The art of corporate cyber security is not to prevent people from breaking in; it is to prevent them from breaking out with what they came for.
Boards of directors should not obsess about the technology; they should think about the behavior of human beings.
The best way to protect corporate information is to think about access. Since doing business will in the future involve substantial exposure to electronic storage of data, how should you think about cordoning information off so that the wrong people do not have access in the first place?
These were among the issues highlighted by an expert cyber panel at this Tuesday morning’s conference in Waltham sponsored by the New England Chapter of the National Association of Corporate Directors. Speakers included Matt Moynahan, CEO, Forcepoint (the second largest cyber security company in the world); Retired Coast Guard Rear Admiral Mary Landry (formerly a White House Advisor and now a Corporate Board Member); Special Agent David Farrell of the Counterintelligence Branch of the Boston Office of the FBI; and Tom Reagan of Marsh Financial (the New York office, which advises and insures companies against cyber risk).
What should directors do? Mostly, they should think. Do not get buried in the details of a report from your IT Department; it does not matter how many emails have been reviewed and how many phishing efforts have been caught by electronic defenses. Bad people will get into your system. Have you thought about what you most want to protect, and have you thought about which people might have access to it, and have you asked company management to report on the steps they have taken to prevent insiders and outsiders from being able to reach and export this information?
A sobering takeaway: According to Moynahan, in spite of the billions spent on cyber security, hackers enjoy a 95% success rate in breaking in, and 80% of data breaches are caused by one’s own employees, either through malice or through their credentials being stolen and used for entry.
I had the pleasure of moderating this panel discussion, and will be pleased to receive your comments on cyber security and the role of the board of directors.