Last week, the Senate Select Committee on Intelligence passed legislation intended to help the U.S. Government and American companies thwart cybersecurity attacks, the Cyber Information Sharing Act (CISA). Should this legislation pass Congress and be signed into law, it would be a big step towards tightening our nation’s security online.
Legislation alone is not enough. Fortunately, the leaders of major corporations are finally starting to get serious about protecting their cybersecurity infrastructure. The Wall Street Journal reported last week that the boards of directors at many companies are making attempts to tackle these threats head-on or at the very least are taking them seriously. They are even adding executive-level or director-level positions filled by individuals with a cybersecurity background. And these are not just tech companies, or even those whose business is based predominantly around the Internet. They are food producers like Kellogg’s and Tyson, airlines like Delta and energy companies like Exxon Mobil.
The key to achieving buy-in at the very highest level is education and engagement. Corporate board members – quite obviously – are usually busy people and a premium is placed on their time. Luckily, efforts are being made nationwide to get critical information on cyber-threats in front of these business leaders. Two conferences in June alone made great strides toward doing just that. At a National Association of Corporate Directors cybersecurity conference in Chicago, attendees heard from various government agencies, including a former Federal Bureau of Investigation (FBI) official. The Hon. Luis Aguilar, the current senior commissioner of the Securities and Exchange Commission (SEC), addressed a powerful group of directors and executives at a similar conference at the New York Stock Exchange, where he spoke of the “gap that exists between the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken to address these risks.”
These conferences are a step in the right direction, as they inform and engage senior corporate leaders so that they involve their entire operations in the fight against cyber-threats. The dangers certainly are not going away, and the security of these companies and their customers depends on fighting them effectively. When Commissioner Aguilar warned the assembled directors of the gap between risks and boards’ current efforts to address them, he was speaking truth to power.
The threat posed by criminals, state actors and other malevolent elements over the Internet should be evident to anyone who has ever carried out a transaction online. There’s always a risk involved. This threat was certainly made evident to the millions of Target customers whose personal information was put at risk during a massive security breach that hit the company late last year. Anyone who visited one of the thousands of websites affected by the Heartbleed vulnerability – including popular web destinations like Netflix and Instagram – potentially had their information exposed as well. Indeed, the Journal noted that 1,517 companies listed on NASDAQ and NYSE mentioned “some version of the words cybersecurity, hacking, hackers, cyber-attacks or data breach” in their recent reports.
These attacks are so rampant that many major companies are recognizing that cybersecurity is not just a matter to delegate down the organizational chart until it comes to rest somewhere in the orbit of the IT department. The best directors and executives are those who lead by example, and if they take an active stance against these threats, it will instill that attitude throughout the company. After all, since the entire company’s bottom line would definitely be affected by any such security breach, this concerns everyone at all levels of the organization.
Still, many major companies are operating in willful ignorance of the omnipresent cyber-threats to their businesses and American consumers. It’s time for more corporations to follow in the footsteps of industry leaders and make our marketplaces safe for American consumers.
Ortiz is a principal at Crane & Crane Consulting, an adviser on public policy and regulations for a D.C.-based global law firm, and an investor in cybersecurity technologies and services. He recently spoke on the Cybersecurity Landscape panel hosted by the U.S. Securities and Exchange Commission.