
The Opportunity
How much did you get paid to drive to work last month? Actor Seth Rogen made a reported $9,500 for that task when he starred in and co-directed Sony Pictures Entertainment’s The Interview—for which he also reportedly made $8.4 million for whatever he did once he arrived at work.

The board directors at Sony could probably have happily lived without ever knowing that tidbit. But hackers made that information—along with a plethora of financial and other confidential corporate reports—public when they cracked open the company’s data networks in late November 2014. That left the board suddenly having to answer for how the release of all of that information, including Rogen’s commuting compensation, would hurt the company. The stock price cascaded. Lawsuits were filed by Sony employees whose personal information had been exposed. And the company spent millions to find new ways to secure its data networks.
Before that attack, board directors at other firms may have simply let their technical teams handle cybersecurity issues. But the Sony breach, along with dozens of other reported breaches that have come since then, spotlighted how cyberattacks directly impact a company’s financial well-being, and hurt the company’s reputation with customers and business partners. An attack also opens a company to a variety of lawsuits (including against the board directors themselves) and regulatory actions from the Federal Trade Commission, the Securities and Exchange Commission, and others.
“Cybersecurity is too important to be left to your IT department and operations groups,” says Willie May, the acting director of the National Institute of Standards and Technology, which has developed guidelines to help companies address cybersecurity concerns. “Every executive should be able to communicate persuasively about the importance of cyberrisk management.”
Michele Hooper, president and CEO of the Directors’ Council and a board director for both United Health Group and PPG Industries, puts it a bit more bluntly:
“Directors can’t say, ‘Well, I’m not a technology expert, therefore I don’t have any responsibility around cybersecurity.’ Every director has a fiduciary responsibility for the organization in its entirety.”
There are many things boards can do to help ensure their companies are beefing up their cybersecurity as the threat levels increase. Some experts say directors should begin with these four steps.
Hackers appeared to have purchased stolen information from previous hackers in order to access 100,000 tax accounts. The operation involved an army of people who submitted more than 200,000 queries into the IRS site over a period of four months.
Incorporate cybersecurity into the company’s overall strategy, and view cybersecurity as an enterprise-wide risk.
Many boards outside of the technology industry lack members with expertise in how cybersecurity works and what the most common current threats are. Experts say that should change—fast.
“You’re required to have a financial expert head up your audit committee,” says William E. McCracken, former CEO of CA Technologies and a board director for MDU Resources Group, a diversified energy company.
“And in today’s world with all the cyberrisks that exist, every board should have a cyberexpert on the board.”

Adding a director with cybersecurity expertise is exactly what companies like General Motors, Delta Air Lines, AIG, and Wells Fargo have done as the threats have increased. Other companies have charged their audit committees with cyberrisk oversight or have established separate risk committees to oversee those concerns.
“You need to look at cybersecurity just as you do any other enterprise risk,” says Sondra Barbour, executive vice president of information systems and global solutions for Lockheed Martin and a board director for 3M. “Every part of the company needs to be a part of addressing this.”
Identify and protect the company jewels.
Corporate resources, even in the best of times, are scarce. That’s why cybersecurity experts recommend the board try to identify the most important data assets an organization has, and spend money protecting those assets first. Peter Beshar, executive vice president & general counsel at Marsh & McLennan Companies, suggests creating a “cyberbalance sheet,” one in which the company catalogs and prioritizes its assets and how well they are, or aren’t, protected.
“Your resources will always be too thin to protect everything,” says Lockheed Martin’s Barbour. “So find out what the key data is, and who has it, and focus on that.”
The SEC offers guidelines to companies who are conducting data audits. And many experts note that often the most sensitive data isn’t even in house—it’s with third-party vendors.
“Don’t only look in your own borders,” Barbour says. “What suppliers have what data? Who in your supply chain has the keys to your kingdom?”
Experts also recommend that boards consider funding a Chief Information Security Officer position if the organization doesn’t already have one. And, they say boards should closely review the top personnel in charge of protecting key corporate data.
“A lot of questions directors should ask should be about talent,” says Elizabeth Hackenson, the chief information officer and senior vice president of technology services for AES. “You need the people who have the instincts to know what to do” before, during, and after a cyberattack.
Set up regular reporting about current and future threats and the company’s readiness to deal with those threats, and make sure the threat message is company-wide.
One recent survey of top executives found that 26 percent of companies have a chief information security officer who makes an annual presentation to the board. Another 30 percent make such presentations quarterly. And 28 percent of companies with CISOs make no presentations at all.
Some experts suggest that CISOs, or some member of a cross-functional team of executives charged with evaluating cybersecurity threats regularly, make a report to the board no less than twice a year. Others say that reporting should be supplemented by an external cybersecurity audit conducted at least every two years.
“This is a rapidly changing field,” says Linda Mills, a board director at Navient and former vice president of Northrop Grumman. “You have to understand what the new risks are.”
So, too, do employees have to understand the risks. To stay ahead of cybercriminals, security firms are advising companies in ever-changing ways to create, store, and delete data so that it stays safe from internal theft or damage as well as from external threats. That can involve everything from ensuring employees do not download unauthorized software onto their work computers to requiring them not to use USB memory sticks they acquired from a third party. Those steps are simple. But committing to them is not necessarily easy.
“Rare are the companies that expend the resources to keep their employees at the top of their security game,” says Gov. Tom Ridge, former secretary of the Department of Homeland Security. “Employee education is lacking.”
But Ridge says employee education is a critical part of what he calls “building a ‘culture of resiliency.’”
Accenture is one company that has built that kind of culture, in spite of the cost to create and maintain it. “We have 310,000 employees and we train them every year on information security and data privacy,” says Julie Spellman Sweet, the group chief executive – North America at Accenture. “We do some fun game-ification things in the training, but we also have a financial hit if you don’t do the training.”
Spotlight
THE ISSUE
Veteran broadcast journalist Ted Koppel spoke about the unpreparedness of the United States should an attack on the country’s power grid ever occur, as detailed in his new book, Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath.

