My friend Alex Auerbach, who owns the PR firm Alexander Auerbach & Co Public Relations and is a member of the board of directors of a public company, forwarded me an article from Boardmember.com about cyber risk and why corporate board members should be concerned about it. The article addresses a couple of types of cyber crime and the general lack of attention paid to cyber crime by corporate boards and executive management.
The article discusses the two main areas of cyber crime:
- Theft of customer and employee information for the purpose of identity theft
- Cyber corporate espionage for the purpose of obtaining competitive information and harming the firm’s revenue, profit and reputation
Both of these crimes are the result of individuals outside the organization hacking into the company's computer systems to obtain the desired information. As the article mentions, the first type of cyber crime, theft of customer information, is generally a one-time event in which the company is hacked and the data stolen, although it can happen multiple times. The second type tends to be ongoing in nature.
In addition, companies also need to guard against theft of data by internal employees, and those employees are not necessarily IT staff. With today's sophisticated communications, offsite workforce and IT-savvy employees, it is more important than ever that additional precautions are taken to protect corporate data.
As the article mentions, the majority of executives and board members do not give much thought to cyber crime, although that is slowly changing. Some of the reasons it is not on the radar for executives are:
1. They assume the IT department will take care of it.
While it is true that all good IT managers today address the basics, frequently that is not adequate, and there are holes in security that are not obvious. Most software systems will encrypt data generally recognized as critical, such as customer credit card numbers and employee SSNs, but there may be data in your systems that is critical to your company yet is not generally considered critical in nature. Also, many in-house developed applications are not designed to encrypt data in their databases. Finally, if data is extracted from systems and stored in an employee's spreadsheet or Access file, it will not be encrypted and usually is not even password protected.
2. They feel there is not much risk because no one would be interested in their data.
Cyber criminals are getting more and more sophisticated, and as larger companies secure their systems and data better, smaller mid-market companies become easier targets. Also, all companies have competitors, and in today's marketplace many are becoming more willing to pay for competitive intelligence. This is the biggest risk from internal employees, because they have a greater understanding of what data is important.
3. They are unaware of the growing magnitude of the risk and the potential cost of a loss.
Cyber criminals have become more sophisticated and the rewards have become greater, thus increasing the likelihood that any company can be a victim. With new laws regarding notification of breaches of customer and employee data, the administrative costs of a cyber crime are high. However, even given the high cost of reporting, the potential for loss from corporate espionage is greater still. What would the cost to your company be if key product secrets or strategies were made known to competitors or to the public?
So as executives and board members begin to put cyber crime on their radar, what can be done about it? Just like any other type of crime, cyber crime cannot be completely prevented; however, there are several steps that can be taken to reduce your chances of being the victim of cyber crime and increase your cyber security.
- Identify the most critical corporate data and focus on securing that data. For example, whatever is unique about your business, provides a competitive advantage or represents a large R&D investment should be protected in your systems.
- Perform an independent security assessment annually to identify risk levels. Many companies feel they are adequately protected yet have lapses in security. An independent audit by a cyber security firm can identify those lapses. Close the gaps that represent the biggest potential threat first.
- Purchase insurance to protect the company and limit liability for any breach. The majority of insurance companies today provide policies to protect against cyber crime. This is just as important today as standard property and casualty insurance.
- Perform background searches on all employees with access to critical data.
- Include IT executive representation on the board of directors. The inclusion of a CIO/CTO as either a member of or an advisor to the board will bring an understanding of cyber security options to that body.
Boardroom.com article ‘Is Your Company Prepared for Cyber Risk?’