Fight Cyber-Attacks With an Executive Risk Council

Posted 2013-05-15
executive risk council

By MacDonnell Ulsch

The simple truth is this: Cyber-attacks are increasing in number, as well as in intensity and impact—and no entity is immune. Companies large and small are targeted by nation-states and organized crime, as well as cyber-attackers associated with a dizzying array of social and political causes.

Companies often say, “Why would anyone target us?” At least, that's what they say before there's a breach. After the breach, there’s another question posed by every chief executive: “Do you think we have to report this?” The answer to this question is usually "yes"—at least, it must be reported to some person or entity.

The reporting may be to a state or federal regulator in the United States or to similar organizations in foreign countries where personal information is breached. In some cases, it may be necessary to notify the U.S. Securities Exchange Commission or the U.S. Department of Defense.

In others, banks or investors may need to be notified, and the breached company’s insurer is usually on the list. Or it may be necessary to report the breach to companies under contract with the firm, especially if it involves a breach of contract.

Attacks may be from nation-states and organized crime, or from disgruntled or former employees. The targeted information can be intellectual property, trade secrets, personally identifiable information (PII) or protected health information (PHI).

Trust and reputation are irrevocably linked: If you violate the trust, you compromise the reputation. Reputation is, arguably, any company’s most valuable asset. A breached company is usually not a bad company, but sometimes that's what hackers want everyone to believe.

Without trust, the information that is the fuel of the economic engines of commerce becomes a legal, financial, regulatory and reputation liability. Result: loss of market share, market preference and dominance; loss of shareholder and stakeholder value; and loss of investor confidence, which may result in the loss of geopolitical positioning and diplomatic power. And once trust is lost, it is hard to regain.

Breaches Evolve Into Extortion

At one time, hackers seemed to be content with denying service or access to a company’s transactional system, or stealing proprietary information. While they still commit these crimes, the evidence indicates that hacking has evolved considerably. 

One evolutionary tactic is a special cause for alarm: an increase in the use of child pornography and human trafficking in breaches, in which the extortion of a company or an employee may be involved. If a hacker wants to extort a company, what better way than to threaten to defame that company or executive with the taint of child pornography or human trafficking? If the extortion demand isn't paid, the brand faces the risk of being smeared globally. If it is paid, it's likely that the demands will continue.

Another scheme is a proximity threat. In this scenario, while a company is under attack, another attacker is attempting to trick that firm's employees into logging onto a fraudulent wireless network. The goal is to download keystroke loggers onto employee computers. If there’s a local accomplice, that could increase the possibility of a physical attack.

A third evolutionary hacker tactic is Website franchising. In these cases, attackers develop a Website using a stolen corporate brand. They attract visitors to the phony site and get them to create a profile with a logon ID and password.

Often, the unsuspecting Website visitors use their company-issued email address and private passwords. This gives the criminals confidential credentials, enabling them to sell or franchise the fraudulent site to other criminals and take a share of the revenue. This generates multiple revenue sources and also provides digital chaff to complicate criminal investigations.

Organizations that fail to adequately safeguard information will feel the pain: regulatory scrutiny; fines; civil and even criminal litigation; and the loss of market value, customer base, market dominance and reputation. The list is long, and the consequences can be costly.

Build an Executive Risk Council

What can companies do to protect themselves? Here is one recommendation: Build an executive risk council. It’s not a silver bullet for cyber-defense, but it does have significant value.

Such a council brings together affected parties. For too long, security has been perceived as either an issue of guards, gates and guns, or as an IT issue. While it is both, it is also more than that.

Look at the impact of a breach, and it becomes obvious who should be involved in an executive risk council. Although companies and situations vary, here is list of the departments and functions that should be represented on the council:

Legal: A breach, first and foremost, becomes a legal issue, potentially involving regulatory considerations, breach of contracts, civil litigation and even criminal prosecutions. So it is vital to include a legal representative. For smaller companies, especially those without in-house counsel, consider working with an external legal resource that’s knowledgeable of about information management and risk.

