Between the most recent revelations around Facebook’s failure to protect consumer data and the details still emerging from Equifax, there is no shortage of data breach case studies. Although the Equifax breach was publicly disclosed last summer, bad news continues to surface. In early March, the company announced that, in addition to the 145.5 million Americans already affected, a further 2.4 million potentially had their names and driver’s license numbers stolen, bringing the company’s estimated total cost to an astounding $435 million. From a leadership perspective, this never-ending stream of bad news raises a good many questions: who is overseeing operations, what procedures have been followed, and why the number of consumers affected keeps growing.
These are important questions that deserve answers. But they shouldn’t only be put to Equifax. If the past few years have shown us anything, it’s that there is no industry and no organization that is not subject to threat. From manufacturing and retail to schools and nonprofits, every institution, no matter its size, can expect to experience a breach of some kind at some point.
This reality has serious implications for board leadership. The role of a board of directors is, at its core, to protect shareholder value and to do all it can to mitigate risk for consumers and shareholders. Most boards are cognizant of, and actively confront, market risk, competitive risk and management risk. But in my experience, very few boards see cybersecurity as an area in which they need to exercise oversight and governance, and for the most part they leave the issue to management.
It’s a responsibility they need to start shouldering, and soon. In a few short weeks, the European Union will begin enforcing GDPR, a new set of data privacy regulations that applies to any organization, wherever it is based, that processes the personal data of people in the EU. Failure to comply can cost companies millions in fines (the regulation allows penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher). Shareholder and consumer activists are increasingly looking to boards to take the lead in this area, and any failure to fully consider and prepare for a breach can and will be held against board leadership. What’s more, thanks to the mob mentality that social media often feeds, such activists can easily take to online platforms and make their grievances known. Without the proper precautions, a company’s reputation and brand can be destroyed within a matter of days, even hours.
The good news is that there are many steps boards can and should take to prepare for a breach. But the most important step is the strategic one: putting your heads together and taking stock of your assets. This means stepping into the mindset of a data thief. What does your organization have that a criminal might want to gain access to?
For some boards, the answer to this question is obvious: many companies hold extremely sensitive information, such as Social Security numbers, employee login credentials, medical records and credit card numbers. For others, the answer is far less obvious and far more complex. If you’re a retailer or services provider, what marketing strategies do you have that a competitor could exploit? If you’re a brokerage firm, are there business plans or trading algorithms that have contributed greatly to your success? If you’re a designer, developer or innovator, is there intellectual property that thieves could sell or pass off as their own?
Once you’ve identified your most significant assets, determining the practical steps you can take to secure them becomes far easier, whether that means improving everyday digital hygiene or retaining an external forensics team or incident response firm so that you’re prepared if the worst happens. Some companies have even restructured their leadership hierarchy, bringing the CISO out of the IT department and onto the CEO’s staff. Others have created a board committee for security and privacy oversight, adding an extra layer of specific cybersecurity accountability.
These are important conversations for leadership to have. Not only will they help your organization prepare for the inevitable breach, but they also give it a chance to exercise the kind of leadership and accountability our country so desperately needs. The 2018 Edelman Trust Report found that while trust in almost every major institution in the U.S. has plummeted, consumers and citizens are nevertheless increasingly looking to NGOs and businesses to provide ethical leadership. Fifty-nine percent of respondents said the government was the “most broken” American institution, whereas only 7 percent said business and 4 percent said NGOs. Conversely, when asked which American institution was most likely to create a better future, 29 percent said NGOs, 22 percent said business and only 15 percent said government. Most notably, almost two-thirds of respondents worldwide said that businesses should work to effect change rather than rely on government to implement it.
Prioritizing cybersecurity gives leaders the opportunity to demonstrate exactly this kind of commitment to change. Many organizations are looking for new and innovative ways to give back to society and make a difference, whether through charitable partnerships, volunteer opportunities or major donations. But at the end of the day, simply taking responsibility for the information consumers have entrusted to your organization will go much further in restoring trust than a new charitable initiative. By making cybersecurity a board priority in the coming year, you can set your company on solid footing, equipping management to protect consumer data and preserve public trust for years to come.