Remember when Russian agents hacked more than 500 million accounts from Yahoo in 2013 and 2014? It wasn’t just the size of the breach that was enormous. The consequences of delaying disclosure of the breach for years ended up being enormous as well. It turned out that Yahoo knew about the hack as early as 2014 but didn’t disclose anything until late 2016, during a sale of major portions of its business to Verizon Communications.
Not only did the delay hurt Yahoo’s reputation; it also resulted in a financial setback. The U.S. Securities and Exchange Commission slapped Altaba, the company that formed from what remained of Yahoo after the sale, with a $35 million fine in 2018 for failing to disclose the breach to investors. That was on top of $50 million to settle lawsuits from Yahoo account holders.
Verizon agreed to pay half of that settlement but balked at paying the full purchase price for Yahoo. It ultimately paid $4.48 billion for the purchase, which was $350 million less than what was originally agreed.
The case showed that the stakes are magnified when it comes to breach disclosures and communication. This article will focus on some of the biggest mistakes corporate leaders make when it comes to cybersecurity, compiled from interviews with experts.
1. Failing to communicate properly.
As the Yahoo case showed, good communication is invaluable. When and how to communicate that a breach has occurred is never an easy decision, and information about the breach may change during an investigation. A common mistake in response to news of a breach is an announcement that underestimates the potential harm.
“There’s an urge to say ‘Everything’s fine here, look away,’” says Kevin Haley, director of security response at the cybersecurity software firm Symantec Corp. There’s also an urge not to communicate a breach until after an investigation is over and all the facts are known. However, 2018 guidance from the SEC says that an ongoing investigation shouldn’t prevent disclosure of material information to investors.
“Most senior executives think a cyber breach is primarily a technical risk to the company,” said Leo Taddeo in a DirectorCorps video interview. Taddeo is a 20-year veteran of the FBI who is now the chief information security officer for the infrastructure and security platform Cyxtera Technologies. “That may be true to an extent. But the real risk to a company is failure to communicate properly. That’s where reputation damage could be made worse. That’s where you could lose the ability to work with partners and customers.”
2. Creating an environment unsafe for truth-telling.
It’s hard to address problems in an atmosphere of fear. Make sure employees and vendors feel safe to report breaches and security problems. Don’t punish the bearer of bad news or anyone not responsible for the problem, but make sure those who are responsible are held accountable.
“My job as a CISO, and the job of other executives and the board, is to create an atmosphere where it’s safe for people to tell you the truth,” says Taddeo.
3. Reacting to the news instead of being proactive.
Planning for a breach is a fundamental part of corporate decision-making. Don’t get side-tracked by the latest news and lose sight of the company’s cybersecurity strategy and investments, says Gabriel Bassett, a co-author of Verizon’s 2019 Data Breach Investigations Report. The news is filled with reports of major breaches at corporations and city governments. Don’t ask what the company is doing to prevent an attack like the one in the news.
“It’s great you’re worried about this one but what about the million other threats that came out today?” says Symantec’s Haley. Companies need to protect themselves and plan for an attack based on their particular vulnerabilities.
“It’s hard if you’re only looking at the threat of the day,” Bassett says.
4. Thinking you can outsource risk.
Companies are increasingly turning to outside vendors for software and to the cloud for storage. They are able to do much more with the help of third parties than they can do on their own, but they can’t pass the security risk to a third party.
“A lot of executives would like to externalize the risk,” says Adam Sedgewick, senior IT policy advisor for the National Institute of Standards and Technology. “A lot of people feel it’s too technical a topic and they want to buy their way out of it.”
Corporate leaders and board members need to ask enough questions to make sure they understand the risks their company faces and that management is addressing them. Think about the organization’s critical infrastructure and how to protect it, including assets such as client lists and trade secrets, and ask IT managers how they plan to protect those critical assets. And as your company changes, so might your risk profile. If you buy another company, shift your strategy or move files to the cloud, how does your risk change and how do you address that?
While corporate leaders often don’t have a lot of technical expertise, they can lead when it comes to strategy, communication and culture.