Gangs of international government-backed hackers and organized cyber criminals aren't just a headache for IT departments. Boards have to deal with mounting legal, regulatory and business concerns that follow breaches.
TheStreet's founder Jim Cramer conducted a panel on cybersecurity concerns for boards at sister publication The Deal's 2017 Corporate Governance conference.
"Every corporation today is under attack all day long, every day," Proofpoint (PFPT) CEO Gary Steele said. With a dizzying pace of innovation by cybercriminals--a new strain of ransomware appears every two to three days--Steele said that boards have to remain vigilant. "Everyone is a little numb," he said.
Even social media can present vulnerability. "Attackers understand where people are hanging out," Steele said. Banks, for instance, can use social media for customer outreach. "Bad actors will take over social over night and steal banking [information from users]," he said.
As part of their succession planning, he suggested, boards should bring new board members with cyber security experience and set up a committee to weigh defenses.
Boards should also develop a playbook for how to respond to breaches. "You shouldn't be figuring it out on the fly," Steele said. "Everybody has a playbook [for what to do] if their CEO gets killed."
Editors' pick: Originally published June 5.
A ransomware attack like the WannaCry outbreak that ravaged companies across the globe last month can put companies in a difficult position. Pay up in Bitcoins, the currency of choice for ransomware extortionists, or suffer from lost data and crippled networks.
Ransomware has become so prevalent that some companies are all too ready to pay. "Companies are proactively building up their Bitcoin [holdings] so they can pay up," Citrix Systems (CTXS) CEO Kirill Tatarinov said.
Directors need to recognize cyber security as a "core ingredient of corporate risk management," Tatarinov said. Citrix has its Chief Security Officer present to the board at every meeting.
Security compliance rules can give boards a false sense of security, root9B Holdings (RTNB) COO John Harbaugh explained. "Everybody is in the mode of, "if I'm compliant, I'm good enough,'" he said.
Companies can break out of complacency by having some members of their security team simulate attacks, CyberArk Software (CYBR) Chairman and CEO Udi Mokady suggested. "Part of the solution is thinking like the attacker," he said.
When boards plan for breaches they have to understand that attackers don't necessarily come from overseas. Former employees, especially tech staffers, can break into systems. "If they leave they have many back doors to come back in," Mokady said of former IT employees.
While banks and other financial services firms were once the primary targets, cyber criminals have found value in other sectors. "A health care record is much more valuable than a credit card," Mokady said.
Given the massive scale of global hack, part of the prescription for cyber security is containing breaches when they inevitably occur.
"You can catch a cold but it doesn't have to kill you," Mokady said.
Click here for the latest business headlines.
More From The Deal's corporate governance conference:
- 'I'm All Ears': The Secret to Trian's Success With Corporate Boards
- Every Corporation Today Is Under Attack All Day Long from Hackers, Proofpoint CEO Tells Jim Cramer
- What Snap's Unusual Structure Says: 'I'm a Genius and Leave Me Alone to Let Me be a Genius'
- Premium: Former Starwood CEO Talks Digital Disruption
- Premium: Bank Deregulation May 'Eviscerate' Voice of Smaller Stakeholders