Digital Savviness is Becoming More Urgent: Masterclass Cybersecurity for Boards
Author: Ellis Bloembergen | Image: Roderik van Nispen | 07-03-2023
Many companies have cybersecurity high on the agenda. Substantial investments are being made in securing business systems. 'It will remain a much-discussed topic within Boards in the coming years too,' expects Joyce Leemrijse, notary public and partner at Allen & Overy. 'The risks are now so serious that a single Executive cannot bear the responsibility alone - all Executives must be well informed in order to formulate a good cyber strategy.' This also follows from the Corporate Governance Code as updated in December 2022.
We have not reached that point yet, according to the master class on cybersecurity for Boards, to which a select group of company secretaries was invited. Executives, but also Supervisory Board members, are often less tech savvy than desirable. Due to the lack of ICT knowledge, there are still few constructive discussions about the best security against cybercrime. Worse still, Executives and Supervisory Board members are often easy for cybercriminals to lure into a trap, since the digital hygiene of Executives and non-Executives often leaves much to be desired. The company secretary is primarily the person to identify problems and knowledge gaps and to address them. The master class for company secretaries was therefore intended to update them on these risks and to discuss their experiences.
Phishing emails even more ingenious thanks to ChatGPT
The urgency of solid ICT security is high. The techniques of cybercriminals are becoming increasingly sophisticated, outlines Bart Preneel, PhD, professor of computer security and industrial cryptology at KU Leuven. 'Where in the 1980s and 1990s hackers tried to crack passwords to penetrate systems, today the attacks are automated. Cybercriminals target several companies at once with cheap software and strike when they find holes in an ICT system.' According to Preneel, every software program contains bugs. These are ‘patched’ or repaired with new updates, but sometimes cyber thieves have already slipped in by then. Preneel: ‘Developers want to bring a new app to the market as quickly as possible; they take some vulnerabilities for granted to fix them later.’
Phishing is also a major risk for organizations. If employees click on the wrong link, cybercriminals gain access to the corporate network. These criminals can steal data, read confidential documents, and learn, for example, how a company is doing financially. By installing ransomware - hostage software that encrypts data - they can then blackmail a company. Preneel: ‘Phishing emails are increasingly difficult to spot, thanks in part to technologies such as ChatGPT.’
It is not only corporate networks targeted by criminals, by the way. 'As our society continues to digitize, they can also sabotage smart cars, homes or buildings.'
Artificial intelligence arms race
Preneel identifies three trends. First, the number of data breaches is increasing alarmingly. 'Especially through social media channels, a relatively large amount of personal data is captured. Facebook users can assume that their data has been leaked at least once.' While Facebook may involve log-in data, according to the professor, a data leak at a government agency causes privacy-sensitive information to get into the wrong hands.
As a second trend, the professor notes that organizations must protect themselves not only from cybercriminals, but also from governments. 'The war in Ukraine is playing out both physically and digitally, on our ICT systems. Cyber attacks are targeting Ukraine's vital infrastructure. But the Netherlands, one of the most digital countries, is also vulnerable. Things could go wrong with payments, the water system, drinking water supply, train traffic, the transportation sector or energy supply.'
Finally, Preneel predicts an artificial intelligence arms race in cybersecurity. 'Organizations are deploying artificial intelligence to monitor possible cyber attacks on their network, at the same time cyber thieves are targeting holes in digital networks with automated software. This creates a war on our systems that we ourselves no longer understand.' Preneel does have some good news. 'We are in a transition phase. In 20 years, only secure software programs will be developed. Looking back, we will wonder why such penetrable software was ever brought to the market.’
Executives and Supervisory Board members easily targeted
Employees are often a weak link in the security of corporate digital networks. ‘Criminals prefer to target the top of an organization,’ says the managing Director of cyberwolf.io, who prefers to remain anonymous for security reasons. Cyberwolf.io is a company that specializes in the personal cybersecurity of Executives and non-Executives. ‘This is not without reason. Criminals find it relatively easy to get in via private email or devices of Executives or Supervisory Board members,’ is his warning. ‘MB or SB members have a large amount of confidential information, but are often the weakest secured. They are easy targets because - through ignorance or indifference - they do not always have their ICT hygiene in order. For example, executives do not use password managers or two-factor authentication, or do not perform updates.’
