JUN 7, 2017
The Growing Burden of Cybersecurity on Boards
On Friday, May 12th 2017, a worldwide ransomware arsenal was unleashed. Named WannaCry (or Wanna Decryptor), it targeted computers running the Microsoft Windows operating system, encrypting data and providing helpful instructions on 'How do I pay' in Bitcoin cryptocurrency to get hijacked data restored. Just a few long hours later, WannaCry was inadvertently stopped in its tracks by a 22-year-old computer security researcher in England who began studying it that afternoon (inadvertently is the scary word here, by the way). However, much damage was already done in that short amount of time. And in one day, the cybersecurity topic was once again back on top. But this time the bar had been raised...
The technical portions of this story are undoubtedly captivating, with twists and turns including the rumored development of this plague by the NSA (and its subsequent leak by a faceless group called the 'Shadow Brokers'), the next phase of weaponized malware hatching and a whole host of other movie-ready flotsam and jetsam. But what happened in the background, out of sight? What were companies, both infected and uninfected, doing during all of this mayhem and fear? How were Boards mobilized? And what is this attack's legacy as it applies to leadership?
The implications of WannaCry are far-reaching on many levels:
- More and more time is being dedicated in the boardroom to the topic of cybersecurity. To some, this is detracting from the equally-important topics of strategy and governance.
- Increasing budgets are being allocated to cybersecurity in an effort to mitigate risk. These budgets are sometimes 'clawed-back' from other initiatives and can have an effect on Board unity.
- Notification and Escalation Policies Enacted (and revamped or created): Documented processes and assurances that when serious issues or allegations that could impact the finances or reputation of the organization arise, Board members will be notified in a timely manner. WannaCry not only forced notification, but also enacted rare instances of crisis management for infected as well as uninfected organizations.
- Some infected organizations had no choice but to delegate point to lower-level employees due to lack of cyber expertise and experience at the Board and C-level. This type of fragmented approach has the potential to undermine response strategy and fracture response alignment - think increased budgets, increased time, lowered reputation, etc.
- There is no doubt that the latest scourge of cyber attack sophistication will have an effect on response playbooks. The sheer size and scale of WannaCry has woken up many organizations and their Boards to the next level of attacks.
- The voracity of WannaCry, along with its long-term ability to have countless variants, has undoubtedly shocked some Boards into finally pulling the trigger on opening that technology/cybersecurity seat to assist in lowering risks as well as having presence in future breaches. Realistic Boards know it is not a question of 'if,' but 'when.'
Post-WannaCry, I've witnessed a slew of corporations issue mandates, somewhat mimicking an official audit, to their technology groups demanding assessments of policies, systems and procedures on their infrastructure in an effort to get further insight into what is commonly a 'check-the-box' risk assessment exercise. Legacy systems, which are prevalent in most established organizations, add a higher level of complexity to this exercise, especially since they typically fall into the unsupported realm. This undoubtedly could give an advantage to newer, less-established companies due to their lack of legacy systems, but when ransomware the size of WannaCry is unleashed, it has the potential to upend any company's operations, new or old, small or large - and many times requires the experience of outside experts. “We have experienced a large increase in organizations requesting cybersecurity guidance, planning and support following May’s WannaCry outbreak in their efforts to combat increasingly sophisticated malware risks,” stated Ondrej Krehel, CEO of LIFARS, a global digital forensics and cybersecurity intelligence firm headquartered in New York. “Cybersecurity efforts will definitely be a growing area of focus for many companies due to the increasing risks of ignoring potentially low probability, high-impact data breach instances.”
WannaCry's 'legacy' is far from a true legacy. A legacy assumes that something is over, completed, done. Don't be fooled. This is not the case. WannaCry is more of a 'precursor' than a legacy. It has once again fortified the need for adaptability and a change in leadership approach being applied to combat it. WannaCry should be considered an 'early adopter' in an upcoming long chain of more sophisticated attacks... and leadership as well as Boards need to be prepared - so they don't WannaCry.
What will you consider when creating your Board's cybersecurity strategy?
Reach out for help creating a solid Board cybersecurity strategy.
Mark A. Pfister
Chairman & CEO
Integral Board Group
About the Author: In addition to sitting on numerous Boards, Mark A. Pfister is a certified Board Director and advises public, private and non-profit boards in efficient and effective operations. He is the inventor of the 'Board as a Service' (BaaS) engagement model and an expert project/program manager frequently consulting on strategic global initiatives in their initiation and operational phases.......