Directors and executives want to believe their companies are adequately protected against cyber threats. ISACA’s recent survey of leadership teams reinforces the notion that most corporate leadership teams recognize cyber risk is a material threat to their businesses. As the research points out, 55% of respondents agree that their organization’s leadership team or board is doing everything it can to safeguard the organization’s digital assets. But, does this perception represent reality?
In a recent study conducted earlier this year by NYSE Governance Services and Diligent, 381 directors of public companies were surveyed regarding their secure communication practices and their level of awareness of how those practices might impact the company’s level of cyber risk. The results were sobering – and indicate a disconnect between what directors and executives believe about cyber security and the cyber risk created by their own communication practices.
To illustrate this point, consider that 92% of respondents use personal email accounts – including unsecured systems like Yahoo! Mail, Gmail, and AOL – at least occasionally to conduct board business. While 74% reported using secure board communication software to receive and transmit sensitive documents, 54% regularly download these documents onto personal devices or drives. Even when companies use secure board communication software, only 8% ask the IT, IS or data security team to sanction directors’ communication methods. Worse still, 62% indicated their company doesn’t require directors to participate in any cyber security training, and in ISACA’s new research, only 15% of respondents expect their organizations will fund an increase in cyber security training for board members in the next year.
Why does this matter? The job of a director requires access to extremely sensitive company data. Yet, directors don’t often receive direct oversight from the IT or data security team. Hackers have clearly figured this out. Consider this report on China’s APT 10 hacking group, which specifically targets corporate directors as an easy entry point to high-value information. Even someone as sophisticated as former Secretary of State Colin Powell, a director of Salesforce, was successfully hacked when a slide deck for an upcoming Salesforce board meeting was stolen from a personal email account. The data from the slide deck was leaked to the Wall Street Journal in advance of the board meeting, negatively impacting both Salesforce’s business strategy and its share price.
Meanwhile, a number of new regulations are cracking down on corporate negligence on cyber security and data privacy, and are holding directors and executives responsible for breaches. In March 2017, new regulations took effect with the New York State Department of Financial Services that require board members (or senior officers) to personally certify that the company has adequate cyber security programs in place, and that those programs are regularly tested and reviewed. While this regulation is at the state level, it applies to any financial services firm – and any vendors serving those firms – that conducts business in New York. Another case in point is the EU’s new General Data Protection Regulation (GDPR) – set to take full effect in May 2018. This new regulation includes fines as high as 4% of annual worldwide turnover in the event of a major breach, as well as potential jail time for the directors or executives who are responsible. GDPR doesn’t just apply to EU companies; rather, any company that stores, processes, or accesses the data of EU citizens is liable.
Both of these regulations reinforce the idea that directors and top executives hold the ultimate responsibility for overseeing cyber security and risk management for their organizations. Not only must they be aware of the cyber security programs and risk profile of their companies, they must also set the right tone for the rest of the company’s employees – demonstrating by their adherence to secure communication policies and practices that cyber security is important enough to warrant the regular time and attention of the company’s leaders.
This all begs the question … why are corporate leaders so bullish on their level of cyber security? Perhaps one culprit is the approach we generally take to raising cyber security issues in our boardrooms. Most board discussions on cyber risk include a “briefing” by the CSO/IT security team on what the company is doing to secure customer data and internal systems. Rarely do these briefings include a review of director communication methods, raising directors’ awareness of their own cyber risk, and training on how to handle sensitive data.
It’s time for us to help directors understand their real level of cyber risk and provide them with the secure tools, training and support to keep their communication – and our companies’ data – safe. An easy first step is to provide this article to your directors and add some time on the next board meeting agenda to discuss it. Get directors’ concerns out in the open. Only by candidly reviewing what’s happening now – and what should be happening – can any change be implemented.