One of the nation’s largest financial institutions, J.P. Morgan Chase & Co., is still reeling from a massive cyber-assault which compromised the personal information of millions of their customers. 

The source of the attack is still unknown, but some speculation has centered on what The Wall Street Journal identified as “Russian-speaking cybercriminals,” who may have ties to that nation’s government.  If Vladimir Putin’s government – or someone acting in its employ – is found to have played some part in the attack, it joins this spring’s Department of Justice indictment of five hackers from the Chinese People’s Liberation Army (PLA) as mounting evidence that cyberspace is quickly becoming the 21st Century’s most volatile battlefield.


J.P. Morgan Chase is only the latest in an unfortunately long string of American companies to feel the ravages of a cyber-attack.  It’s not just financial institutions – major retailers like Wal-Mart, Home Depot and Target have been hit recently as well, resulting in significant customer data breaches.

With each new attack, the same truths become increasingly clear: no company is immune to cyber-attack, and preparation is key to mitigating risk.  This preparation must start with a commitment at the very top of the company: the board of directors.  With a top-down approach and directors who are actively engaged, companies stand a greater chance of protecting their shareholders’ interests in cyberspace.

For many corporate directors, adding another issue to the already-packed agenda is admittedly complicated. But cybersecurity demands nothing less than the board’s full attention, and passive management is not an option. Starting the conversation is crucial, and directors can accomplish that by taking five actions: empowering, informing, investing, preparing and engaging.

Any board’s first step should be to identify someone in their company to act as cybersecurity point person – a digital gatekeeper. This must be a senior management position, a Chief Information Officer or Chief Technology Officer. If no such position exists in the C-suite, create one – either by promoting a current information technology employee with the requisite security background and skill set or by hiring from outside. This individual should then be empowered to evaluate and bolster the firm’s digital defenses, with quarterly reviews by the board.

The next step is for the board, with the help of this digital gatekeeper, to inform themselves about their current cybersecurity status.  Begin a full audit of the firm’s existing protections to identify potential vulnerabilities.  As they await the results of the audit, the directors should educate themselves on recent data breaches elsewhere and the lessons to be learned from them. 

Third, the board must commit to investing the necessary resources to ward off cyber-attacks. This often requires a change in the investment paradigm. It must be remembered, however, that in cybersecurity, it is almost always cheaper to prevent an intrusion than to face the fallout after customer data or intellectual property is stolen.

Any 21st Century company is at risk of attack.  As such, it is important to prepare for it at all levels.  The accounting department should run financials for simulated attacks, perhaps based on others which have occurred in the same industry.  The communications and investor relations teams should be prepared with crisis plans to handle media inquiries and shareholder interaction.  The key is assembling and integrating experts who know your network and systems to reduce mitigation time should an attack hit.

Finally, an effective board is constantly engaged. Follow up consistently, not just with the chief information officer but with all of senior management, to see that security is being tested, improvements are implemented effectively and every facet of the business is ready. Make sure management is aware of just how serious cybersecurity is and how seriously it must be taken. Make clear that the shareholders are owed nothing less.

It’s almost impossible to predict when a cyber-attack will strike or who will perpetrate it. When a company is prepared, however, the attack can be prevented or the effects mitigated. If planning for an attack is going to be a clear corporate priority – as it should be – the board of directors must set the standard. Their company’s future may depend on it.

Ortiz is a principal at Crane & Crane Consulting, an adviser on public policy and regulations for a D.C.-based global law firm, and recently spoke on the Cybersecurity Landscape panel hosted by the U.S. Securities and Exchange Commission.