Cybersecurity is an ongoing issue, with a steady stream of recent news about attacks and companies suffering losses. While security threats will continue, what is surprising is that despite repeated warnings, many companies still do not have adequate planning in place. It is essential to elevate the conversation and the focus to the board level, and then to make certain that a company can react in the face of an attack, whether internal or external.
Recently, a series of articles and blogs about the discovery and development of new malware has been circulating in the media. Beyond cybercrimes at public utilities, hacker attacks by recognized groups, such as Anonymous, have been targeting private companies for years, putting bank accounts, financial markets and personal privacy at risk. There are also myriad stories of data loss in the news: Card Systems is out of business after 40 million customers were potentially exposed; TJX stores incurred a large financial impact after 45 million customers had their credit card accounts exposed; Bank of America had 1.3 million people exposed due to a missing backup tape; Eli Lilly disclosed confidential information in an email to approximately 700 people regarding Prozac; and more than 6 million LinkedIn passwords were stolen. Such events create the potential for losses by the consumer, which triggers a chain reaction at the affected companies involving costly public relations, increased audits, the need for additional resources, and improvements in technology. Most importantly, it also diverts the management team's attention away from core business developments.
Despite the evidence and damage of cyber attacks, many companies still have no plans or resources allocated to deal with information technology security. As the former CIO of a company that suffered a significant attack years ago rightfully suggests, "you only get enough attention after it happens." Clearly, companies have finite resources, and the CEO must weigh the costs of investing in security versus the costs of other initiatives. However, after a serious data breach, the ultimate cost is much higher.
Companies can avoid major crises with the right level of investment and leadership. One of the most overlooked aspects of information security is that the majority of incidents occur because of human behavior rather than because of the technology itself. As a result, most of the required investment will be in defining new policies and procedures, and in training and awareness programs that will prevent such incidents from happening; such investments are usually more affordable than new technology.
It is critical that CEOs, in partnership with their CIOs, elevate the discussion on information security. Return on investment for security projects is almost impossible to calculate, but CEOs can make more informed decisions, and protect the company's integrity and brand, by discussing the following points with their CIOs or security officers:
Cybersecurity on the board's agenda
The discussion of cyber security is critical to risk management and therefore must be a topic of discussion at the board level. Allocating funding, developing a response plan, and performing an external audit should have board oversight and must be on each company's board agenda.
The right level of funding for security initiatives
Funding all security initiatives can be time-consuming and costly. CEOs need to focus on projects that ensure the organization maintains adequate levels of control: controls that guarantee it consistently performs the documented activities, meets the regulatory compliance requirements it is exposed to, reduces the organization's reputation risk by keeping it out of the media, newspapers and blogs, reduces ongoing audit issues, and finally, ensures acceptable and clear recovery procedures.
The response plan for a cyber attack
Despite concerted efforts to protect themselves, organizations are always at risk of suffering some type of cyber attack. The management team, in cooperation with the board of directors and the audit committee, needs to ensure there is a well-documented, actionable, understood and tested response plan. Organizations need to protect their customers and clients, and most importantly ensure a trusted relationship, which can easily be damaged when products or services become unavailable or a data breach is poorly handled.
The external information security audit
It is highly recommended that organizations execute a yearly information security audit by external providers and in partnership with the CFO and the audit committee. However, it is critical that results are thoroughly reviewed, ownership assigned and progress constantly monitored. The audit should also provide a benchmark against competitors and an understanding of the organization's position on the adoption curve for security technologies.
Top CEOs need to take the time to understand the risks related to information security and ensure that appropriate responsibility is designated for mitigating these risks. Additionally, companies need to develop and cultivate a security procedure. A recent report by Verizon suggests that 97 percent of data breaches last year were avoidable. In general, people think of cyber attacks as highly sophisticated, but the reality is that many companies have not yet taken the basic steps to lock their own front doors.
Information security has always been important to General Atlantic, both from an investment perspective as well as in supporting our portfolio companies' security initiatives. For further discussions on information technology security, please contact your GA team.
Contributed by Mauro Bonugli, a Vice President in GA's Resources Group.