Another major pitfall for organizations is that when it comes to security, they only focus on business accounts and devices, whereas in order to achieve good digital hygiene, executives must be able to rely on support from their organizations to secure their personal devices as well. ‘Executives often use their own laptops and store confidential documents on them. They also often app or e-mail using their own cell phones, which usually do not have any protection software. At the same time, various less secure apps are downloaded on the business mobile. This presents a cybercriminal with several opportunities to slip in.’
One of the company secretaries notes that this problem is effectively addressed by agreeing that private and business must be kept strictly separate. ‘With us, that is policy.' Yet practice is more recalcitrant. 'A Supervisory Board member finds it enormously inconvenient to have four different phones and laptops for the four Boards he is a member of.' Moreover, convenience sometimes wins out over compliance with security guidelines. The managing Director: 'Even politicians sometimes get it wrong. Hugo de Jonge, for example, as Dutch minister of Health, emailed from his private email and not through the ministry's better-secured account.’
Continuing education is the motto
There are some lessons to be learned from cyber incidents. For example, cybercriminals' techniques can be very sophisticated, notes Nicole Wolters Ruckert, data, privacy and cybersecurity expert at Allen & Overy. She mentions how, after countless contacts via email and phone, an investment company thought it was dealing with a serious investment fund. 'Everything seemed in order, yet the contact turned out to be a fraud – it resulted in 10 million euros being transferred to the wrong party.' A second warning: 'Be alert to disgruntled employees. They may well sell their passwords for a large amount of money.' She also points out the danger of cyber attacks on suppliers and customers. 'Investigate how vulnerable your company is and arrange for this in your contracts.’
Wolters Ruckert argues for some basic knowledge about cybersecurity in the Boardroom. 'What is cybercrime, what impact can it have and why is it important to strive for good ICT hygiene? The knowledge now varies greatly.' Further training is therefore the motto. According to Wolters Ruckert, in future Executive and Supervisory Board members will be required by law to have a certain level of knowledge of cybersecurity anyway. The role of the chief information security officer (CISO) is important in this regard. 'The person responsible for information security within the company must report to the Board about the risks. The advice of the CISO must be well attuned to the knowledge level of the Executive Board and Supervisory Board, as the CISO does not always speak the same language as the Board. But at the same time it is extremely necessary to have a constructive conversation about the most adequate cybersecurity strategy.’
Liability for Directors will increase
'A large amount of European and national laws and regulations are being developed which will place more responsibility on the Board. For example, Executives and Supervisory Board members will have to approve the cybersecurity measures of the CISO. If compliance with these measures is not properly monitored, Executives can be held liable. That is quite extensive,’ is the opinion of the cybersecurity expert at Allen & Overy. Wolters Ruckert expects the responsibility and liability of the Executive Board and Supervisory Board to increase further in the coming years. 'Also, Executives could be held personally liable in the future. Until now, under Dutch liability rules, there must be serious culpability before someone is held personally liable. In the field of cybersecurity, this has so far been limited to a single case: it involved, as an example, an Executive who deliberately failed to report a data breach.'
In conclusion, Wolters Ruckert argues that Executives and Supervisory Board members will soon no longer get off the hook so easily if they are nonchalant about ICT guidelines established by the company. She clarifies, ‘We consider it normal for new employees to put down in writing on their first day that they will handle company resources and software carefully and securely. It should be no different for Executives and Supervisory Board members. If they deliberately circumvent the rules and thereby open the back door to criminals, that can be construed as serious culpability.’
'Can we keep up?'
The company secretaries acknowledge that cybersecurity is playing a more prominent role within the organization. One of them says that only a few years ago, ICT was regulated independently at each branch. 'We thought cybercrime would not happen to us. However, we had to deal with a number of incidents, which sometimes also brought production to a standstill. Since then, we organize it centrally and we continuously monitor for threats. If there is a serious alarm, we act.’ A fellow company secretary wonders if large companies can keep up with the ever-increasing cyber threats. 'Can we keep up?'
Wolters Ruckert signals that the situation is indeed improving - but slowly. 'We notice that companies are more often appointing Executives and Supervisory Board members who are more digitally minded. The tide is turning, although it will take some time.’
This article was published in Management Scope 03 2023.