The conversation on cyber security is all the rage: Dealing with the threat should rightfully be at the top of the board agenda. The irony of this will not be lost on boards. On the one hand, their companies are being exhorted to embrace all things digital, or risk having their business disrupted. On the other, the fewer the sheets of paper that clutter office desks, the greater the cyber threat. This is the unfortunate reality, but companies have no choice but to keep chiselling away.
If companies are not doing more, it is because they view it as an IT issue — and not a business issue. This mind-set needs to change, and will happen only when boards understand its substance.
First, the hackers are moving faster than the defenders. Marc Sorel of McKinsey, a consultancy, validates this in terms of the growing time gap between “time to exfiltrate (get in and obtain what the hacker is after)” and “time to quarantine (stopping the hacker once it is known the hacker is in the system)”.
Two, as more and more of the economy gets digitised, the cyber threat goes up exponentially (this may explain both the interest and the role that state-sponsored players have been taking in malware). At a firm level, as a larger portion of the supply and distribution chain gets digitised and linked to the company’s operations, the more vulnerable it becomes to cyber threats.
Some readers may be familiar with the story about two men walking through a forest, when they suddenly see a bear in the distance, running towards them. They turn and start running away. But then one of them stops, takes his running shoes out of his bag, and starts putting them on. When asked whether he thinks he will run faster than the bear with these, he replies, “I don’t have to run faster than the bear, I just have to run faster than you.” This brings us to the second aspect. Cyber attacks do not necessarily happen where the attacker can extract the maximum amount as ransomware, nor where the data is most sensitive, but where the systems are weakest. The WannaCry virus first attached itself to a UK hospital, before it spread.
John Wanamaker, a department store owner, is believed to have remarked, “Half the money I spend on advertising is wasted; the trouble is I don't know which half.” As boards begin to get their arms around cyber security, and sign off on cyber security budgets, they will no doubt be similarly troubled by whether they are prioritising spending in the right area. And as boards wrestle with their budgets, the nature of the threat implies that even companies that have progressed in setting up strong defences need to keep running to stay in the same place.
Many boards continue to feel uncomfortable (or fearful) in dealing with cyber risks vis-à-vis some of the other risks the company faces. The best way to get over this fear is to familiarise themselves with the risks and the response (digital resilience). Hiren Shah, a cybersecurity expert, and president and mentor of Net-Square, suggests that “just as lawyers or chartered accountants are on a board because they bring in some expertise, have someone who has run an IT department on the board or at the very least have someone with the requisite knowledge as an advisor to the board.”
It is important that issues regarding cyber security are reported to the board and, more frequently, to the risk committee. Depending on a company’s digital strategy, having a separate cyber risk committee is also an option that needs to be deliberated. Direct oversight by the board will ensure that companies have systems and controls in place. This also assumes that someone in the company is responsible for this aspect.
Needless to add, companies need to have thought carefully about the configuration of their IT infrastructure. Their preparedness against cyber attacks must be monitored continuously, and employees must have well-defined access rights and be trained in best practices.
Finally, the board should not assume that just because they have built a firewall, and discussed it at every board meeting, they are protected. They need to have an emergency plan in place regarding how the company will respond if an attack is underway (the chance of which is very high), including a business continuity plan and how to recover as quickly as possible. This includes identifying external vendors and the role they will play, testing disaster recovery, and identifying alternate means of communication.
In several markets, companies are regulatorily expected to disclose when they have faced a cyber attack and the implications (or damages) of such an attack. In India, this is yet to take place. But as law enforcement increases its attention on cybercrimes, it is not unimaginable for capital market regulators to step up their focus on cyber security.
Till this happens, boards should debate the merits of voluntary public disclosures. No company is fighting this battle alone: each security breach risks spreading beyond a company’s boundaries, and each solution strengthens the digital environment.
The writer is with the Institutional Investor Advisory Services of India