When senior Wired writer Mat Honan got hacked earlier this month, he lost eight years’ worth of emails, and everything on his laptop, iPhone, and iPad — from documents to photographs of his baby daughter. It was a highly personal loss, though one writ large against the forces confronting just about every plugged-in person and company: the increasing frequency of cyberattacks, weaknesses in data security policies and practices at major corporations, and the approaching ubiquity of cloud computing.
For the in-house lawyers in the room, then, it’s worth reviewing what happened to Honan with an eye toward company oversight — illustrated by a new survey of general counsel and corporate directors, and an interesting idea the U.S. Department of Energy is proffering about corporate governance and cyberrisk.
Reporter that he is, Honan methodically investigated how he got hacked. While he takes responsibility for his own lapses — like not backing up his data and “daisy-chaining” his passwords across services — those mistakes also revealed chinks in the armor at two data leviathans: Apple and Amazon. From Amazon technical support, Honan’s attackers were able to obtain a partial credit card number: the last four digits. Presenting those same four digits to Apple technical support as proof of identity, Honan’s attackers were given access to his iCloud account. Honan, post-digital torching, puts it thus:
In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
As the results of a new survey of 1,957 general counsel and 11,340 corporate directors at public companies show, data security concerns are now top of mind at many corporations. For the first time in the 12 years of the “Law and the Boardroom Study,” conducted by FTI Consulting and corporate governance information company Corporate Board Member, the results show data security as the most prevalent concern among both groups (48 percent of directors and 55 percent of general counsel), topping the perennial front-runners — operational risk and reputation.
The question that persists, though, is what companies are doing about this abundantly clear need to secure corporate data and networks.
As to how well the board manages cyberrisk, 33 percent of GCs “believe their board is not effective at managing cyberrisk.” Out of the 13 risk management areas covered by the survey, this proved to be one of the worst ratings of board effectiveness, according to the report.
What about disaster preparedness in the event of a cyberattack? “Less than half (42 percent) of directors said their company has a formal, written crisis management plan for that purpose; just over a quarter (27 percent) said their company has no such written plan, and nearly another third (31 percent) were uncertain,” the study states.
The real head-scratcher, though, is that even without a formal crisis management plan (or, in many cases, without knowing whether the company has one), the vast majority of respondents remain confident in their company’s ability to detect a cyberattack. “Seventy-seven [percent] of directors and general counsel believe their company is prepared to detect a cyber breach should one occur,” according to the study.
For Corporate Board Member president TK Kerstetter, that disconnect is cause for concern.
“I hate to say this, but I think it is going to take several well-publicized security breaches before a supermajority of corporate boards finally embrace the fact that doing business today without a prudent crisis plan in place is a formula for disaster,” Kerstetter states in the report. “Cyber risk and social media developments only increase the odds that it will happen to your organization — so boards should take steps to protect their company’s reputation.”
Maybe that’s why the Department of Energy is encouraging electric power companies to adopt a separate board altogether that’s just devoted to cyberrisk governance, as Network World reports. Under the recommendation outlined in new guidance [pdf], a “cybersecurity governance board” would “develop a cybersecurity strategy for the utility and recruit a new vice president of cybersecurity to implement a program based on the strategy.”
Of all the data and files lost to Honan’s hackers, the ones he laments most in his Wired article are the photos of his daughter’s first months. While the impact of data loss and compromised networks on a corporation would be more clinical, the GCs and directors surveyed by FTI Consulting and Corporate Board Member may need to start forming a sentimental attachment to their computer systems before their own nightmare scenarios become a reality.