March 17, 2021
“Cyber pandemic” is a term first heard by most in business last spring, but its hyperbole makes the intended point: the COVID-19 pandemic and subsequent mass telework have begotten an alarming increase in cybersecurity attacks. Indeed, the US Federal Bureau of Investigation’s cyber division reported in April 2020 that it was receiving up to 400 percent more complaints per day than it received pre-pandemic.
That’s why resilience is more important now than ever, according to Robert E. Kress, a managing director and the global quality and risk officer at Accenture Security. To expand on this point and frame the current state of cybersecurity for directors, Accenture teamed up with NACD on March 3 to host a roundtable moderated by Christopher Y. Clark, publisher and senior director of partner relations at NACD, with speakers Kress and his colleague Vikram Desai, a managing director and the lead of the global products industries group with Accenture Security. To Kress and Desai, the top areas of concern today are ransomware, supply-chain risk, and cloud security.
Ransomware was already a growing concern well before the declaration of a global pandemic. Prior to the past year, however, ransomware mainly involved threat actors working their way into a business environment, encrypting data, and locking up a company’s ability to operate until the organization paid a ransom. With the onset of the pandemic, threat actors are evolving and growing smarter. In addition to encrypting an organization’s data, threat actors are now stealing data and intellectual property and threatening to expose the confidential or sensitive information, which may include emails from and between members of the C-suite. In parallel, the ransoms being demanded are increasing dramatically—into the millions and tens of millions of dollars.
There are a number of related risks directors should consider. These include the following:
The risk of compounded attacks should not be forgotten. “Threat actors are smart in that once they understand an organization can be compromised, that organization goes on a ‘frequent flier’ list for attacks,” noted Kress. “You’re much more likely to be attacked again and again when it becomes known that you’ve been attacked.”
What can directors do? Kress recommends asking the following questions:
On the last question, Kress commented, “Negotiating this isn’t like having a Zoom call. It’s a different world. We’re talking cryptocurrency, how you engage with them would be different.”
“The beliefs and values of those holding your data hostage are very different than your beliefs and values—you’re not going to be able to connect,” Desai added. “You need someone, perhaps external, who can speak their language.”
Ransomware and supply-chain risk often merge. A company’s value chain, including franchises, hotels, retail stores, or any kind of extension of the main business that attaches to the business’s processing systems, can be the target of an attack.
“You could be a top 250 firm with a franchisee that clicks a malicious email link, and it moves all the way back to the corporate office, and moves laterally from there,” said Desai. “If you’ve ever had fish at home, you put food at the top of the tank and all the fish converge on it. That’s what ransomware is like.”
The SolarWinds hack is perhaps the best recent example of exposure to supply-chain risk. In Kress’s mind, this massive attack by foreign agents in December was a game changer. “The one thing chief information security officers (CISOs) and chief information officers have relied on is the integrity of the updates from their suppliers,” he said. “For example, if your organization uses Microsoft Teams, when they issue their weekly patches for their products, CISOs would take those patches and assume they were good and implement them as quickly as possible. SolarWinds has challenged the integrity of even these core updates to systems. Organizations need to spend time testing that the patches they’re getting are actually good, but this extends the timeframe between patch release and when your organization can implement it.”
Questions about supply-chain risk the board may wish to ask management include the following:
COVID-19 accelerated the pace of innovation. Employees could not get to the office, and employers could not easily monitor their workers’ Internet sources and activity, which led to the rapid creation of new working solutions. The result has been a faster migration to the cloud than previously expected.
“Many clients think cloud is going to give them great agility; it can. Many think it can save them money; it can. They think it is relatively easy to do; it is not,” said Desai. “And the answers to the first two questions are most often yes, it can, but no, it didn’t. And you shouldn’t shift everything onto the cloud as is. Don’t take your current data problems with you.”
Questions for the board to ask about moving to the cloud and how to keep cloud activities secure include the following:
On the last point, Kress noted that companies must strike a balance between concentration risk and having so many providers that the organization cannot effectively manage them all. “You probably don’t want all of your cloud hosting with a single provider. There is a concentration risk, and we’ve seen Amazon Web Services go down for a couple of hours—that has a big impact,” he said. “If you have more than two providers, though, I would start to question why.”
To close out the conversation, the two speakers offered final takeaways.
“The number one way in which you can minimize your risk associated with ransomware is through training. Accenture routinely tests all 500,000 of its employees. If you fail our testing more than three times, you go to school, and your email privileges are severely cut back,” offered Desai.
“Do you know what role your board plays in a cyber incident?” Kress questioned. “If the board can’t answer that, you’re not ready.”