By George Platsis & Paul Ferrillo
Originally published on Tripwire, July 10th, 2017
It’s 10:00 am Monday morning and management is in the hot seat. The stock has lost 15 points since the opening bell and is in a downward spiral. The company is being maligned on the news and trolled on social media. Shareholders are demanding to know how the company allowed a breach to happen over the long weekend, exposing 100 million records of personally identifiable information. An emergency meeting of all available board members is called for 1:00 pm to discuss the state of affairs and the question, “What do we do now?”
Management and IT hastily put together a presentation of what happened. As soon as the presentation starts, the unthinkable occurs: ransomware takes control. Its demands are simple: $50 million in Bitcoin within one hour, or at 2:00 pm the hacker group dumps corporate R&D and a year’s worth of emails into the public domain. There is no way for the company to recover once this information goes public.
How was all of this allowed to happen?
In times of desperation – and yes, we should consider ourselves in those times right now – friends help friends out with honest and straight talk, not with fluff, pats on the back, or empty comments of consolation. You need to address the illness, however blunt that may be.
If you ever find yourself in the nightmare scenario listed above, it is for one of the following reasons:
- You did not spend enough time discussing all matters cybersecurity.
- You did not ask the right questions – as a director – on all matters cybersecurity.
- You honestly and legitimately did not know how these cybersecurity matters could impact your company.
- You had an IT department and/or CISO/CIO/CSO tell you everything was “A-OK” and you – naively or not – believed them.
It is a harsh truth to hear, but better to hear it from us than from plaintiffs or regulators. All we can do is make you look down at your shoes and feel bad. Courts (and the markets) make you feel pain.
If the WannaCry attack did not get your attention, it should have. But you may be asking: “What could I, as a board member, have done to stop these ransomware attacks? Isn’t that a job for my IT department?”
Yes, it is a job for the IT department, but it is also a job for you – as a board member – to make sure the organization is run in a reasonable and “heads up” manner. Remember, if everything comes apart at the seams, you will be asked: “Dear Director, what did you do to prevent this?”
If your response is a blank stare or a Homer Simpson-like “I dunno,” then sunshine, you’re going to have a problem on your hands the likes of which you may have never seen before.
By contrast, if your response is, “Well, Senator, we performed a vulnerability assessment in the following areas, found these deficiencies, and took these corrective actions,” you may find yourself in a much better place.
So, what questions should you ask of your organization?