A cyberattack may be a very high-tech operation, but it is still run by humans, and it depends on human oversight and error to succeed. One way to help secure your networks is by educating all of your employees—from the part-time intern to the board of directors—about what’s at stake.
Teaching employees how to handle network security practices should be part of any employee training. It’s vital to “get them to understand not only the techniques the bad guys are doing but their own internal psychology,” says Matthew Devost, president and CEO of FusionX. For example, if an employee receives a thumb drive at a conference or in the mail and isn’t sure of its origins, he or she should be trained to think twice before inserting it into a computer.
Training and re-training is essential to maintaining company network security, much like practicing a fire drill. In the hectic environment of day-to-day operations, employees may forget what they learned months ago and accidentally download something malicious onto their computers.
“One of the ways in which systems are most compromised is still phishing,” says Shawn Bray, director at INTERPOL, referring to a cyberattack in which sensitive information is obtained through a seemingly innocuous e-mail. “We’ve heard about it forever, and we’re still subject to this and still being compromised by it. It’s as simple as someone clicking on the wrong e-mail… we keep hearing it play out time and time again.”
For that reason, employees need to be constantly reminded to remain vigilant with regular training, as well as updated on the latest in cybersecurity, particularly if they may play a role in opening up a vulnerability in the system.
Another day, another breach. J.P. Morgan Chase. Home Depot. The US Postal Service. Target. Anthem. Evernote. Sony PSN. The US military. What can be learned from those who have been victims of cyberattacks? Plenty, but only if organizations openly share information about attacks.
“These adversaries have a signature,” says Sondra Barbour, executive vice president of information systems and global solutions for Lockheed Martin, and a board director for 3M. “So you can figure them out. And that can help the next time they do something.”

Still, one recent survey found that only 25 percent of US companies are involved in the formalized process for sharing cyberattack information—through what are known as Information Sharing and Analysis Centers. The reason more aren’t sharing information, some believe, is that various US laws may explicitly or implicitly prevent them from doing so. That’s especially true among competitive companies, but can also apply to organizations of any type where there are worries about violating privacy laws and regulations.
“There is a desperate need for legislation on that front to come up with national law,” says Frank J. Cilluffo, associate vice president and director of the Center for Cyber and Homeland Security at George Washington University. “Right now you have 47 different state laws. Beyond that, there is a need for information sharing in terms of understanding not only between the private sector, but the government and the private sector since cyberthreats have extended to incorporate all of society.”
Currently, there’s legislation in the works that could make this all possible. The Cybersecurity Information Sharing Act of 2015 intends to gather information from companies’ and organizations’ first-hand experiences, whether it be a breach or a threat. In turn, it offers them certain immunities resulting from the actions of monitoring information and systems, protection from anti-trust laws, and exemptions from disclosure and the Freedom of Information Act.
The bill isn’t the first one to be introduced, indicating the government’s pressing desire to confront cybersecurity issues head-on. The precedent was set with the Y2K Act, when companies were scrambling to make sure their systems didn’t falter at the year 2000 because they were programmed with just the last two digits of the year. Companies feared that the machines would read the year 00 as 1900 rather than 2000.
“The reason we need this legislation is so companies can pool intelligence, and cooperation is the best way to address potential harm and get the US government to help combat the harm,” says Bruce Heiman, an attorney at K&L Gates who specializes in cyberlaw and cybersecurity. “You’re offering companies protection so that they can provide information. If they extend their hand in cooperation, they want it to be shaken, not slapped.”
Delete the tech jargon.
When the National Association of Corporate Directors surveyed board directors last year, it found just 11 percent overall believed they had a high level of knowledge about the topic of cybersecurity. That might be because directors are often confused by the highly technical nature involved in protecting broad data networks with seemingly unlimited entry points for those who would do companies harm.
William McCracken, the board director for MDU Resources Group, says a company’s IT team sometimes holds directors as “technical hostages.”
“They sort of intimidate them,” he says. “But directors need to refuse to be held technological hostage. Do not be afraid to say, ‘Tell me that in English. I don’t want your acronym.’”
Karen Lefkowitz, vice president of business transformation and chief security officer at Pepco, also says the burden of overcoming the lack of technical expertise is one the directors have to bear. “People in the C-suite and people on boards should not be afraid of asking tough questions just because they don’t know the jargon,” she says.

