More than ever before, boards are faced with the daunting task of ensuring their company is protected in the event of an online attack. Just a decade or so ago, questions of digital risk rarely made it to the boardroom; instead, companies left cybersecurity to the C-suite. As large data breaches have wreaked havoc on major organizations, however, board members have begun to recognize their important role in risk management for information security. In order to maintain a proactive approach, we recommend that directors ask a lot of questions, including these:
Have we analyzed risk from every angle?
It’s easy to brush off cybersecurity as simply keeping hackers from stealing personal data out of customer databases. But the truth is that information security covers much more than that. For instance, last year Colin Powell’s personal email account was breached, which exposed Salesforce’s M&A target list. The leak caused a major headache for Salesforce; it seems that the company had not considered the risk presented by board members discussing sensitive business via personal email accounts. In other words, directors need to make sure that CIOs and CTOs are examining every possible direction from which an attack could arise, including the board’s own habits.
Do we understand the legal dangers of cyber risk?
Sure, a data breach can deeply injure your company’s reputation and brand, but the legal consequences can be costly as well. Not only can your company be hit with monetary penalties from regulators, it can also face class action lawsuits from customers and from the banks and card issuers that absorb fraud losses. For instance:
“A class action was filed against Target in federal court in Minnesota by financial institutions seeking damages for their expenses in connection with a 2013 breach that exposed payment and contact information of millions of customers. Target agreed in May 2016 to pay $39 million plus costs and attorneys’ fees, and separately settled with Visa for $67 million. Target settled a consumer class action arising from the same breach for $10 million.”
Target is just one of many companies in recent years that has been forced to make costly payouts to various groups after a breach. However, just because headlines tend to feature the larger companies that have dealt with information security problems doesn’t mean that smaller organizations shouldn’t work to mitigate their own risk. A serious breach is, if anything, more likely to sink a smaller company entirely, because it has less capital and less goodwill to absorb the legal costs and lost customers.
If an attack occurred, would we be aware?
As NACD reports, “On average, it takes 146 days before an organization realizes it has been breached. In about half the cases, the breach is reported by law enforcement or third parties, not internally.” Most security practitioners agree that 100% prevention is unrealistic, so the practical question for the board is how quickly an intrusion would be noticed. Companies can invest in monitoring technology and in the processes around it (who reviews the alerts, and how an anomaly is escalated) so that they learn of an attack from their own systems rather than from a regulator, a customer, or the press.
In the event of an attack, what does our chain of communication look like?
Every company should have an incident response plan in place in case the worst occurs. In addition to knowing who would take the lead on responding to the attack, board members should also know how the organization will communicate both internally and externally about the incident, including when the board itself expects to be informed and who is authorized to speak to customers, regulators, and the press. In other words, don’t get caught writing a crisis communication plan in the middle of the crisis. Establish a process you can rely on, and rehearse it, before the time comes.