Security mavericks to middle market directors: Become a harder target
Imagine you’ve spread your prized possessions out on your dining room table. If a burglar manages to make her way past locked doors and windows, she could plunder those items in minutes and disappear back out into the night. You’ve made her job easy with one layer of defense, no alarm systems, and valuables left in plain sight. However, imagine you put those same possessions in a safe bolted to the floor in your bedroom closet. If the burglar gets past your basic external defenses (which are more trivial than you’d like to think), she is now standing in the dark in an unfamiliar place, trying to hunt for the goods while remaining undetected. Odds are she’ll step on that squeaky floorboard, kick the cat, or otherwise alert you to her presence. If she does find the safe, she’ll struggle to crack the combination, and might even give up trying before being caught.
While comparing a cyber-breach to a burglary may seem like a stretch to some, RSM US LLP’s Daimon Geopfert, national leader of the firm’s security and privacy consulting practice, says it’s an apt metaphor for what a breach looks like at some middle-market companies. Geopfert noted in a recent roundtable discussion with directors that people have an inherent understanding of how to protect physical property, but often abandon the same concepts when it comes to securing digital goods. This has led to skyrocketing rates of data breaches within the middle market, which happens to comprise the majority of American businesses.
Middle-market companies often partner with third-party vendors to extend their growth, a move that compounds risks. Both information technology staff and the general counsel’s office must track the vendor’s compliance with their own security expectations, which can lead to vulnerabilities. In order to mitigate these risks, companies must insist on contracting certain protections that would harden the security stance of their enterprise.
Directors and management should remember that, while moving to the cloud can enable growth, the softening of security that can occur when working with third parties can lead to chaos when breaches occur. Directors have the opportunity to pressure-test their security to verify that these steps have been taken. “When you ask companies simple questions to verify the protections in place in their systems, their staff oftentimes pause and say, ‘You know, we’ve never verified X, and we’re not sure about why we haven’t,’” said Craig Hoffman, a partner at law firm Baker & Hostetler, describing his experience as a forensic investigator in breaches of midcap companies. Companies might say they segment their data, which is a common data security best practice, but third parties may not have been called in to independently verify that the segmentation was properly performed, he explained. This lack of assurance creates vulnerabilities that could make or break a company in the event of a breach.
One director noted that boards of mid-cap companies can mitigate the risk of a cyberattack by insisting that the company define its risk appetite and ensure that the processes to protect important assets are well documented.
“A lot of businesses think they understand their business processes, but they really don’t,” the director said. “They don’t document processes, and they rely on prior knowledge. If you can have the self-discipline to document the business process, then you’ll have the ability to say, ‘How will we definitively know as a board whether or not we lost data based on this diagram?’”
Due to budget constraints, many midmarket companies may choose to invest in a lower tier of service when purchasing certain security and information technology. With limited cost comes limited coverage, however. Returning to Geopfert’s metaphor, you would not want to secure your prized possessions in a subpar safe. The same goes for your company’s digital assets. Consider, for instance, the importance of reviewing logs once a breach has occurred. Hoffman pointed out that, in order to save money, companies might choose server packages that do not include log maintenance beyond 30 days of coverage. He urged directors to ask their legal teams if contracts have been carefully reviewed to understand the extent of coverage provided. Doing so can help them weigh their coverage against their accepted risk tolerance.
Play to Strengths
The limited size of middle-market companies means less surface area to protect—and fewer people to train on security. While the overall target area is larger due to the sheer number of mid-cap companies, individual companies may realize some size-based advantages. “You can’t hide on the Internet,” Geopfert said. “Hackers quite often aren’t looking for anything specific, and because there are so many smaller companies out there, the statistics say they’re more vulnerable.”
That said, the experts were keen to point out that a smaller footprint means greater speed to strengthening security—and greater opportunity for employees to alert one another when something looks fishy.
When one director asked what organizations that are smaller and have fewer resources can do to secure their enterprises, Geopfert offered words of reassurance.
“The second you are small enough to convince yourself that you don’t matter, you’re the key demographic,” he said. “However, we have worked with some companies that have turned themselves into exceptionally hard targets in short order because their organizations are that much simpler. The Targets and Equifaxes of the world are that much harder to get their arms around.”
Directors of middle-market companies should remind management that their organization is indeed a visible target, and that one job of management is to make it harder for cyber thieves to gain entry.
“You can’t hide your assets any more than you can hide your house,” Geopfert said. “That said, you know where your important things are. Do what you can to lock them down.”
Article originally appeared in NACD's Directorship magazine September/October 2018 issue.