Getting Chief Executives to Take Cyber Risks Seriously

Amy Aixi Zhang is a project coordinator at the Berkman Klein Center for Internet & Society.

U.S. companies and government agencies suffered a record 1,093 data breaches last year. These hacks exposed personal information ranging from social security numbers to account credentials. Monetary costs for breaches are expensive; beyond the harm to personal privacy, company reputation, and loss of consumer trust, an IBM study estimated the total cost per data breach for a company to be around $4 million.

To mitigate cyber threats, companies need to invest in data loss prevention controls and cybersecurity strategies.

Properly assessing these risks and allocating resources require informed decision-making by a company’s leadership. Although some companies have hired dedicated security teams, security is no longer the exclusive responsibility of chief information security officers (CISO) or IT departments. Instead, CEOs and board members must initiate organizational improvements if companies are to protect themselves.

To convince board members and CEOs to act, they must first be convinced of the acute consequences of failing to implement proper cybersecurity measures. Cyber threats target a variety of information across all sectors. Hackers in 2013 stole payment information of up to 40 million Target customers. In 2014, the Sony Pictures compromise exposed tens of thousands of embarrassing email exchanges between actors and executives, a data breach that ultimately cost the company approximately $100 million. Then in 2016, Yahoo revealed that over one billion Yahoo user accounts were compromised.

The media’s coverage of these incidents have raised awareness, yet a recent Harvard Business Review study revealed that most board directors are still not ready to confront cyber threats. Few board directors ranked cybersecurity as one of the most important challenges. A recent cybercrime survey found that three quarters of businesses do not involve their full boards of directors in cybersecurity oversight. This misalignment should be remedied before companies can properly implement a defense strategy.

Once the danger is realized, most company directors will find that they lack the processes and expertise to adequately address cyber threats to their business. Of course, guarding against every avenue of potential attack is neither feasible, nor cost-effective. Here again, chief information security officers and IT departments are important, but CEOs must acquire a baseline level of technical knowledge to competently defend their businesses.

To start, Verizon’s 2016 Data Breach Investigation Report identified the nine most common types of data breaches: miscellaneous errors, insider and privilege misuse, physical theft and loss, denial of service, crimeware, web app attacks, point-of-sale intrusions, cyber espionage, and payment card skimmers. Reviewing the relevant industry, and targeting resources to mitigate the most likely risks would be a major step for board members.

At the same time, multiple educational institutions are building executive education programs that address this specific knowledge gap for CEOs. Attending a cybersecurity course could provide CEOs with the tools with which to develop a cybersecurity strategy.

Armed with new knowledge, CEOs will be better equipped to demand regular cybersecurity briefings from their CISOs on the effectiveness of the company’s risk management systems. One trend is encouraging. A survey by research and advisory firm Gartner revealed that 100 percent of large enterprises will be asked to report to their board of directors on cybersecurity and technology risk at least annually by 2020, which is an increase from 40 percent in 2015.

Organizations and government agencies with more cybersecurity experience have published reports of lessons learned, and guides listing critical questions CEOs must ask when assessing risk. Numerous reports exist that lead boards through a checklist of best practices for strengthening defenses, including educating employees, creating processes for monitoring, detecting and responding to breaches, and auditing suppliers and partners’ products and applications.

In the aftermath of recent cyber incidents, many company leaders were held personally accountable for the failure to prevent the breaches. After a board investigation found that Yahoo Chief Executive Marissa Mayer had failed to “properly comprehend or investigate” the breach, she was issued a pay cut. Other executives have faced more severe blowback: Sony Pictures Entertainment co-chairwoman Amy Pascal was forced to step down after its data breach. And though Target had implemented sophisticated defenses, its board of directors removed its Chairman, President, and CEO Gregg Steinhafel—a 35-year company veteran—five months after the breach was made public.

If these stories do not frighten CEOs into action, then they should also know that consumers and users rely on companies to protect their data and guard against cyber risk. It will be up to the boards to educate themselves and ask their teams to prioritize cybersecurity strategies to ensure success in this new digital environment.