common current threats are. Experts say that should change—fast.

“You’re required to have a financial expert head up your audit committee,” says William E. McCracken, former CEO of CA Technologies and a board director for MDU Resources Group, a diversified energy company.

“And in today’s world with all the cyberrisks that exist, every board should have a cyberexpert on the board.”

Adding a director with cybersecurity expertise is exactly what companies like General Motors, Delta Air Lines, AIG, and Wells Fargo have done as the threats have increased. Other companies have charged their audit committees with cyberrisk oversight or have established separate risk committees to oversee those concerns.

“You need to look at cybersecurity just as you do any other enterprise risk,” says Sondra Barbour, executive vice president of information systems and global solutions for Lockheed Martin and a board director for 3M. “Every part of the company needs to be a part of addressing this.”

Identify and protect the company jewels.

Corporate resources, even in the best of times, are scarce. That’s why cybersecurity experts recommend the board try to identify the most important data assets an organization has, and spend money protecting those assets first. Peter Beshar, executive vice president & general counsel at Marsh & McLennan Companies, suggests creating a “cyberbalance sheet,” one in which the company catalogs and prioritizes its assets and how well they are, or aren’t, protected.

“Your resources will always be too thin to protect everything,” says Lockheed Martin’s Barbour. “So find out what the key data is, and who has it, and focus on that.”

The SEC offers guidelines to companies that are conducting data audits. And many experts note that often the most sensitive data isn’t even in house—it’s with third-party vendors.

“Don’t only look in your own borders,” Barbour says. “What suppliers have what data? Who in your supply chain has the keys to your kingdom?”

Experts also recommend that boards consider funding a Chief Information Security Officer position if the organization doesn’t already have one. And, they say boards should closely review the top personnel in charge of protecting key corporate data.

“A lot of questions directors should ask should be about talent,” says Elizabeth Hackenson, the chief information officer and senior vice president of technology services for AES. “You need the people who have the instincts to know what to do” before, during, and after a cyberattack.

BOARD MATTERS NACD chair Reatha King speaks at Board Agenda: Cyber.
SAFETY FIRST Panelists emphasize the necessity of incorporating cybersecurity as part of the company’s overall strategy.
CYBERATTACKS OF 2015 _ Internal Revenue Service

Set up regular reporting about current and future threats and the company’s readiness to deal with those threats, and make sure the threat message is company-wide.

One recent survey of top executives found that 26 percent of companies have a chief information security officer who makes an annual presentation to the board. Another 30 percent make such presentations quarterly. And 28 percent of companies with CISOs make no presentations at all.

Some experts suggest that CISOs, or some member of a cross-functional team of executives charged with evaluating cybersecurity threats regularly, make a report to the board no less than twice a year. Others say that reporting should be supplemented by an external cybersecurity audit conducted at least every two years.

“This is a rapidly changing field,” says Linda Mills, a board director at Navient and former vice president of Northrop Grumman. “You have to understand what the new risks are.”

So, too, do employees have to understand the risks. To stay ahead of cybercriminals, security firms are advising companies in ever-changing ways to create, store, and delete data so that it stays safe from internal theft or damage as well as from external threats. That can involve everything from ensuring employees do not download unauthorized software onto their work computers to requiring them not to use USB memory sticks they acquired from a third party. Those steps are simple. But committing to them is not necessarily easy.

“Rare are the companies that expend the resources to keep their employees at the top of their security game,” says Gov. Tom Ridge, former secretary of the Department of Homeland Security. “Employee education is lacking.”

But Ridge says employee education is a critical part of what he calls, “building a ‘culture of resiliency.’”

Accenture is one company that has built that kind of culture, in spite of the cost to create and maintain it. “We have 310,000 employees and we train them every year on information security and data privacy,” says Julie Spellman Sweet, the group chief executive – North America at Accenture. “We do some fun gamification things in the training, but we also have a financial hit if you don’t do the training.”

SPOTLIGHT

THE ISSUE

Veteran broadcast journalist Ted Koppel spoke about the unpreparedness of the United States should an attack on the country’s power grid ever occur, as detailed in his new book, Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath.

Cyberattacks may be a very high-tech operation, but it’s still run and operated by humans, and depends on human oversight and error to be successful. One way to help secure your networks is by educating all of your employees—from the part-time intern to the board of directors—about what’s at stake.

Teaching employees how to handle network security practices should be part of any employee training. It’s vital to “get them to understand not only the techniques the bad guys are doing but their own internal psychology,” says Matthew Devost, president and CEO of FusionX. For example, if an employee receives a thumb drive at a conference or in the mail and isn’t sure of its origins, he or she should be trained to think twice before inserting it into a computer.

