Boards and Cyber

Is there anything new that Boards of Directors of companies, large and small, have not already heard? There have been two years of information bombardment: protect only high value assets as you cannot protect everything; what is our largest risk; use multi-factor authentication; do we have a cyber plan and do we test it; does the board question management on all the above and inquire if resources are adequately deployed?

The answer, per an expert panel convened yesterday by the National Association of Corporate Directors–New England, is: yeah, there’s lots of new stuff directors need to worry about. Examples below:

COVID froze budgets; is it time to review the numerous overlapping protections that were added, ad hoc, over time, to make sure you have correct coverage?

Early-stage tech companies have valuable secrets and the weakest cyber defenses; early plans for start-ups must include cyber.

While you can do business with China (Cyber is not an IT matter, it is a risk matter so just calibrate), remember that by law the Chinese government has the right to access anything on demand and without process.

In M&A, as soon as there is an announcement of an acquisition of a smaller entity, hackers attack the target, which usually has weaker defenses, to plant a Trojan Horse in that entity; upon acquisition, the Horse is used to infiltrate the usually more secure acquirer. Acquirers should address defenses.

Smart buildings are a huge risk to tenants. Google ICS-CERT to learn about defenses against “unguarded back doors.” Apparently your company is at risk of being hacked through a water valve (?).

Again: Directors have noses in, but fingers out, of management; these are issues about which to inquire of the C-Suite. And third-party experts abound, and the panel, impressive folks but in that business of third-party cyber security, recommends using them.