Nobody wants a cyberattack on their company’s systems and networks, but even worse is to have one and not be prepared for it. “A lot has to be done in advance,” says Shawn Henry, retired assistant director of the FBI and current president of CrowdStrike Services. “Every breach I’ve worked in, the adversary was in the network for months beforehand, and in some cases for years.”
Which means that while they’re planning, your company should have been planning right alongside them inside the firewall.
One of the most important components of your strategy when battling any attack is a solid communications plan. From training employees and board members not to open links from unknown sources to handling the crisis as it unfolds, communicating information is key to making the best out of an unfortunate circumstance. Experts say that cybersecurity is akin to any crisis management, whether it be a natural disaster, a physical attack, or a terrorist attack.
1. Educate. It’s not enough just to provide your employees with a handbook of what not to do, though a regularly updated handbook is a good start. “Keep a low profile, monitor what’s happening, be aware, be alert,” Henry says. Teach employees about minimizing risk, from opening questionable links to posting sensitive information such as birthdates and vacation plans on social media. Rogue nation states are targeting board members because they are “key influences in policy, strategy, development, innovation, and technology.”
Board members also need to comprehend what’s really at stake when a cyberattack occurs. Henry says despite having entire companies knocked out of business, turbines threatened to blow up, computers burnt down, systems taken offline, and other critical infrastructure destroyed by hackers, there’s always someone whose biggest concern is protecting credit card information. He calls it “lack of awareness,” though it’s starting to change. Boards, he says, need to be continually educated on the risks and impact of a cyberattack.
2. Create a communication chart. When a crisis arises, there should be a flow chart “that can kick in instantly so everyone understands who is in touch with who,” says Don Baer, worldwide chair and CEO of Burson-Marsteller. Know who will communicate with the board, the government and regulators, supply chain stakeholders, customers, shareholders, employees, the general counsel, and the press. Designate an incident leader and determine a plan for when to inform each of the different parties. If the company is global, create different plans for each office and the possible repercussions in other offices around the world.
3. Know what to say. While each situation varies greatly, it’s better to have several scenarios planned out in advance than to scramble at the last minute. “Have a playbook,” Henry says. In addition, determine how communications will be provided: offline from the hacked system and by phone, or through a separate communication channel outside standard e-mail.
4. Ask questions. The board should always communicate its issues and uncertainties. “The board should be asking for the strategic plan and poke at that plan and make sure they feel it is adequate, and has defense and mitigation,” says Elizabeth Hackenson, CIO and senior vice president for technology services at AES. “When it happens, the board’s role is to make sure we are abiding by everything we’re abiding by, be candid… and not hide the ball. You can make it worse by minimizing or hiding it.”
So how do organizations fight a mostly invisible enemy with so many methods of attack?
To hear David Merkel, chief technology officer for FireEye, tell it, the successful ones adopt a wartime mindset. “The successful organizations have a well-defined information security program,” he says. “They’re aware of the risks and they know where those risks come from. They know that the bad guys are thinking, breathing human beings who have monetary or other motivations of a higher order that are driving them to attack the organization. They’re prepared to deal with the bad guys inside their networks.”

To ready organizations for that battle, the National Institute of Standards and Technology has developed a cybersecurity framework. It helps organizations understand and prioritize cyberrisks, as well as detect and respond to cyberattacks. The NIST framework has been employed by companies like Apple, Chevron, and Bank of America, as well as a plethora of smaller firms.
One thing the NIST framework doesn’t guarantee is attack prevention. “There has been a notable shift in the last few years away from thinking we can completely prevent bad things from happening,” says Willie May, acting director of NIST. “The goal is a balanced approach that both protects and quickly detects when something is amiss … and emphasizes being prepared with a strong response and recovery plan.” The framework can be found at http://www.nist.gov/cyberframework.
The board directors at Target Corp. and Wyndham Hotels both found themselves forced to respond after cyberattacks on their companies in 2014—in court, that is. After cyberattacks exposed the credit card information of millions of customers at both companies, shareholders filed separate lawsuits against the directors and officers of Target and Wyndham, charging them with breaching their fiduciary duty by not acting soon enough to stop the attacks.
So how soon are board directors supposed to act when cybercriminals, “hacktivists,” or others penetrate their corporate data networks? Boards have plenty of responsibilities in the immediate aftermath of an attack, experts say, but they advise that the best time for board involvement is not when cyberattacks take place, but before they even happen.

