Cybersecurity Myths Continue to Plague Companies

Cloud technology security

(DGIwire) Cybersecurity is in the news daily due to high profile breaches at Sony, Target, Home Depot, and J.P. Morgan, among others. But even with the endless media commentary and onslaught of best practices memos from lawyers, directors are struggling inside the boardrooms of companies of all sizes where misinformation still reigns supreme with respect to cybersecurity.

Adam J. Epstein, former institutional investor, author, and founder of Third Creek Advisors, LLC, the country’s leading small-cap corporate governance advisory firm, narrows it down to five persistent myths.

  1. Cyber Breaches are Preventable. Not true. Cyber breaches are a matter of when, not if. In fact, as global cybersecurity icon Gov. Tom Ridge commented in a recent interview, chances are that your networks have already been breached – you just don’t know it yet. Effective cybersecurity is more about identifying corporate “crown jewels,” making it as difficult as commercially practicable for them to leave the building, and having a thoughtful, implementable plan for post-breach resilience.
  2. Cybersecurity is an IT Issue. Unfortunately, most boardroom cybersecurity oversight amounts to periodically inviting the head of IT to make brief presentations to directors showing that the company employs state-of-the-art firewalls and antivirus/anti-malware software; i.e., “IT has it handled.” Largely lacking in technology or security experts, many boards collectively exhale upon hearing the reassuring IT update. But cybersecurity is only partially an IT issue. It is also a corporate culture issue, an employee training issue, a physical security issue, a BYOD compliance issue, a disgruntled employee issue, a vendor, service provider, customer, and supply chain issue, and a “company you just acquired” issue.
  3. Cyber Theft is About Credit Cards. Not even close. First, cyber thieves aren’t all the same, and they have disparate goals ranging from creating mayhem to espionage, misappropriation, and terrorism. Second, credit card information is certainly a target of cyber thieves, but, importantly, so are personally identifiable information, business processes, intellectual property, strategy, customer lists, and other material, nonpublic information. Also, many states have complex privacy statutes that can be violated irrespective of whether credit card data are compromised in a cyber breach.
  4. Cyber Incursions Should Always be Disclosed Immediately. While it’s admirable for boards to want to get out in front of cyber breach incidents and voluntarily disclose them immediately, this can sometimes be a bad idea for a reason that boards often fail to consider when they are thrust into crisis mode. Tools and processes for assessing cyber breaches are highly variable, and, depending upon the timing and efficacy of breach remediation, breach malware can morph after being detected and wreak further havoc. The moral of the story is that it’s often unlikely that the first information received by the board about a cyber breach will be accurate, comprehensive, and dispositive, so exercise caution not to complicate a crisis by voluntarily misrepresenting it.
  5. “We’re Fine: We Have Cyber Insurance.” When an insurance broker sends a simple three-page application for cyber insurance that barely addresses the quality and extent of your company’s computer network architecture, physical and data security protocols, and corporate risk culture, it’s not terribly surprising that the so-called “cybersecurity coverage” subsequently issued is limited. Still, many boards unfortunately learn the hard way that scores of cyber insurance policies often exclude considerably more than what they cover. An important key to purchasing reliable, impactful cyber insurance (an increasingly critical risk management tool for pre-IPO and small-cap companies) is to make sure that the policy is only underwritten pursuant to extensive, informed security assessments of your company – not just a short standardized form sent via email.