From: Financial Times
By Anthony Goodman
As millions of us complete our holiday shopping online rather than deal with the melee at the mall, pause a moment to consider the dark side of the internet. Throughout 2012 board directors have told me the problem that most frequently keeps them awake at night is protecting their companies from cyber attacks.
Back in April, I first wrote about what has been labelled a “cyber cold war”, involving state-sponsored hacking of companies. Experts say the threat has since worsened.
In a speech in June this year, Jonathan Evans, director general of the UK security service, MI5, warned of the risks from cyberspace: “What is at stake is not just our government secrets but also the safety and security of our infrastructure, the intellectual property that underpins our future prosperity and the commercially sensitive information that is the life-blood of our companies and corporations.”
At a recent meeting of board directors of top US companies in New York, Shawn Henry, former executive assistant director at the Federal Bureau of Investigation, responsible for cybersecurity investigations, said his agents would notify companies “dozens of times a week” that their networks had been breached. After initially denying that it was possible, companies “find that the hackers have been there for months or years, unknown about and with unfettered access to day-to-day communications like e-mails.”
Company directors have also told me they are aware of foreign intelligence services planting people directly on company staff in order to extract information. The trojan horse now wears a lab coat and companies must beware geeks bearing gifts.
Mr Henry noted that “there are two types of companies: those that have been breached, and those that don’t know they have been breached”.
The motive of cyber attackers might be theft of money or intellectual property, reputational damage or actual physical harm. This month, the FT’s Bede McCarthy reported that hackers stole over €36m from 30 banks in Germany, Italy, Spain and the Netherlands. A bank director speaking at a meeting in New York warned of the potential for more serious attacks on the financial system. “I am absolutely convinced that this is where the next ‘September 11’ will occur.”
Intrusion can also take a physical form, with cyber attacks destroying computing equipment or even heavy machinery. One board director of a big European multinational told me last month: “An electrical generator can be remotely accessed and its parameters altered so that it is irreparably damaged. Look at [Hurricane] Sandy and imagine a major metropolitan area with no power and no prospect of power.”
Given the potential scale of the threat, it is surprising how many board directors are ill-informed and ill-prepared for the worst-case scenarios that could paralyse their companies. A European director told me: “Too many board members think that there isn’t a problem or that it is someone else’s problem.”
Indeed, a report based on a survey of more than 100 board directors and senior executives at Forbes Global 2000 companies by Carnegie Mellon CyLab, a cybersecurity research centre, warned: “Boards still are not undertaking key oversight activities related to cyber risks, such as reviewing budgets, security program assessments, and top-level policies; assigning roles and responsibilities for privacy and security; and receiving regular reports on breaches and IT risks.”
Mr Henry told directors that boards have a critical role to play in cybersecurity: “It starts in the boardroom – the leadership sets the pace … Every board should bring in the key leaders in the organisation to talk to them.”
There are ways to defend the network, and its assets, even if it has been breached. Intruders can be detected, monitored in real time and thwarted. Though companies should be mindful of how security measures affect productivity, the most critical information can be moved off the network completely. The board should ensure the company is not an easy target.
Wrestling with complex technical issues is not beyond the wit and wisdom of the board. The first place the board will turn is to the head of the IT function. Chief information officers will need to be ready for additional scrutiny. After insisting that a CIO be replaced, one American director told me: “When the CIO comes to the board, you have to understand what they are saying. We can’t take responsibility if we don’t understand.”
For other companies, the answer is to find new board members with the requisite skills or experience. One American board director told me: “Some level of technology experience is now part and parcel of the skill set any board believes it needs.”
Another option is to bring in outside experts. One board member said: “It’s like any other risk you are not comfortable with – you go and get some external help.”
This Christmas, while Santa is coming down the chimney, a cyber attacker may be making real-time changes to the nice and naughty lists, creating a big reputational risk for Saint Nick. That may be the nightmare before Christmas, and boards can’t afford to wait to find out what presents have been left for their companies by cyber intruders.
The writer is a partner at Tapestry Networks