Big problems just keep getting bigger.
In 2003, hackers succeeded in reaching their targets 74% of the time with a 20% detection rate by those being hacked.
In 2015, detection increased to 25%, but hackers were now successful 95% of the time.
What is the current thinking with respect to the obligations and best practices of a corporate board of directors in the face of this reality? This issue was discussed by an expert panel, headed by the Chief Technology Officer for Cyber Security in the Department of Homeland Security, at an October 18th breakfast meeting of the New England Chapter of the National Association of Corporate Directors. Major takeaways:
Consistent with the role of boards as supervisors and not direct implementers, boards should monitor management instituting robust protection measures. Aside from having a plan for remediation and crisis control, the board should be fully involved with monitoring cyber security as part of a company-wide enterprise risk management program.
Boards should obtain outside consultative help and analysis; boards should be trained in cyber security or, at a minimum, one board member should have expertise in the space.
It may not be wise for the CIO, with responsibility for running the networks, to also have primary responsibility for security. Increasingly, companies are designating cyber security officers. It was suggested that this officer report directly to the CEO and not to the CIO.
Boards often use commercial portals for intra-board communication. These portals are safer than the open use of the internet, but they should not be treated as fully secure. Some companies are providing secure, dedicated iPads to board members, the only function of such devices being to communicate with the board portal.
The internet of things is making life more complex. Since everything is connected, and there are no standards for manufacture or testing of devices, and since manufacturers therefore are “all over the place” (according to Homeland Security), there is a need to standardize all that is interconnected so that it can be policed and defended.
Speaking of Homeland Security, right now they are deeply focused on protecting the election functions of the various States so that the presidential election cannot be compromised.
One question from the floor raised the issue as to whether blockchain technology might be promising in terms of increasing internet security. The answer: blockchain is a promising technology, currently being studied, but it is complex and we are a long way from being able to harden our systems using it.
For boards, there are two things to keep in mind: the first is to be sufficiently acquainted with the technology of cyber security as to be able to monitor; the second is to document the board’s robust process, so as to be safe from criticism (and lawsuits) when the seemingly inevitable occurs: you will be hacked.