How the C-Suite Can Fight Back Against Cyber Threats
Senior Vice President and Assistant General Counsel on Cyber Policy at Marsh
The cyber stakes changed for the C-suite in 2017. Cyberattacks systemically paralyzed company operations, drained billions in market capital, and even led to dismissals of senior executives. It was a bad year, and two emerging trends show that things will likely get worse before they get better.
First, attacks are becoming more destructive. Most prominently, in May and June 2017, hackers unleashed the WannaCry and NotPetya attacks, which targeted known vulnerabilities and took down systems around the world. As a result, companies struggled with severe network disruptions that forced organizations to shutter operations and, in several cases, to report earnings losses totaling hundreds of millions of dollars. Concern is now growing that hackers will increase their ability to manipulate industrial control systems to destroy property and threaten loss of life.
Second, as the attacks grow more severe, regulatory controls are tightening. Regulators around the world have enacted mandates for companies to do more to protect data and systems. Leading the way will be the sea change introduced by the European Union’s General Data Protection Regulation (GDPR) for data privacy and its Directive on Security of Network and Information Systems for critical infrastructure, both of which take effect in May 2018. Taken together, the push for cyber regulations means that companies need to implement specific technical controls, provide more transparency to employees and consumers on how their data is collected and used, disclose cybersecurity breaches and face fines and penalties for violations.
A new report from Marsh & McLennan and the cybersecurity firm FireEye analyzes the challenges of confronting cyber risk for boards and the C-suite. First, most senior leaders are digital immigrants who lack technical proficiency. Unlike so many other operational or financial areas, cybersecurity is not intuitive, and simply increasing the cybersecurity budget fails to solve the problem.
While immense challenges exist, MMC and FireEye provide five recommendations for the C-suite.
- Secure your cloud. Cloud computing offers powerful benefits for companies of all sizes and sectors, including scalability, flexibility, enhanced collaboration, disaster recovery, and reduced IT spending. That does not mean you can outsource your responsibility for security. Many breaches still start with weak passwords, sloppy authentication, poor certificate validation, or other bad cyber hygiene and key management. To prevent breaches, organizations must maintain strong internal security to stop unauthorized access to the cloud. Additionally, while cloud providers offer security controls such as data encryption, customers still must opt in and incorporate those controls. Lastly, companies should keep programs that use trusted vendors for outsourcing and provide the means to validate the cloud provider’s security practices.
- Spend time on patching. Patching presents a dilemma. On one hand, most cyber exploits target known vulnerabilities for which software fixes already exist. On the other, the patching process requires time to conduct the reviews that assure updates will not interfere with complex IT environments. Companies need to have confidence that their process will identify the most critical vulnerabilities and shorten patch implementation for those fixes.
- Rethink the human element. The statistics are daunting. Reportedly, 91 percent of ransomware infections start with employees clicking on a spear-phishing email. Successful corporate strategies need to address the people aspect as well as processes and technology. A good place to start is to reinvent employee training. Try supplementing or replacing email blasts with games and incentives.
- Engage with the government. Industry and government need each other more than ever. Good relationships with law enforcement and regulators might later save the victim of a cyberattack from being treated as a villain. With governments playing an increasingly active role in a company’s compliance with cyber laws, take the time to reach out to the key agencies looking into your cyber practices and responding to incidents.
- Plan, plan, plan. In stressful situations, people revert to instinct. Accordingly, there is no substitute for conducting a mock cyber exercise to establish rules of the road during a time of crisis. Senior business, IT, finance, legal, and communications executives should all be in the room together with outside forensic, communications, and legal advisers to test how their organizations will respond to a cyber crisis.
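The patching recommendation above asks for a process that singles out the most critical vulnerabilities and shortens the fix timeline for those while still respecting change-management reviews. The following is an added example of such a triage step, written for this page and not taken from the Marsh & McLennan/FireEye report. The scoring weights, the P1/P2/P3 tiers, the remediation deadlines and every finding in the sample list are constructed assumptions for illustration; the vulnerability identifiers are placeholders, not real advisories.

```python
"""Patch-prioritisation triage (illustrative example; all policy values are assumed).

Each open finding is scored from its base severity, boosted when a public
exploit exists and when the host is internet-facing, then mapped to a
priority tier with a remediation deadline. Findings whose patch carries a
high change-management risk are flagged for a staged rollout rather than
being skipped, which keeps the "review before deploy" step without letting
it stall the most critical fixes.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Finding:
    host: str
    vuln_id: str        # placeholder identifier, not a real advisory number
    cvss: float         # base severity, 0.0 to 10.0
    exploit_public: bool
    internet_facing: bool
    patch_risk: str     # change-management risk of the fix: "low", "medium", "high"


# Assumed remediation service levels in days per tier (hypothetical policy).
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}


def score(f: Finding) -> float:
    """Weighted risk score: CVSS plus bonuses for a known exploit and exposure."""
    s = f.cvss
    if f.exploit_public:
        s += 2.0          # fix exists and attackers already know how to use the bug
    if f.internet_facing:
        s += 1.5          # reachable without first compromising the internal network
    return min(s, 13.5)


def tier(f: Finding) -> str:
    """Map the score onto the assumed P1/P2/P3 tiers."""
    s = score(f)
    if s >= 10.0:
        return "P1"
    if s >= 7.0:
        return "P2"
    return "P3"


def deadline(f: Finding, today: date) -> date:
    """Remediation due date under the assumed SLA for the finding's tier."""
    return today + timedelta(days=SLA_DAYS[tier(f)])


def triage(findings, today: date):
    """Return one row per finding, most urgent first, with tier, due date and rollout flag."""
    rows = []
    for f in findings:
        rows.append({
            "host": f.host,
            "vuln_id": f.vuln_id,
            "score": round(score(f), 1),
            "tier": tier(f),
            "deadline": deadline(f, today).isoformat(),
            # High-risk patches still get a deadline; they are routed through a
            # staged rollout (test ring first) instead of being deferred.
            "needs_staged_rollout": f.patch_risk == "high",
        })
    rows.sort(key=lambda r: (-r["score"], r["deadline"]))
    return rows


# Constructed sample findings (hosts and identifiers are made up).
SAMPLE = [
    Finding("web-01",      "VULN-0001", 9.8, True,  True,  "low"),
    Finding("erp-db",      "VULN-0002", 8.1, False, False, "high"),
    Finding("hr-laptop-7", "VULN-0003", 5.3, False, False, "low"),
    Finding("vpn-gw",      "VULN-0004", 7.5, True,  True,  "medium"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE, date(2018, 5, 1)):
        flag = " (staged rollout)" if row["needs_staged_rollout"] else ""
        print(f'{row["tier"]} {row["score"]:>5} {row["host"]:<12} {row["vuln_id"]} '
              f'due {row["deadline"]}{flag}')
```

Run as a script, the constructed sample yields two P1 findings (the internet-facing web server and the VPN gateway, both with public exploits) due within a week, the ERP database as a P2 that must go through a staged rollout, and the laptop finding as a P3. The point of the exercise is that the review step the article mentions is preserved as a rollout strategy rather than as a reason to delay the fixes that matter most.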
In the face of escalating risk, the C-suite will need to look at its company through a different lens. Perfection is never the goal, but companies will need to marshal the resources necessary to respond to evolving threats and limit the growth of vulnerabilities. Those companies not keeping pace with this ever-evolving risk will be quickly outgunned and fall prone to loss of data, system outages, and the surrounding consequences of failing to protect critical cyber assets. However, with the right approach, businesses can thrive in the digital economy and avoid falling into the pitfalls of cyber risk.