The Cybersecurity Myths That Small Companies Still Believe

High-profile breaches at Target, Home Depot, and JPMorgan Chase have put cybersecurity on the agenda for companies large and small. But despite the ongoing media commentary and “best practices” memos, consultant Adam Epstein of Third Creek Advisors notes that board members of small-cap companies and those considering or preparing initial public offerings are still befuddled by persistent myths on this topic.

The confused companies include many in Silicon Valley, where one would expect to find more tech savvy, he says. I asked Epstein, the author of a how-to book for corporate boards, to bang out a primer on what directors think they know about cyber threats but really don’t. Herewith, his free advice:

1. Cyber breaches are preventable. No, they’re not. Breaches are a matter of when, not if. As security guru Tom Ridge recently noted in my interview with him in Directorship magazine, your networks have likely already been breached. If Fortune 50 companies with nine-digit annual cybersecurity budgets can’t prevent breaches, neither can you. Effective cybersecurity is more about identifying corporate “crown jewels,” making it as difficult as possible for them to leave the building, and having a thoughtful plan for post-breach resilience.

2. The IT team is on it. No, probably not. Boardroom cybersecurity oversight generally consists of inviting the head of IT to make a periodic presentation on the company’s firewalls and antivirus software. Lacking security experts, most boards collectively exhale on hearing the IT update. Unfortunately, cybersecurity is only partially an IT issue. It’s also a matter of corporate culture, employee training, and physical security. You need to worry about disgruntled employees and your supply chain, not to mention that little company you just acquired. That’s way beyond IT.

3. Cyber theft is about credit cards. In the past several months, I’ve consulted with several boards whose members said that because their businesses don’t store or process credit card data, this area isn’t a cause for concern. Wrong. Cyber thieves have disparate goals, ranging from semi-benign mayhem, to espionage, to misappropriation, to terrorism. Credit card information is certainly a target, but so is personal info, intellectual property, strategy memos, customer lists, and other nonpublic information.

4. Always disclose cyber incursions immediately. While it’s admirable to want to get out in front of breach incidents and voluntarily disclose them, this can sometimes put a board at a disadvantage. Consider the Target breach, where the size and nature of the crisis expanded substantively with each press release. Malware can morph after being detected and wreak further havoc. It’s often unlikely that the first information received by the board about a breach will be accurate and comprehensive, so exercise caution not to complicate a crisis by voluntarily misrepresenting it.

5. No worries, we’ve got insurance for this. A lot of so-called cyber coverage results from a three-page application that barely addresses the quality and extent of your company’s computer-network architecture, physical and data security protocols, and corporate risk culture. The resulting coverage usually comes up short. Scores of cyber policies exclude more than they cover. Make sure the policy is underwritten after extensive, informed security assessments of your company—not just a standardized form sent via e-mail.

Good luck. You’ll need that, too.