In most organizations, the IT department oversees cybersecurity responsibilities. It's a logical designation: the technological know-how required to mitigate cyber threats from entering the organizational ecosystem is highly specialized and ever-evolving.
But this approach often leaves organizations exposed to unnecessary risk that can induce reputational harm, result in business downtime and even affect key organizational stakeholders, including executives and board members. While the IT and/or IS departments should be part of the cybersecurity gatekeepers in any organization, a broader approach will lead your organization to a much better outcome when—unfortunately, not if—a cyber incident occurs for the first (or, more likely, second) time.
Just as with other areas of organizational risk management, directors should include cybersecurity in their oversight responsibilities.
Developing a comprehensive and proactive Incident Response (IR) plan reduces the possibility of a painful postmortem, in which the board reviews what went wrong, what should have happened and how organizational damage could have been minimized.
While industries such as banking, finance, public sector entities and industries with significant amounts of high-value personal data have long been the target of cyberattacks, no sector or organization is now free from risk. Malware and ransomware attacks may not always result in sensitive data being accessed, but they present a high-value opportunity to threat actors.
Figure 1. Dark web sample.
T-Mobile is among the most recent high-profile companies to deal with ongoing cyberattacks. The telecom company has been attacked not once, but twice in 2023. In January, a cybersecurity incident exposed the personal data of more than 37 million customers. A more recent April incident affected 836 customers, marking the ninth data breach T-Mobile has experienced since 2018. From an organizational standpoint, this goes well beyond exposed data: T-Mobile had just settled a $350-million class action suit for a 2021 data breach, promising to invest $150 million to upgrade its data protection and the brand itself has been tarnished.
Data breaches, malware and other cyber threats may not be felt by consumers immediately, but they do quickly lead to a loss of consumer and employee trust.
So how can your organization improve incident preparedness and resiliency? From the top down.
Massive accelerations in technology, including cloud computing, employee remote access and even the apps and platforms used by customers, have exposed organizations to increased cyber vulnerabilities. This requires boards to also understand how this technology can expose their organizations to risk.
Board directors already understand the concept of risk as part of achieving strategic financial goals, but cyber risk needs to be viewed differently. It doesn't fit squarely into traditional risk management frameworks. It's ever-changing and hard to calculate. The best way to mitigate the risk is to establish an organization-wide plan with input and oversight by board members.
Cyberattacks can cause deep damage to an organization. From a strategic standpoint, it's a holistic issue that needs to be addressed at the board and C-suite level because a successful cyberattack can stop a business from operating, resulting in lost profitability, incurring significant recovery time and cost and creating significant collateral damage in the process. Think about that again: a cyberattack can stop a business from operating. Sit up and pay attention.
Most aspects of a cyberattack cannot be controlled, but a well-crafted incident response game plan starts with detecting and, where possible, stopping a cyberattack, then continues through the process, offering step-by-step guidance to mitigate negative effects, avoid common pitfalls and return to normal business operations.
Preparedness and proactive direction, created collaboratively with leadership and an incident response expert, are instrumental in limiting cyberattack damage. Having guidance and an established process in place takes the acute pressure off the executive team as well as the incident response team addressing the issue. The worst time to start creating a plan to address a cyberattack is in the throes of an incident.
Although Board members typically have significant financial prowess, they are often unfamiliar with technology and cybersecurity issues. This lack of cyber literacy is not uncommon, especially with the speed at which technology advances. Board members are often chosen for their leadership, financial and executive decision-making experience, not their technological and operational knowledge of cybersecurity risk.
Without this background and expertise, board culture may default to a more hands-off approach to organizational tech direction.
There are three easy ways to create better engagement from board members in cybersecurity concerns:
Internal cybersecurity teams are constantly disseminating outside information in an effort to keep the organization safe from cyberattacks—this approach also works well in engaging board members. Use outside resources, including third-party experts, law enforcement personnel and even input from members of organizations that have dealt with cybersecurity attacks to improve your board's knowledge of the issues. External specialists can also provide guidance and augment limited knowledge at the board level.
Many underestimate the value of having Board expertise with years of cyber risk management experience, opting instead to have existing Board members attend a lecture or two and assume they have the knowledge it takes to expertly help the Board consider true risk.
I recently had a Board member ask me directly, “How can I get up to speed on cyber risk so my Board has that expertise? Watch Tik Tok videos?” The answer to that is no.
When you're looking for new Board members, how much financial or executive experience do you look for? Someone who took a couple of classes? Or someone who has been involved for years?
Consider the benefit of Board members with experience in the cybersecurity industry.
Live demonstrations of how the organization's cybersecurity works, or tabletop exercises, can help provide a framework for understanding. What may seem confusing on paper or in a presentation will be much more relevant if board members can see it in action. Tabletop exercises also present a terrific platform for engaging with the tech team and creating a supportive relationship as part of the IR plan development. Instead of generic directives, board members will be better able to create a plan that is practical and makes sense in action.
The more board members can engage with relevant cyber information, the better leadership and guidance they will provide to the organization in crafting a solid IR plan. It will help them challenge processes and ideas, making the plan stronger and more resilient in addressing the unknowns that will occur.
ZeroDay Law can assist organizational board leadership in developing an IR plan that mitigates the damage caused by cyberattacks. We have deep experience in cybersecurity law and corporate incident response management – from helping prepare to directing the response effort when an incident hits. We ensure that our clients are prepared for more than the IT-related components of a cyber incident by creating a comprehensive plan that includes the right strategic, legal and operational response for each unique organization.
Contact us to learn more about how we can help your organization.