Major cyberattacks against organizations of various sizes seem to happen on a regular basis now. On Dec. 14, Yahoo announced the largest-ever data breach, involving around 1 billion customer accounts.
Despite the scale and harm of such attacks, there is wide recognition that corporate leaders, especially boards of directors, are not taking the actions needed to protect their companies from them. It is not just a matter of finding the right cyber-defense tools and services, but also one of management awareness and security acumen at the highest level, namely corporate boards.
“Our country and its businesses and government agencies of all sizes are under attack from a variety of aggressive adversaries and we are generally unprepared to manage and fend off these threats,” said Gartner analyst Avivah Litan, a longtime cybersecurity consultant to many organizations.
“Some organizations do a better job than others, but those efforts are almost always led by CIOs, CISOs or business line managers and not by corporate boards, CEOs and executive management throughout government and the private sector,” Litan added.
Litan said what is needed is a national response and cyber protection plan, but she fears that the federal government is “way too fragmented and politicized to make any real progress towards the execution of this goal.”
Threats against national infrastructure, including the electricity grid, are “enormously serious,” she added. “Unless senior executives, corporate boards and other senior stakeholders get their act together, the threat actors will continue to win. I’m not sure how many more wake-up calls we need in this country.”
Litan’s worries appear to be shared in some quarters of the corporate governance community. The National Association of Corporate Directors (NACD) recently released a survey of more than 600 corporate board directors and professionals which found that only 19% believe their boards have a high level of understanding of cybersecurity risks. That is an improvement from 11% in a similar poll conducted a year earlier.
The survey also found that 59% of respondents find it challenging to oversee cyber risks. The nonprofit NACD, which has 17,000 members, is working with security awareness firm Ridge Global and Carnegie Mellon University to establish a Cyber-Risk Oversight program to educate corporate directors about the systemic risks of cyberattacks.
Litan agrees that education is important, but she also supports state and federal laws requiring organizations to report cyberattacks, so that customers and partners know to change passwords and take other steps to protect sensitive data.
At the federal level, a number of U.S. senators have backed breach notification bills, but none has passed Congress. President Barack Obama proposed such legislation in 2015.
With the January inauguration of Donald Trump as the next U.S. president, it remains unclear whether a federal breach notification law will take effect in the next four years, or longer.