Two articles in Bloomberg BNA today point to some of the reasons. First, a panel at the ABA Business Law Section spring meeting said that boards have a fiduciary obligation to assure a reasonable information technology reporting system for cybersecurity threats and breaches. They said that this can be an issue for some companies because “most directors cannot even spell IT”. Well, that’s direct.
The panel proposed a few questions that the board should be asking management such as “how have you prepared for a security incident?” and “how do we keep the business going if breached?” among others.
The article (subscription required) goes on to talk about cybersecurity insurance and it goes further than just cyber liability insurance.
The panel agreed that prevention is almost impossible, but how the board RESPONDS to a breach is just as important.
The panel contrasted the board at Target (characterized as “the board effectively fell asleep”) and Wyndham (the board held 14 meetings and the audit committee 16 to deal with the breach).
While the Delaware Chancery Court held that only a sustained or systematic failure of the board to exercise oversight will create liability, one panelist suggested that “Looking to see what other similarly situated companies are doing is important because that may become the standard of care”.
Boards can no longer say that they didn’t understand the risk and that is why they were not actively managing cyber risk.
The other article (subscription required) analyzed Verizon’s 2014 data breach report (available here).
Verizon says nearly a quarter of the people who get sent phishing emails open them and 11 percent proceed to download the attachments. This even includes fake emails from a bank asking them for a password.
In 2012, Columbia sent out (fake) phishing emails to 2,000 faculty, students and staff about a bogus iPad promotion. 176 of them opened the email and clicked on the link. The clickers were then told that their action made them very susceptible to phishing attacks.
Three weeks later, the school sent a second email to those 176 people and 10 of them opened the email and clicked on the link.
A few weeks later, another round of phishing emails and 3 people still opened them and clicked on the link.
Given it only takes one person to do that and infect the company, what are the odds that a large business can make sure that ZERO people open that email and click on the link, assuming clicking is even required.
Marcus Ranum, well known security consultant put it this way:
Ranum said it costs companies more in the long run to have to continually react to intrusions than it would to steer clear of threats altogether by putting more resources into better detection. “Your seat belt and air bags are great, and you’re stupid if you don’t use them,” he says. “But it’s smarter to avoid the semitrailer in the first place.”
Food for thought.