“The vast majority of the board’s work in this area needs to be done before a breach occurs,” says Shawn Henry, retired assistant director of the FBI and current president of Crowdstrike, a cybersecurity company.
That means board directors must anticipate that attacks will happen and ensure that thorough response plans have been developed to respond to those attacks.
BE PREPARED AND BRIEF THE BOARD ON YOUR PLANS
“Good preparation is key,” says Linda Mills, a former vice president at Northrop Grumman who is now a board director for loan servicing and government contracting firm Navient. Responding to a breach you haven’t properly prepared for, Mills says, “is like building a house at the same time you’re moving your furniture in. If you’re responding to a breach that you haven’t prepared for—something is going to fall through the floor.”
Proper preparation for directors, experts say, includes developing attack response plans and ensuring that chief information officers, chief security officers, or some other member of the executive team regularly briefs the board on the company’s preparations, in language they can understand fully.
FORM RELATIONSHIPS WITH LAW ENFORCEMENT
It’s important to preestablish contacts in law enforcement and with outside cybersecurity firms who can be called on when attacks happen. Experts warn that after an attack is not the time to be meeting the FBI for the first time.
“Every major company should have contacts at the FBI and at the Department of Homeland Security,” says Peter Beshar, executive vice president and general counsel at Marsh & McLennan Companies.
“Don’t try to figure out who those contacts are in a rushed, frenetic mode after an attack.”
In addition, Beshar advises having a standing relationship with a forensic investigator. “When the Secret Service or someone else calls you on a Friday night about an ongoing attack, you shouldn’t have to figure out who your forensic investigator is and then go try to negotiate contract terms with them,” he says.
Board directors and management are also advised to routinely practice their response to various attack scenarios.
“When something happens, you have to be able to have the muscle memory to just react the way you’ve planned,” Shawn Henry says. “It has to be second nature.”
DON’T PANIC
Knee-jerking after a cyberattack is the wrong kind of muscle memory. Even in the case of severe incidents—like the 2015 attack against Sony Pictures where e-mails from top executives, entire unreleased movies, and other sensitive corporate information was made public by still-unknown hackers—board members are advised against panicked efforts to get information from management.
“Management should discuss mitigation, further risks, and impact to customers and people with the board,” says Elizabeth Hackenson, chief information officer and senior vice president of technology services at global power company AES. “But that has to be simple.”
Hackenson says that when attacks happen the board and management should adhere to the incident response script—the business continuity plan—and do whatever it calls for in terms of communication.

And she suggests that both the C-suite and directors should agree in advance that post-attack communications should be “in layman’s terms”—no elaborate presentations and no white papers filled with technical jargon.
Making A Plan
Introducing yourself to law enforcement should happen well in advance of an attack and not after, advises retired assistant director of the FBI and current president of Crowdstrike Shawn Henry.
LET THE C-SUITE QUELL THE SITUATION
That approach keeps the board informed while also, as Henry puts it, “letting the operators do their jobs.”
“The board has to let the C-suite manage the incident,” he says.
“The security team is there to stabilize the environment. They need to be focused on that and not responding to random questions from the board.” The questions that management does answer from the board should be posed and answered, Hackenson says, in person or on the phone—not by e-mail. “If someone is already in your network, you don’t want to expose more data,” she says.

CYBERATTACKS OF 2015: United Airlines
The same hackers who broke into the Office of Personnel Management and Anthem also made their way into United Airlines’ systems, obtaining passenger manifests, which include information on flights’ passengers, origins, and destinations.
REVIEW AND REVISE THE PLAN
Once that “someone” is out of the network and the cyberattack has been repelled, Mills says boards should review the attack and see how the response plan held up, asking these key questions.
Are we still exposed to similar risks?
Does the board need to be more educated on cyberrisks and the company’s response strategy?
Do the directors still trust the people in charge?
Do changes need to be made in our cybersecurity plans or our personnel?

That’s exactly what Sondra Barbour says her company does after every cyberattack launched against it. “We take every attack and unpack it,” says Barbour, a board director for 3M who is also executive vice president of information systems and global solutions for Lockheed Martin. “We want to know the attacker’s intent, the mechanisms we had that stopped the attack, and the places where they got through. Then we can be predictive about future attacks.”
For the board directors, that means that even once a cyberattack stops, their job of planning for a response does not.