Taking Responsibility for Cybersecurity

As recently illustrated by the hack of Sony, ineffective cybersecurity measures can pose significant risks to a company. Many companies don’t have the technical skills to prepare for cyber-attacks; and even if they do, they are at an inherent disadvantage. Cyber-criminals can prepare for months and attack whenever or whomever they chose, as often as they please. And a major success for the hackers can entail finding just one weakness to exploit. Thus, companies must be alert at all times.

Adding to the difficulty is the fact that most companies don’t have a clear picture of who should be responsible for cyber risks. Many companies do not have an executive dedicated to cybersecurity, so the responsibility must fall to someone who may not have the technical expertise to understand and implement sufficient cybersecurity controls. According to a 2014 BDO Board Survey, over 60% of companies do not have a Chief Cybersecurity or Chief Information Security Officer, and 61% of those companies allow cybersecurity duties to fall to the Chief Financial Officer.

The role of the board of directors in managing cybersecurity has come under scrutiny as well. Boards are tasked with the responsibility of overseeing risk management – including cyber risks – for shareholders. According to the same BDO survey, 29% of corporate boards are not briefed on cybersecurity at all, while 30% are briefed just once a year. During the SEC’s Cybersecurity Roundtable, held in March 2014, panelists expressed that boards must do more to address cyber risks, while also acknowledging that boards overwhelmingly lack expertise in the field of cybersecurity.

How much cyber-risk a company is exposed to, and who should be responsible for cybersecurity, will largely depend on what industry that company is in. As can be inferred from the table below, cybersecurity should be a growing concern for companies in all industries, but more so for some than others. For instance, manufacturers and servicers have seen the most cyber breaches between 2011 and 2014; however, the trade industry has seen the largest increase of breaches since 2011.

Understanding the type of information at risk is also important in assigning roles and responsibilities. Personal information, such as names and addresses, is typically the most accessible to cybercriminals, and has been the most frequent target in most industries. Successful breaches of financial information are less common – likely because such information is generally more secure – but are likely to be more damaging.

In 2014, 11 companies in the trade industry suffered cyber attacks directed at financial information. That is more than any other industry has seen between all of 2011 and 2014. This is probably because trade companies, especially retail ones, have the largest number of consumer customers on record, which makes them an appealing target for data thieves. A hack of Target, for example, can give cyber criminals access to the personal details of over 70 million people.So who is responsible for cybersecurity? As with everything in life, different responsibilities will fall on the shoulders of different individuals. Boards must stay abreast of macro trends – such as the rising threat of attacks at the point-of-sale, or the increasing risk faced by manufacturers related to their intellectual property – in order to assess their companies’ risk of a cyber-incident. Management must adequately evaluate the costs and benefits of their IT budget to ensure that they are not handcuffing those tasked with the onus of implementing cybersecurity measures. They must also ensure that proper controls and procedures are in place to protect, detect, and respond to cyber-incidents. (If this sounds familiar, these are three of the five functions of the NIST Framework.) Finally, employees must be trained to minimize the risk of cyber-intrusion through phishing attacks. When an employee’s credentials are compromised, it can be exceptionally difficult to detect an intrusion.

Note: Financial breaches include breaches where personal and other information were also stolen. Personal breaches include breaches where other information was also stolen. Other only includes breaches where information such as intellectual property or rewards were stolen.