Training and re-training is essential to maintaining company network security, much like practicing a fire drill. In the hectic environment of day-to-day operations, employees may forget what they learned months ago and accidentally download something malicious onto their computers.

“One of the ways in which systems are most compromised is still phishing,” says Shawn Bray, director at INTERPOL, referring to a cyberattack in which sensitive information is obtained through a seemingly innocuous e-mail. “We’ve heard about it forever, and we’re still subject to this and still being compromised by it. It’s as simple as someone clicking on the wrong e-mail… we keep hearing it play out time and time again.”

For that reason, employees need to be constantly reminded to remain vigilant with regular training, as well as updated on the latest in cybersecurity, particularly if they may play a role in opening up a vulnerability in the system.


Another day, another breach. J.P. Morgan Chase. Home Depot. The US Postal Service. Target. Anthem. Evernote. Sony PSN. The US military. What can be learned from those who have been victims of cyberattacks? Plenty, but only if organizations openly share information about attacks.

“These adversaries have a signature,” says Sondra Barbour, executive vice president of information systems and global solutions for Lockheed Martin, and a board director for 3M. “So you can figure them out. And that can help the next time they do something.”

Still, one recent survey found that only 25 percent of US companies are involved in the formalized process for sharing cyberattack information—through what are known as Information Sharing and Analysis Centers. The reason more aren’t sharing information, some believe, is that various US laws may explicitly or implicitly prevent them from doing so. That’s especially true among competitive companies, but can also apply to organizations of any type where there are worries about violating privacy laws and regulations.

“There is a desperate need for legislation on that front to come up with national law,” says Frank J. Cilluffo, associate vice president and director of the Center for Cyber and Homeland Security at George Washington University. “Right now you have 47 different state laws. Beyond that, there is a need for information sharing in terms of understanding not only between the private sector, but the government and the private sector since cyberthreats have extended to incorporate all of society.”

Currently, there’s legislation in the works that could make this all possible. The Cybersecurity Information Sharing Act of 2015 intends to gather information from companies’ and organizations’ first-hand experiences, whether it be a breach or a threat. In turn, it offers them certain immunities for the actions of monitoring information and systems, protection from anti-trust laws, and exemptions from disclosure and the Freedom of Information Act.

The bill isn’t the first one to be introduced, indicating the government’s pressing desire to confront cybersecurity issues head-on. The precedent was set with the Y2K Act, when companies were scrambling to make sure their systems didn’t falter at the year 2000 because they were programmed with just the last two digits of the year. Companies feared that the machines would treat the year 00 as 1900 and not 2000.

“The reason we need this legislation is so companies can pool intelligence, and cooperation is the best way to address potential harm and get the US government to help combat the harm,” says Bruce Heiman, an attorney at K&L Gates who specializes in cyberlaw and cybersecurity. “You’re offering companies protection so that they can provide information. If they extend their hand in cooperation, they want it to be shaken, not slapped.”

Delete the tech jargon.

When the National Association of Corporate Directors surveyed board directors last year, it found just 11 percent overall believed they had a high level of knowledge about the topic of cybersecurity. That might be because directors are often confused by the highly technical nature involved in protecting broad data networks with seemingly unlimited entry points for those who would do companies harm.

William McCracken, the board director for MDU Resources Group, says a company’s IT team sometimes holds directors as “technical hostages.”

“They sort of intimidate them,” he says. “But directors need to refuse to be held technological hostage. Do not be afraid to say, ‘Tell me that in English. I don’t want your acronym.’”

Karen Lefkowitz, vice president of business transformation and chief security officer at Pepco, also says the burden of overcoming the lack of technical expertise is one the directors have to bear. “People in the C-suite and people on boards should not be afraid of asking tough questions just because they don’t know the jargon,” she says.

BUILDING A TEAM
“You need the people who have the instincts to know what to do,” says Elizabeth Hackenson, CIO of AES Corporation.

Nobody wants a cyberattack on their company’s systems and networks, but even worse is to have one and not be prepared for it. “A lot has to be done in advance,” says Shawn Henry, retired assistant director of the FBI and current president of CrowdStrike Services. “Every breach I’ve worked in, the adversary was in the network for months beforehand, and in some cases for years.”

Which means that while they’re planning, your company should have been planning right alongside them inside the firewall.

One of the most important components of your strategy when battling any attack is a solid communications plan. From training employees and board members not to open links from unknown sources to handling the crisis as it unfolds, communicating information is key to making the best out of an unfortunate circumstance. Experts say that cybersecurity is akin to any crisis management, whether it be a natural disaster, a physical attack, or a terrorist attack.

