Cyber-Risk Hygiene and Boards
Directors are in a great position to thwart attacks by stepping into hackers’ shoes, advises Dave DeWalt, Delta’s security director, former McAfee CEO, and private company director and investor.
When assessing cyber risks, boards may want to try and think like a cyber thief.
Directors should ask, “What’s our risk and who wants to steal whatever it is we have?” advises Dave DeWalt, chair of Delta Air Lines’ safety and security committee, and vice chair and investor in privately held cybersecurity firm JASK, among other private companies. “Look at your risk from the perspective of the attacker.”
Boards are in a good position to shore up an organization’s “cybersecurity hygiene,” stresses DeWalt, who is also the former CEO of cybersecurity product producers FireEye and McAfee, and a member of the National Security Telecommunications Advisory Committee.
“Cybersecurity is a massive risk, no matter what size you are,” he explains. “Intellectual property, consumer information, anything of value; you’re a target for hackers and attackers. Getting educated on the risk is job number one for any board or owners.”
A lot of private companies are naïve about their cyber risks, he notes.
While 65% of public companies are worried about cyber threats, only 59% of private companies are, according to a PwC report titled “Undaunted, but underprepared? A private company view from the 20th CEO Survey.”
“While a 6% difference may not seem significant, it means that 41% of private company CEOs are not concerned with cyber threats — perhaps leaving their business unguarded and vulnerable?” the authors write. “This is worrying, not least because private companies often have fewer resources available to them to invest in new technology and cyber security.”
So what’s the primary cybersecurity mistake DeWalt sees among privately owned and family-owned companies? “They typically underestimate the seriousness of cyber intrusions, theft and damage. Just because they are smaller doesn’t make them less of a target. Understanding your assets and how attackers would perceive your assets will determine if you are a potential target.”
For example, he adds, “even if you have minimal dollar-based assets, your data may have a much higher value and therefore be very attractive to attackers.”
Too often company management and boards don’t spend time assessing potential nefarious players and many end up surprised at who cyber thieves may be and what they are looking for, DeWalt points out. “Who would have thought Facebook and Twitter and other social media might be attacked by Russian intelligence agencies? Who would have thought a next generation design of an industrial product would be stolen by the Chinese trying to improve their own industrial infrastructure?”
Figuring out what the unforeseen threats may be is “the first preventative measure” all directors should take, he maintains. This measure is of critical importance for closely held and family-owned businesses, because trust sometimes keeps them from casting a wide net of potential perpetrators.
“You could be a pawn in a game of chess,” being targeted by a hacker to get to a large client with sought-after customer data, for example, DeWalt notes. And, he adds, “a lot of companies miss the insider threat. Over 50% of all breaches actually occur from the inside — disgruntled employees, radicalized employees, plants from nation states.”
It’s natural, he adds, for family-owned, and even tightly held companies, to be trusting. “You think you can trust employees, well, what about the new intern? Can they be blackmailed?”
A board of directors can provide a reality check for private company management when it comes to cyber threats.
“I don’t invest in companies that don’t have boards or concepts of board,” he continues, “and the more diverse the board the better.”
When DeWalt makes decisions on investing in a private company, he looks to see if there is a board or whether there are concrete plans to create a board. “It’s mandatory,” he says. “I can’t imagine a scenario where there isn’t a check and balance [system] with a board and management. Anything of value needs a check and balance. The board acts as a balance to management and it’s of tremendous value, not just in governance, but in business value.”
To that end, what is the best way for boards to help management navigate the ever-changing cybersecurity landscape?
“The primary methodology used by internet thieves is spear phishing,” DeWalt explains. “Spear phishing is the art of sending emails (or other communications) that have malicious links or attachments that download keyloggers to steal credentials and identities. Amongst other things, boards should help ensure there is adequate training, education and tools to prevent this primary cyberattack vector.”
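The spear-phishing signals DeWalt describes (malicious links or attachments delivered under a plausible-looking sender) are exactly what an inbound-mail triage rule looks for. The script below is an added example, not code from the article, Delta, or any of the companies named: it scores a message against a hypothetical company's trusted-domain list, flagging lookalike sender domains, reply-to mismatches, link text that shows one domain while pointing at another, and attachment types that commonly carry droppers. The two sample messages are constructed for illustration; the trusted domains and extension list are assumptions a real deployment would replace with its own.

```python
"""Spear-phishing triage heuristic (added example; all sample data constructed)."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical domains this fictional company legitimately sends mail from.
TRUSTED_DOMAINS = {"example-corp.com", "bank-example.com"}

# Attachment extensions that commonly carry droppers or keyloggers (assumed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".iso", ".lnk"}

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Only compare link text against the real target when the text itself looks like a URL/domain.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header: str) -> str:
    """Extract the domain from a From/Reply-To header, ignoring the display name."""
    _, addr = parseaddr(header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str) -> bool:
    """True when the domain is not trusted but is within two edits of a trusted one."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    return any(levenshtein(domain, t) <= 2 for t in TRUSTED_DOMAINS)


def mismatched_links(html: str) -> list:
    """Flag anchors whose visible text names a different host than the href target."""
    findings = []
    for href, text in HREF_RE.findall(html):
        m = DOMAIN_LIKE.match(text.strip())
        if not m:
            continue  # plain words like "click here" cannot be compared
        shown = m.group(1).lower()
        target = (urlparse(href).hostname or "").lower()
        if shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
    return findings


def score_message(msg: dict) -> list:
    """Return a list of human-readable findings; an empty list means no signal fired."""
    findings = []
    dom = sender_domain(msg.get("from", ""))
    if is_lookalike(dom):
        findings.append(f"lookalike sender domain {dom}")
    reply_dom = sender_domain(msg.get("reply_to", ""))
    if reply_dom and reply_dom != dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender {dom}")
    findings += mismatched_links(msg.get("body_html", ""))
    for name in msg.get("attachments", []):
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type {name}")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = {
    "from": "Accounts Payable <ap@examp1e-corp.com>",          # '1' for 'l' lookalike
    "reply_to": "ap-desk@freemail-example.net",
    "body_html": '<p>Please confirm: <a href="http://login.evil-example.net/x">bank-example.com</a></p>',
    "attachments": ["invoice_Q3.docm"],
}
SAMPLE_BENIGN = {
    "from": "HR <hr@example-corp.com>",
    "body_html": '<a href="https://example-corp.com/benefits">example-corp.com</a>',
    "attachments": ["benefits_summary.pdf"],
}

if __name__ == "__main__":
    for label, m in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, score_message(m))
```

Each finding is a separate string so a mail gateway or SOC dashboard can count how many distinct signals fired per message; a board-level metric such as "simulated phish click rate" or "messages quarantined per month" can be built on top of exactly this kind of per-message scoring.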
He suggests bringing outside experts to do a risk assessment for the board and management. And it’s also a good idea to add a board member who is also a cybersecurity expert. “In the case of Delta, that’s what I do,” he says.
But throughout the boardroom, he advises, “getting educated on the risk is job number one for any director.”
Directors should be pushing for regular reporting on such risks, he advises. There has to be time spent figuring out what’s the right amount of data needed to share with the board, data that can help them figure out if risks are being managed properly and all the avenues are being considered to fortify the organization against attacks.
Getting accurate information from management is critical, as is keeping the amount of tech reports given to boards in check. “It’s important to have precise information according to the metrics that are agreed upon and it’s mandatory for all directors to become educated, especially if they’re on the audit or risk committee.”
Directors should be asking, he says, “about the basic building blocks of good cyber hygiene – what is the risk, what are we doing, how are we reporting what we’re doing, are we doing that quarterly or monthly to the board.”