With cyberattacks becoming more commonplace and costly and GDPR having introduced harsher penalties for data breaches, boards are under greater pressure than ever before. Investors are increasingly demanding that directors oversee cybersecurity risks, while regulators are threatening to hold them to account. A cyberattack, therefore, may not only damage a company’s reputation, but that of its directors too if they are found to be personally liable. As if that weren’t enough, CEOs and their teams are being preyed on directly by cybercriminals using ever more sophisticated scams.
The number of business email compromise attacks grew by 226 percent in the final quarter of 2018, according to Proofpoint. Often known as ‘CEO fraud’, they involve emails purporting to come from a senior director and instructing funds to be transferred into a third-party account. CEOs and board members are among the key targets for such attacks, as they are the decision makers who hold the purse strings and whose details are openly available online.
Multiple lines of defence
In one case last year, the CEO of film company Pathe’s Dutch arm was sacked after authorising payments of over €19m ($21m) into a bank account in Dubai. Dertje Meijer and the company’s financial director Edwin Slutter believed they were acting on instructions from the company’s Paris headquarters and that the money related to an acquisition that was underway. Both lost their jobs but an investigation found that they were the victims of fraud and Slutter later filed for unfair dismissal.
Targeted attacks like this demonstrate the new reality of the cyber landscape. No matter how much IT teams shore up their defences, they can only hold the line so far. As cybercriminals are well aware, it is people who are the weakest link. Many of the biggest security breaches are now due to human error or insider threats, rather than technical failures.
It is clear that cybersecurity is no longer just an IT issue – it must now be recognised as a company-wide challenge, and one that needs to be overseen at the highest level. Dealing with threats like these requires a more co-ordinated approach than before. Firewalls and anti-virus software are critical, but companies also need to have the right policies and staff training programmes in place.
Take those spoof CEO emails, for instance. While the IT department can take steps to stop them reaching an individual’s inbox, directors and staff will need to be aware of the risk and know what to look out for. Companies should have a process for reporting suspicious emails and – because criminals are becoming more cunning and it may not be possible to prevent every attack – they should have measures in place to minimise the impact.
Of course, cybersecurity is very much a new field for most directors and a recent report from the UK Government found that even boards at many big companies are unsure of its implications. The Cyber Governance Health Check 2018 found that only 16 percent of FTSE 350 boards showed a “comprehensive understanding” of the potential disruption and financial impact resulting from cyberattacks.
As cyberthreats get too close for comfort, it is critical that CEOs step into a discovery phase and bring themselves up to speed. They must familiarise themselves with the basics of cybersecurity so they are aware of the risks and can make informed decisions. Starting a dialogue with their technical team and working together to develop an integrated approach is a good first step.
A team effort
Cybersecurity cannot be left to one department, but depends on people throughout the business playing their part – from frontline staff to the finance and HR teams. Senior staff in all departments need to be aware of their cyber vulnerabilities, just as they are of their budgets. It is a good idea to create a framework that brings together all cybersecurity defence tools, such as malware protection, browser software and patch tools, with other security procedures such as staff training and the granting or removal of access rights.
Having comprehensive policies and procedures in place and ensuring everyone understands their roles and responsibilities is vital, as is keeping records for compliance purposes. It is also important to have monitoring in place and a system of alerts – for example, if patches have not been applied, or other procedures have not been carried out. Carry out regular audits and try to achieve a recognised standard such as Cyber Essentials or ISO/IEC 27001:2005.
As cybercrime becomes more complex, CEOs need to lead the fightback. Only if boards work with IT teams to develop a coordinated approach will companies be in the best possible position to defeat the growing threat.