1. Educate. It’s not enough just to provide your employees with a handbook of what not to do, though a regularly updated handbook is a good start. “Keep a low profile, monitor what’s happening, be aware, be alert,” Henry says. Teach employees about minimizing risk, from opening questionable links to posting sensitive information such as birthdates and vacation plans on social media. Rogue nation states are targeting board members because they are “key influences in policy, strategy, development, innovation, and technology.”

Board members also need to comprehend what’s really at stake when a cyberattack occurs. Henry says despite having entire companies knocked out of business, turbines threatened to blow up, computers burnt down, systems taken offline, and other critical infrastructure destroyed by hackers, there’s always someone whose biggest concern is protecting credit card information. He calls it “lack of awareness,” though it’s starting to change. Boards, he says, need to be continually educated on the risks and impact of a cyberattack.

The Challenge
Communicating the crisis well can be just as critical as mitigating the situation.
The Opportunity

CYBERATTACKS OF 2015 _ Uber
Nearly 50,000 drivers across multiple states had names and driver license numbers stolen when hackers broke into Uber’s databases.

2.

Create a communication chart. When a crisis arises, there should be a flow chart “that can kick in instantly so everyone understands who is in touch with who,” says Don Baer, worldwide chair and CEO of Burson-Marsteller. Know who will communicate with the board, the government and regulators, supply chain stakeholders, customers, shareholders, employees, the general counsel, and the press. Designate an incident leader and determine a plan for when to inform each of the different parties. If the company is global, create different plans for each office and the possible repercussions in other offices around the world.

3.

Know what to say. While each situation varies greatly, it’s better to have several scenarios planned out in advance than to scramble at the last minute. “Have a playbook,” Henry says. In addition, determine how communications will be provided: offline from the hacked system and by phone, or through a separate communication channel outside standard e-mail.

4.

Ask questions. The board should always communicate its issues and uncertainties. “The board should be asking for the strategic plan and poke at that plan and make sure they feel it is adequate, and has defense and mitigation,” says Elizabeth Hackenson, CIO and senior vice president for technology services at AES. “When it happens, the board’s role is to make sure we are abiding by everything we’re abiding by, be candid… and not hide the ball. You can make it worse by minimizing or hiding it.”

So how do organizations fight a mostly invisible enemy with so many methods of attack?

To hear David Merkel, chief technology officer for FireEye, tell it, the successful ones adopt a wartime mindset. “The successful organizations have a well-defined information security program,” he says. “They’re aware of the risks and they know where those risks come from. They know that the bad guys are thinking, breathing human beings who have monetary or other motivations of a higher order that are driving them to attack the organization. They’re prepared to deal with the bad guys inside their networks.”

To ready organizations for that battle, the National Institute of Standards and Technology has developed a cybersecurity framework. It helps organizations understand and prioritize cyberrisks, as well as detect and respond to cyberattacks. The NIST framework has been employed by companies like Apple, Chevron, and Bank of America, as well as a plethora of smaller firms.

One thing the NIST framework doesn’t guarantee is attack prevention. “There has been a notable shift in the last few years away from thinking we can completely prevent bad things from happening,” says Willie May, acting director of NIST. “The goal is a balanced approach that both protects and quickly detects when something is amiss … and emphasizes being prepared with a strong response and recovery plan.” The framework can be found at http://www.nist.gov/cyberframework.

COMMUNICATION IS KEY Knowing exactly who should communicate with everyone from the customer to the media should be arranged ahead of time, says Don Baer, CEO of Burson-Marsteller.

The board directors at Target Corp. and Wyndham Hotels both found themselves forced to respond after cyberattacks on their companies in 2014—in court, that is. After cyberattacks exposed the credit card information of millions of customers at both companies, shareholders filed separate lawsuits against the directors and officers of Target and Wyndham, charging them with breaching their fiduciary duty by not acting soon enough to stop the attacks.

So how soon are board directors supposed to act when cybercriminals, “hacktivists,” or others penetrate their corporate data networks? Boards have plenty of responsibilities in the immediate aftermath of an attack, experts say, but they advise that the best time for board involvement is not when cyberattacks take place, but before they even happen.

“The vast majority of the board’s work in this area needs to be done before a breach occurs,” says Shawn Henry, retired assistant director of the FBI and current president of Crowdstrike, a cybersecurity company.

That means board directors must anticipate that attacks will happen and ensure that thorough response plans have been developed to respond to those attacks.

