Mid-way through the National Association of Corporate Directors breakfast held in Newton this week, former Boston Police Chief Ed Davis, now a security consultant, held up a picture of someone with a long Russian name. “$3,000,000,” intoned Davis. “The FBI is offering a $3,000,000 reward to catch this man. He is a cyber-thief, stole $100,000,000 using the Zeus malware. $1,000,000 more reward than the FBI paid for Whitey Bulger!”
The number of programs discussing cyber-crime has so proliferated, and the number of articles grown so voluminous, that it is almost possible to become jaded by the onslaught. On the other side, however, the newspapers are constantly filled with stories of ever-escalating breaches of security systems, causing chaos, economic loss, and reputational destruction for the businesses and institutions suffering these incursions.
Some key take-aways from the NACD program, according to Davis and Greg Touhill, the retired Brigadier General who runs the cyber security system for the Department of Homeland Security (our government’s top gun in the war on cyber-crime):
Cyber-crime is not an IT issue; it is an enterprise risk management issue. The key to a robust system is severalfold: keep your physical space secure, train your key people and keep that training current, and keep the technology current by constantly applying patches and software updates as they are issued.
There are lots of resources available to help you: consulting experts; a framework for a cyber-security infrastructure published in 2014 by NIST; consultative help available from the Department of Homeland Security itself (charged in the 2002 Homeland Security Act with protecting the nation’s infrastructure and operating sixteen “centers” which provide information and on the scene consultative services for companies); a handbook for boards published in 2014 by the NACD itself (Cyber-Risk Oversight: Director’s Handbook Series).
Cyber security is taking a major role in merger and acquisition work. Acquirors are carefully reviewing acquisition targets to determine the robustness of their data privacy and security. Deals fail based upon a failing grade; no one wants to acquire a major data leak. Representations and warranties concerning the quality of an acquisition target's cyber security are being heavily negotiated. After a merger takes place, failing to properly integrate the target's computer systems, insulate them, and test them for vulnerabilities has become a major problem.
A measure of the seriousness with which the Federal government takes this risk is the active involvement of: the Federal Bureau of Investigation (which enforces the Homeland Security mandate on protecting our infrastructure); the Secret Service, in investigating financial crime; and Immigration and Customs Enforcement, in protecting against intellectual property theft.
How serious is the IP risk? Leaking credit information and other personal identifiers is one thing, but when someone hacks into a movie company and downloads an as-yet-unreleased season of The Walking Dead, we are talking about serious business risk.
And finally: think about where your computer hardware is being manufactured. Domestic US computer designs are often shipped offshore to be manufactured and then shipped back. What, exactly, is going into that computer being assembled in China?
I am planning a full article on the best current thinking on cyber security for directors and businesses, culling the literature (which is full of scare stories) in order to end up with specific, actionable suggestions that will not break the bank. I expect publication in April and will announce access to that article in a blog post.