Is cyber security on your board's agenda?

Companies view it as an IT issue, not a business one

Amit Tandon
Last Updated : Jun 20 2017 | 11:41 PM IST
The conversation on cyber security is all the rage: Dealing with the threat should rightfully be at the top of the board agenda. The irony of this will not be lost on boards. On the one hand, their companies are being exhorted to embrace all things digital, or risk having their business disrupted. But the fewer the sheets of paper that clutter office desks, the greater the cyber threat. This is the unfortunate reality, but companies have no choice but to keep chiselling away.
 
If companies are not doing more, it is because they view it as an IT issue, not a business issue. This mindset needs to change, and that will happen only when boards understand its substance.
 
First, the hackers are moving faster than the defenders. Marc Sorel of McKinsey, a consultancy, validates this in terms of the growing time gap between “time to exfiltrate (get in and obtain what the hacker is after)” and the “time to quarantine (stopping the hacker once it is known the hacker is in the system)”.
 
Two, as more and more of the economy gets digitised, the cyber threat goes up exponentially (this may explain both the interest and the role that state-sponsored players have been taking in malware). At a firm level, the larger the portion of the supply and distribution chain that gets digitised and linked to the company’s operations, the more vulnerable the company is to cyber threats.
 
Some readers may be familiar with the story about two men walking through a forest, when they suddenly see a bear in the distance, running towards them. They turn and start running away. But then one of them stops, takes out his running shoes from his bag, and starts putting these on. When questioned whether he thinks he will run faster than the bear with these, the first one replies, “I don’t have to run faster than the bear, I just have to run faster than you.” This brings us to the second aspect. Cyber attacks do not necessarily happen where the attacker can get the maximum amount through ransomware, nor where the data is most sensitive, but where the systems are weakest. The WannaCry virus first attached itself to a UK hospital, before it spread.
 
John Wanamaker, a department store owner, is believed to have remarked “Half the money I spend on advertising is wasted; the trouble is I don't know which half.” As boards begin to get their arms around cyber security, and sign off on cyber security budgets, they will no doubt be similarly troubled by whether they are prioritising spends in the right area. And as boards wrestle with their budgets, the nature of the threat implies that even companies that have progressed with regard to setting up strong defenses need to keep running to stay in the same place.
 
Many boards continue to feel uncomfortable (or fearful) dealing with cyber risks vis-à-vis some of the other risks the company faces. The best way for a board to get over this fear is to familiarise itself with the risks and the response (digital resilience). Hiren Shah, a cybersecurity expert, and president and mentor of Net-Square, suggests that “just as lawyers or chartered accountants are on a board because they bring in some expertise, have someone who has run an IT department on the board or at the very least have someone with the requisite knowledge as an advisor to the board.”
 
It is important that issues regarding cyber security are reported to the board and more frequently to the risk committee. Depending on a company’s digital strategy, having a separate cyber risk committee is also an option that needs to be deliberated. Direct oversight by the board will ensure that companies have systems and controls. This also assumes that someone in the company is responsible for this aspect.
 
Needless to add, companies need to have thought carefully about the configuration of their IT infrastructure. Their preparedness against cyber attacks must be monitored continuously, and employees must have well-defined access rights and be trained in best practices.
 
Finally, the board should not assume that just because they have built a firewall, and discussed it at every board meeting, they are protected. They need to have an emergency plan in place regarding how the company will respond if an attack is underway (the chances of which are very high), including a business continuity plan and how to recover as quickly as possible from this. This includes identifying external vendors and what role they will play, testing the disaster recovery, and identifying alternate means of communication.
 
In several markets, companies are expected by regulation to disclose when they have faced a cyber attack and the implications (or damages) of such an attack. In India, this is yet to take place. But as law enforcement increases its attention on cybercrimes, it is not unimaginable for capital market regulators to step up their focus on cyber security. Till this happens, boards should debate the merits of voluntary public disclosures. No company is fighting this battle alone: Each security breach risks spreading beyond a company’s boundaries and each solution strengthens the digital environment.
The writer is with the Institutional Investor Advisory Services of India
 Twitter: amittandon_in

Disclaimer: These are personal views of the writer. They do not necessarily reflect the opinion of www.business-standard.com or the Business Standard newspaper