For Private Companies, Cyber Breaches Are Inevitable

But informed directors, effective C-suite communications and intense preparation can help ward off attackers. 

When James Mitchell Jr. thinks about the efforts cyber attackers are making to disrupt private companies in 2023, he’s reminded of the name of a particularly terrific film. And, unfortunately, we are not talking about Much Ado About Nothing.

“It’s like the movie Everything Everywhere All at Once. It’s a unique enterprise risk where you have an attacker constantly trying to get at your digital assets,” says Mitchell, who serves as board and technology committee chair of Fora Financial and audit committee and cybersecurity subcommittee chair of Aegion Corporation. “Every minute of the day, someone’s trying to get the information. Information is a company’s biggest asset, and the attackers know it.” 

Rob Lyman, advisory board member of the Military Cyber Professionals Association and former assistant deputy chief of staff for cyber effects operations for the United States Air Force, believes the focus on cybersecurity in the boardroom is growing because of an increased focus on the part of both customers and shareholders, who are concerned by the potential loss of data and the reputational risk that comes along with it. 

“The concern is growing as companies evolve and become more and more technology-dependent. You’ve seen that manifest itself in conversations by the SEC and among shareholders,” says Lyman. “So that is bound to continue. And really the challenge becomes how to fold that into a firm’s ongoing discussion of strategic, business and operation risks.”

Luckily, private companies are not as big of a target for cybercrime, right? Sophisticated cyber criminals are spending their time going after the big boys? Both Mitchell and Lyman are quick to discount this popular falsehood. 

Says Mitchell, “With small and medium-sized businesses, attack teams think that they have fewer assets to fight an attack. They think that privately owned businesses don’t have all the infrastructure that an AIG or an IBM has, so they’ll be easier targets. That’s an ideal reason to build up resiliency in your operations.” 

And Lyman cautions that attackers will often look to infiltrate a smaller company’s data as a means to an end, the end being larger companies that a smaller private company might work with as part of their supply chain.

“You’re a path to swim upstream. There’s a perception that cybercriminals gain access through smaller businesses to swim upstream into the larger businesses and federal government networks to steal intellectual property,” says Lyman. “And whether that’s a nation-state actor or a criminal organization trying to make money through ransomware, that’s the perception out there, and smaller businesses are larger targets because they’re viewed as softer targets.” 

With private companies viewed as ripe targets for cybercriminals, the question becomes: what is the best way for their boards to help guard their organizations’ data and examine the implications for board oversight of mission-critical risks? Is it best to have a cybersecurity expert on the board? Would it be best to have a board that is generally educated on cybersecurity, but aided by a third-party cybersecurity expert or a C-suite level resource, such as a chief information security officer? To Mitchell, that board dynamic as it relates to cybersecurity is the essential question to be answered.

“Boards are obligated to understand and oversee cybersecurity risk and privacy risk. To properly mitigate these risks, it is imperative that the C-suite and the board are aligned on their cybersecurity policy and its strategy framework. You always have to evaluate your staffing,” says Mitchell. “Do you have the right people for the challenges of tomorrow? All directors need to have a continual education in cybersecurity and privacy risk management, and understand this is a real enterprise risk, because that is why boards are there: to protect against the enterprise risks of the firm.” 

While Mitchell believes that directors should constantly seek out knowledge enrichment on the subject, he does not think they must become completely fluent in the language of IT. But directors should know enough on the subject to ask the right questions. 

“I took about an eight-week cybersecurity course just to be able to understand the lingo and the key issues. It enabled me to ask the right questions and know what the answers should be. I may not know 100% what the answer is, but I know if the CIO is trying to give me the slip.” 

If effective communication between the board and C-suite cybersecurity representatives doesn’t get you all the way to fully protected data, Lyman has another idea, and for that we return to our movie theme from the first paragraph: War Games, also known as tabletop exercises. The tool stems from the military and can also be used to walk through potential scenarios in the boardroom. According to Lyman, the exercise can be a useful way of discovering the information you need to protect, the largest threats to those resources and the steps the board and the company will take to follow up in the case of a cyber breach. Lyman believes tabletop exercises are “a great tool for organizations to reach a common understanding and make sure they land in a conversation about risk, not just technology and project management. It’s just a very useful construct.”

In case you still reside in the camp of “It can’t happen to us,” know that Mitchell and Lyman both believe that, despite all the work done to prevent it, falling victim to a cyber crime is not a matter of if, but when, so it’s best to be prepared ahead of time.

“There needs to be a cross-functional team that meets about this and understands the cybersecurity risks for the company,” says Mitchell. “And reach out to your consultants in advance – forensic specialists, a PR firm and a law firm with a cybersecurity specialty for starters. These external resources should be lined up in advance, or it’s ‘Oh, well, we can talk to you in two to four weeks. We’re just that booked.’”
About the Author(s)

Bill Hayes

Bill Hayes is the editor in chief of Private Company Director.
