By Joshua Lawton-Belous
Let’s face it, for many of us who have sat on a company board before, regardless of if it was for a large corporation or a startup, the last thing on any of our minds was “is our company’s cybersecurity posture sufficient?” That’s nothing to be ashamed about. Corporate boards have plenty of issues that are constantly presented to them and many of them are pressing. Some issues rise to the top for no better reason than the board and its members can be held liable if they are not taken seriously.
The massive negative economic impact of cyberattacks that have already occurred ($45B globally in 2018), combined with a skyrocketing trend in the cost of attacks ($5B in 2017 — a 400% increase from 2016), resulted in the SEC releasing cybersecurity guidance for publicly traded companies in 2018. In this guidance, the SEC describes the responsibility of a publicly traded company’s board, saying “… it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyberattack.”
However, while the cyberattacks against large, publicly traded companies might make a board member of a non-publicly traded company feel protected by being “too small” to be worth attacking, they are unfortunately mistaken. CNBC reported in 2019 that “cyberattacks now cost companies $200,000 on average, putting many out of business.” Furthermore, Accenture reported that 43% of all cybersecurity attacks in 2018 were against small businesses and only 14% of all small businesses attacked were prepared to defend against a cyberattack. Therefore, the risks to small businesses are even greater than they are to large, publicly traded companies: not only can the cost of recovering from a successful cyberattack be close to insurmountable, but many small companies that are vendors to larger companies also face the significant risk that a breach against them could mean the loss of a contract with that larger business.
Therefore, understanding that a successful cyberattack carries significant business and liability risks, let’s review six fundamental things the board can require of a business in order to mitigate the likelihood of a cybersecurity breach.
1. Do a privacy and control audit: Your business needs to know where its data is stored, how it’s being stored, and who or which organizations (third-party applications, vendors, etc.) have access to that data.
2. Create an access and control plan that limits employee access to data: Just as you wouldn’t let anybody in your company see your HR folder filled with employee contracts, there are some data repositories and systems to which employees should not have access. All too often, as employees move within or leave a company, their access to company data does not keep pace with what they actually need in order to do their work.
3. Patch your systems: While it might be annoying and time consuming to restart systems after they are patched, it is absolutely critical to keep your systems up to date. Unfortunately, an employee’s computer is often where the patching process fails — especially in the “work from home” environment. There are tools you can use to push and force a patch to a company computer, thereby mitigating its vulnerability.
4. Set up email filters to help prevent phishing attacks: You and your employees are the most valuable corporate assets, but also the most vulnerable to clicking on a malicious link. To mitigate this risk, you need to set up certain filters on your email servers. One way to do this is to use the Global Cyber Alliance’s DMARC Setup Guide.
5. Prevent your employees from going to malicious websites: Employees regularly use the Internet, whether for personal or work-related purposes. To that end, preventing them from reaching known and suspected malicious websites is paramount. A fast, easy (and free!) way to help keep an employee from accessing a malicious website is to use a managed protective DNS service, such as Quad9.
6. Use a resource that provides tools and guidance: Across the Internet there are different cybersecurity guidelines released by various bodies. Here at the Global Cyber Alliance, we have brought together the leading cybersecurity guidelines, along with instructions and free tools, to help secure your business against cybersecurity attacks.
The author, Joshua Lawton-Belous, is the Global Business Officer for the Global Cyber Alliance. You can connect with him on LinkedIn and follow him on Twitter.