Risk: Some companies have a chief risk officer, but many that don’t have the chief financial officer serve in that role. Every breach results in a cost to the company—that’s a post-breach consideration. It is also important to have the CFO on the council because that officer can be influential in making budget available for preventative measures.

Security: Information security must contain three specific characteristics: physical security, technical or logical security, and administrative security. The regulators refer to these aspects of security, and each should have equal measure. In many companies, a wide gulf exists between physical security and technical and administrative security. This is a weakness that increases the likelihood of breach success, particularly when an intrusion involves physical penetration of the target company.

IT Infrastructure: Technology infrastructure is vital to the council because just about every activity the company engages in involves a computer, a tablet, a smart phone, the network, the Internet, servers, etc. IT touches everything, so be sure the CIO or CTO is included in the council.

Information and Records Management: Most environments currently are a mix of paper and electronic records, which magnifies the risk. So a records management executive should be included.

Business Continuity Planning/Disaster Recovery: BCP/DR is critical to the council, and the absence of their representative on the council may result in increased risk impact. BCP/DR should include issues such as workplace violence, terrorist attacks, natural disasters, utility outages and other factors.

Marketing and Sales: Although these functions are not often included in risk councils, it is important to remember that marketing and sales are intimately related to the company’s reputation. In the event of a breach, it is necessary to address this issue with customers.

Human Resources: Get the entire employee base onboard with the security message. HR is often the organization that has the greatest reach to all employees, so it needs to be part of the risk management and prevention solution.

Privacy: Someone on the council should have responsibility for making sure that information privacy is understood and that the associated policies are in place. Also, remember that privacy includes not only employee and customer information, but intellectual property and trade secrets as well.

Internal Audit: A representative from internal audit will add substantial value, making certain that the internal audit plan embraces the full scope and dimension of the risk. Also, the internal audit function has direct linkage to the audit committee of the board of directors.

Corporate Communications: Developing a media response plan before a breach takes place is fundamental and should be part of every company’s corporate governance initiative. If perception is reality, then perception should not be left for others to define, lest that become the reality.

Alliance Management: Strategic-alliance and joint-venture partner relationships are at risk in the event of an inadequately managed breach. Having an alliance management executive participate in the council allows for proper messaging (working with corporate communications) to the various companies that may have skin—and risk—in the breach.

Compliance: A compliance representative is critical, particularly if the breach involves PII or PHI. Depending on the size of the company, compliance may be part of the legal office. If not, someone from compliance will be able to convey to the council the regulatory requirements associated with managing data and what to do in the event of a breach.

Senior Management: The more senior the title of the executive sponsor, the better. For smaller organizations, it may be the CEO. But whether it's the director of internal audit, general counsel or CFO, the executive sponsor should have direct access to the board and to the executive management team. This is invaluable for budgetary approvals. A council member will have a strong understanding of the need to prevent breaches and reduce the impact of one.

The goal of an executive risk council is to reduce to the lowest degree possible the impact of a breach. The council needs to understand the fundamentals of cyber-threats, and how to defend against legal, financial, regulatory and reputation risk, and risk impact.

This forces the team to confront the impact of potential losses associated with a cyber-breach, such as loss of market share, sales, company value, market positioning and dominance, customer and alliance concerns, investor confidence and even insurability. While an executive risk council may not be a silver bullet against hackers, t it is a good starting point for building awareness where it counts.

All companies targeted by cyber-attacks face one great commonality: compromise of reputation, that is, reputation risk. The best advice is to always “think post-breach” and “act pre-breach.” An effective executive risk council can help reduce the impact of a potentially devastating cyber-attack, and maintain that ever-important bond of trust, which defines an organization's reputation.

MacDonnell Ulsch is the CEO and chief analyst of ZeroPoint Risk Research in Boston. He is the author of the book THREAT! Managing Risk in a Hostile World.