The Challenge
Solid preparation in response to a cyberattack is key to managing the aftermath.
The Opportunity

BE PREPARED AND BRIEF THE BOARD ON YOUR PLANS

“Good preparation is key,” says Linda Mills, a former vice president at Northrop Grumman who is now a board director for loan servicing and government contracting firm Navient. Responding to a breach you haven’t properly prepared for, Mills says, “is like building a house at the same time you’re moving your furniture in. If you’re responding to a breach that you haven’t prepared for—something is going to fall through the floor.”

Proper preparation for directors, experts say, includes developing attack response plans and ensuring that chief information officers, chief security officers, or some other member of the executive team regularly briefs the board on the company’s preparations, in language they can understand fully.

FORM RELATIONSHIPS WITH LAW ENFORCEMENT

It’s important to preestablish contacts in law enforcement and with outside cybersecurity firms who can be called on when attacks happen. Experts warn that after an attack is not the time to be meeting the FBI for the first time.

“Every major company should have contacts at the FBI and at the Department of Homeland Security,” says Peter Beshar, executive vice president and general counsel at Marsh & McLennan Companies.

“Don’t try to figure out who those contacts are in a rushed, frenetic mode after an attack.”

In addition, Beshar advises having a standing relationship with a forensic investigator. “When the Secret Service or someone else calls you on a Friday night about an ongoing attack, you shouldn’t have to figure out who your forensic investigator is and then go try to negotiate contract terms with them,” he says.

Board directors and management are also advised to routinely practice their response to various attack scenarios.

“When something happens, you have to be able to have the muscle memory to just react the way you’ve planned,” Shawn Henry says. “It has to be second nature.”

DON’T PANIC

Knee-jerking after a cyberattack is the wrong kind of muscle memory. Even in the case of severe incidents—like the 2015 attack against Sony Pictures, in which e-mails from top executives, entire unreleased movies, and other sensitive corporate information were made public by still-unknown hackers—board members are advised against panicked efforts to get information from management.

“Management should discuss mitigation, further risks, and impact to customers and people with the board,” says Elizabeth Hackenson, chief information officer and senior vice president of technology services at global power company AES. “But that has to be simple.”

Hackenson says that when attacks happen the board and management should adhere to the incident response script—the business continuity plan—and do whatever it calls for in terms of communication.

And she suggests that both the C-suite and directors should agree in advance that post-attack communications should be “in layman’s terms”—no elaborate presentations and no white papers filled with technical jargon.

MAKING A PLAN

Introducing yourself to law enforcement should happen well in advance of an attack and not after, advises retired assistant director of the FBI and current president of Crowdstrike Shawn Henry.

CYBERATTACKS OF 2015: Washington Post

The newspaper’s website was attacked by the Syrian Electronic Army, which rerouted parts of the website to a site controlled by the SEA.

LET THE C-SUITE QUELL THE SITUATION

That approach keeps the board informed while also, as Henry puts it, “letting the operators do their jobs.”

“The board has to let the C-suite manage the incident,” he says.

“The security team is there to stabilize the environment. They need to be focused on that and not responding to random questions from the board.” The questions that management does answer from the board should be posed and answered, Hackenson says, in person or on the phone—not by e-mail. “If someone is already in your network, you don’t want to expose more data,” she says.

CYBERATTACKS OF 2015: United Airlines

The same hackers who broke into the Office of Personnel Management and Anthem also made their way into United Airlines’ systems, obtaining passenger manifests, which include information on flights’ passengers, origins, and destinations.

REVIEW AND REVISE THE PLAN

Once that “someone” is out of the network and the cyberattack has been repelled, Mills says boards should review the attack and see how the response plan held up, asking these key questions.

Are we still exposed to similar risks?

Does the board need to be more educated on cyberrisks and the company’s response strategy?

Do the directors still trust the people in charge?

Do changes need to be made in our cybersecurity plans or our personnel?

That’s exactly what Sondra Barbour says her company does after every cyberattack launched against it. “We take every attack and unpack it,” says Barbour, a board director for 3M who is also executive vice president of information systems and global solutions for Lockheed Martin. “We want to know the attacker’s intent, the mechanisms we had that stopped the attack, and the places where they got through. Then we can be predictive about future attacks.”

For the board directors, that means that even once a cyberattack stops, their job of planning for a response does not.

KNOW THE DRILL
Accenture’s Group Chief Executive - North America, Julie Spellman Sweet, emphasizes employee training.

TALKING CYBER
Leaders of the Greater Washington Board of Trade and the National Association of Corporate Directors.

CATCHING UP
Shawn Bray, director of INTERPOL (center), says technology changes faster than governance can keep up.

BUILD AND STRENGTHEN
Greg Bell is the Global Information Protection and Security Lead Partner at KPMG.
