Although the media storm surrounding the cyber-attack on Sony has subsided, it is quite difficult to estimate both the short-term and long-term economic and reputational “damage” that will be caused to the Sony corporation.
Furthermore, the cyber-attack on Target, one of the world’s leading retail corporations, occurred in 2013, and the damage is difficult to estimate to this day.
Recently, it seems that a wave of cyber-attacks constantly threatens us from all directions.
I am by no means an expert in the field of cyber, although the comments made by the CEO of Sony, “it’s not like we had a playbook of what to do or what not to do when cyber-attacks occur,” made me think about the following: Is it possible that, in our time, while we manage business corporations, everything has become exposed to the public? Is there anyone responsible for the company’s information security, besides the IT manager? What is the responsibility of every position-holder, including directors, in any corporation when it comes to cyber security? Cyber-attacks are the price we pay for conducting business in the age of the digital economy.
In recent years, the business world has been characterized by high volatility arising from global economic changes and constant technological development. The information economy is shaped by these technologies, as well as by corporate activity on social networks.
Several years ago, if someone told me that I would drive a car equipped with dozens of sensors and computers, it would have sounded like a science fiction movie scenario.
However, technological approaches such as the “Internet of Things,” which use Internet services for monitoring and remote operation, have become an inseparable part of our daily lives and have changed the economy beyond recognition.
A fly in the ointment: tremendous business opportunities accompanied by significant risk. Technology has a decisive influence on the way we conduct business activities, as well as on our risk management.
Globalization creates business opportunities, but it has also increased the risks involved in any business activity. Technological development, beneficial as it is, may disrupt intra-organizational procedures and the implementation of controls, and thus damage a company’s ability to detect irregularities. The more we use technological tools for business and financial information, the greater the chance of a cyber-attack.
According to various economic forecasts, cyber-attack is considered one of the 10 most prominent threats affecting business organizations in 2015, and the level of risk in this field is expected to keep growing.
Cyber-attack has an impact on every corporate field of endeavor. It undermines a corporation’s internal and external stability, causing a crisis of trust between management and employees, and between clients and the organization. Over time, it impairs the company’s assets, reputation and business continuity.
And yet, many executives consider the cyber threat to be a purely technological issue, and therefore believe the solution lies in constantly increasing the budget for purchasing the “next” firewall or another piece of protection software, instead of examining the problem from a risk-management perspective.
Such an approach leads executives to ignore the overall risks involved and to avoid decisions adapted to the cultural and business changes of the modern era.
We must acknowledge that no protection software, however effective, will prevent cyber-attacks completely, just as it is impossible to completely prevent economic crimes such as fraud and embezzlement.
In addition, statistics show no correlation between budgetary investment in cyber security software and the frequency of cyber-attacks.
After all, we would expect security software to reduce both the frequency and the intensity of cyber-attacks, but in reality it is quite the opposite: cyber-attacks become more frequent and more sophisticated every day.
Thus, the core issue has nothing to do with the budget or the type of software. The main issue is intelligent risk management of cyber-attacks and security.
Any increase in resources should be made as part of the strategic management process within the organization’s risk management system, after carefully examining the company’s characteristics and the resources, infrastructure and assets that must be protected.
Managers and directors must be optimally prepared for cyber-attacks or physical security breaches. The next question is how to recover from such attacks while maintaining stability and continuing to prepare for other risks.
What are the questions that CEOs and directors should ask themselves regarding cyber threats?
Risk Assessment: What are the main risks the corporation is facing? Are competitive factors and the specific vulnerabilities of the industry in which the corporation operates being taken into consideration? If a corporation is engaged in developing an innovative medicine, the major risk may be concentrated in the field of R&D, while a retail corporation is in danger of losing its customer club information. In which fields is the organization exposed to the risk of theft of sensitive and critical information?
“The Unsatisfied Employee”: Every director would feel uncomfortable if an outside intruder broke into the organization, but what about the internal risks? Embezzlements are mostly committed by employees. Some of them carry revenge motives due to a personal affront or certain employment conditions. For others, the reason may be employment termination.
Such reasons may serve as a powerful motive for “information leakage” and for prohibited use of corporate assets.
Does the organization have a policy aimed at minimizing the risk of sensitive information leakage? Are there procedures that require employees to report? Are the employees aware of these procedures? Is the policy being enforced?
Involvement and Commitment: Does every manager who is responsible for corporate resources get sufficient information and ask the relevant questions, in order to establish a proper security strategy? What is the manager’s responsibility regarding corporate cyber security and minimizing the risk of cyber-attacks?
Preparedness and Arrangement: These are the main issues. To what extent is the organization prepared to respond to a cyber-attack? What is the right thing to do when it occurs and, equally important, what should not be done? Do the people responsible for data know where it is stored? Can the information be restored quickly? Should a press release be issued in order to minimize the anticipated reputational damage? These are only some of the possible questions, and they differ for every organization, but the common thread is that every company should be prepared in advance.
Senior management and board members bear a double responsibility: on the one hand, they are responsible for establishing the corporate business strategy and setting policy; on the other hand, they exercise overall supervision and are therefore responsible for all consequences and failures.
One of the most concrete examples is the dismissal of Target’s CEO, following the theft of personal details of 40 million customers.
Another example is the retirement of Sony’s chairman, who was considered one of the most influential women in the film industry.
Think before you act: Who is actually responsible for the organization’s cyber security? The digital age has caused significant changes in the way business dialogue is conducted.
Concepts such as corporate responsibility and effective risk management processes have become dominant.
Today, senior officials are evaluated on their attention to detail. They bear a great deal of responsibility for business results and for maximizing the profits of the organizations they are responsible for. They must internalize that cyber-attacks and physical security breaches are a real threat that might “paralyze” the company, and that they will be required to address the matter.
Dialogue between senior executives and cyber risk management experts is necessary so that they can handle the constantly growing risks responsibly and rationally, while minimizing their personal exposure to potential negligence lawsuits in case of failure.
The author is the managing partner and one of the founders of the RSM Shiff Hazenfratz & Co. accounting firm and the former president of the Institute of Certified Public Accountants in Israel.