One of Al Pacino’s iconic movie scenes came in the 1992 film Scent of a Woman. Pacino won an Oscar for his portrayal of a blind, cantankerous, retired Army officer who teaches his young assistant (played by Chris O’Donnell) some unexpected life lessons.
Halfway through the movie, the two spend an exhilarating few minutes driving a Ferrari around Brooklyn, with Pacino confidently taking the car up to 70 miles per hour down deserted side streets, while a terrified O’Donnell occasionally yells, “Turn left… NOW!” from the passenger seat.
Unusual as it may seem, this scene serves as a metaphor whenever surveys are released showing how corporate boards approach cybersecurity. Consider such findings as:
- 39% say their company has no incident response plan, or that they are “not sure”
- 62% say they are not required to take any cybersecurity training
- 50% say they have not assessed the risks of third-party vendors
To explain why boards may be better off with a blind Ferrari test drive than with these results, let’s look briefly at the three topics.
Incident Response Plan
As the saying goes, failing to prepare is preparing to fail.
A case study in effective response planning can be drawn by juxtaposing the June 2017 cyber attack on pharmaceutical giant Merck with the July 2018 attack on the clinical laboratory company LabCorp. Merck fell victim to the NotPetya ransomware campaign, which caused widespread disruption of its global operations. It took the company months to get back to the point that most of its sites were “largely operational,” and it absorbed hundreds of millions of dollars in impact.
LabCorp, on the other hand, met a similar threat in 2018 with SamSam ransomware, but contained the situation within 50 minutes. Despite the attack still managing to encrypt thousands of their computers and hundreds of production servers, LabCorp would go on to summarize the situation as follows:
“LabCorp promptly took certain systems offline as part of its comprehensive response to contain and remove the ransomware from its system. This temporarily affected test processing and access to test results. Operations were returned to normal within a few days of the event.”
The impact of having an effective incident response plan was stark.
A 2017 IDC survey of 600 organizations found that 40% had implemented only a broad incident response plan. Only 35% had plans that included notifying their board of cyber incidents, and a shocking 26% reported that they only inform the board when the breach becomes public!
That will make the board feel like it is driving blind!
When (notice that organizations no longer say “If”) the inevitable cyber attack targets your organization, preparation will have a direct influence on how well the company’s operations can weather the storm.
Japan’s deputy chief of cybersecurity strategy was in the news a few months ago for revealing in a parliament meeting that he does not know how to use a computer. When asked whether Japan’s nuclear plants are allowed to connect USB drives to critical systems, he responded that he was not sure, because he does not know what USB drives are. In fact, his very presence in such a position was summarized rather succinctly when he said, “I’m here because a Cabinet minister is needed.”
The oddity of the situation is of course inflated by the fact that his position is specifically in charge of cybersecurity. Still, company leaders in all functions should recognize that cybersecurity pervades both their company and their position within it.
This is by no means to advocate turning every board member into a cybersecurity expert. Rather, companies should approach board members’ cybersecurity training the same way they should be approaching training for all other positions:
- Identify the cybersecurity knowledge required to fill the position effectively
- Assess the employees’ current knowledge level and identify gaps
- Provide role-based training to meet the need
- Follow up with periodic training to stay fresh and build the knowledge base
Recent years have shown us third-party vendors at the center of the highest-profile hacks. The Target breach, which exposed the personal data and payment card details of 40 million people, and the Home Depot breach, which exposed 50 million, were both the result of stolen vendor log-in credentials. Over $200 million in breach impact later, both companies were left struggling to rebuild their brands.
IBM and Ponemon’s 2018 Cost of a Data Breach study found that “third party involvement” is the single greatest contributor to organizations’ per capita cost from a data breach. The enduring nature of this finding, years after the 2014 Target and Home Depot breaches, places a very public burden on boards of directors to responsibly address the issue. In spite of all this, an NACD survey found the odds of boards addressing this to be no better than a coin flip.
FBI Director Christopher Wray underlined the point when addressing an NACD audience in October 2018. “A decision to enter into a particular joint venture or a contract with a particular vendor or cloud computing company may look good today. It might look even better in next quarter’s numbers,” he cautioned. “But that decision might not look so great a couple years down the road if you’re in the middle of a slow bleed of your intellectual property.”
Whether intellectual property or customer data, increased vendor involvement always equals increased risk.
“Blinding ignorance does mislead us. O! Wretched mortals, open your eyes!” – Leonardo da Vinci
As corporate boards work to fulfill their mission for cyber risk oversight, it is critical that they seek out information on risks which have been other companies’ downfalls. The trends have been positive in boards’ increasing participation in cybersecurity strategy. The three topics here would go a long way to round out that participation. Boards neglect these topics at their peril, unless of course they are the thrill-seeking type that would like to take a ride with Al Pacino.