Cybercrime is no longer an IT problem; it is a business imperative, and CEOs and boards of directors are finally starting to take notice. "Increasing threats to corporate information systems, critical infrastructures, and intellectual property—as well as compliance risks, liability concerns, and the potential for reputational damage or lost business—continue to make cybersecurity a top priority in the boardroom and the C-suite," says the National Association of Corporate Directors.
According to Symantec's annual Internet Security Threat Report released in April, the reasons are clear: There were 430 million net new pieces of malware detected in 2015. That is an increase of 36 percent over 2014. The number of zero-day exploits -- malware that attacks unknown vulnerabilities in existing software and systems -- more than doubled to 54. While this may not sound like a lot, zero-day exploits are particularly nasty because they can go undetected for months or years.
In 2015, over half a billion records were stolen or lost; major security vulnerabilities were found to exist in three quarters of the web's most popular websites; spear-phishing attacks targeting employees increased 55 percent; and the type of ransomware that encrypts data on hard drives, called crypto-style ransomware, increased 35 percent.
To make matters worse (if that's even possible) mobile devices and smartphones are now becoming popular targets for hackers looking to either steal personal data or infiltrate corporate networks. And as the Internet of Things (IoT) opens up ever more holes into corporate networks, the old ways of securing networks through perimeter defenses will become less and less effective. Finally, if this isn't enough, it is a well-known mantra among security pros that all companies have been hacked – whether they know it or not is the only question left to be answered.
Yet despite the numbers and the reputational risk such breaches pose, less than half of corporate boards are actively involved in information security discussions or reviews, according to PwC's The Global State of Information Security Survey 2016. Still, not all the news is bad. There is a marked increase in board involvement and interest in cybersecurity over 2014.
"Guidelines from the National Association of Corporate Directors (NACD) advise that Boards should view cyber-risks from an enterprise-wide standpoint and understand the potential legal impacts," the report states. "Boards appear to be listening to this guidance. This year we saw a double-digit uptick in Board participation in most aspects of information security."
In my own informal survey of some CIOs I know, I found that while all of them report to the board regarding cybersecurity, the frequency of that reporting differs greatly. Some CIOs or their designees report at every board meeting, while others only give annual updates.
According to the NACD, this is not enough. Corporate boards need to stay current on the latest risks, not only from threat actors (such as the rapid and devastating rise in crypto-style ransomware that can bring a company to a transactional standstill), but also regulatory risk and the impacts a cyber breach could potentially have on their businesses.
Specifically, boards need to independently assess the effectiveness of IT with regard to its cybersecurity readiness, recognize that internal vulnerabilities exist at every level of the organization (including the board), and look at cybersecurity in the context of best practices, not just point solutions.
While the news regarding cybersecurity is grim, there is hope that as boards become more actively involved, it will lead to a hardening of their organizations and, eventually, help stanch the flow of new threats.
"Board involvement has helped improve cybersecurity practices in numerous ways ... as more Boards participate in cybersecurity budget discussions, we saw a 24% boost in security spending," the PwC report states. "Other notable outcomes cited by survey respondents include identification of key risks, fostering an organizational culture of security and better alignment of cybersecurity with overall risk management and business goals."
This involvement, coupled with an integrated security posture that uses people, process, and technology in a self-reinforcing system with data at its center, should go a long way toward managing the current cybercrime crisis.