Get the Board Involved When a Data Breach Hits Where It Hurts (The Bank)
Missing earnings by $120 million, thank you, Petya. Not exactly the way to get your board to pay attention to the cybersecurity threat, but it’s certainly a head-turner when your bottom line is immediately impacted. Such was the case for Reckitt Benckiser Group PLC – a global maker of household goods like Airwick air fresheners and Calgon bath products, with distribution all over the world. They were hit by Petya, which crippled not just their business but their supply chain – delaying shipments and invoicing and impacting manufacturing processes. Now the company is cutting its full-year forecast and its board has no choice but to pay attention to the threat in front of them.
More typically, when a business is struck by a cyberattack – not just ransomware such as Petya or WannaCry, but a data breach or another type of cyber threat – the impact to the bottom line isn’t always felt immediately. Sometimes cyber insurance kicks in to take the sting out of the cost of breach notification, compliance fees, etc. In other cases, revenue may not necessarily be immediately impacted as a result of customer churn after an attack. This is especially true if churn winds up being low. If the company is smart about how it reacts to the cyberattack, by doing things like keeping customers in the know at all times, responding swiftly, and communicating openly and frequently about the status of the breach or attack, it may keep more customers than it loses as a result of that cyber incident.
This brings me back to my main takeaway from the Reckitt Benckiser example, however – their board was immediately aware of just how serious a cyberattack can be on the business from a revenue standpoint. It’s not just about the sheer embarrassment of seeing your company in the headlines for all of the wrong reasons; there are huge implications to the business after a breach or cyberattack. While business leaders are fully aware of those implications – from customer loss, reputation and brand trust damage to fines incurred and ultimately, lost revenue – board members aren’t necessarily so acutely aware, or at least weren’t until pretty recently.
In today’s world where it’s not ‘if’ but ‘when’ your business will be breached, board members increasingly need to take a more active approach to how the businesses they serve manage IT security efforts. This is something we’ve talked about for a while on our blog – highlighting the importance of educating board members on cybersecurity and risk management efforts underway, giving them a primer on the growing cybersecurity risk posed to the business overall. Many board members simply don’t have any prior background in cybersecurity and risk management, so naturally they need the right context to fully grasp the severity of the issue. Ultimately, board members can become your biggest change agents within the company, as our CMO Juliette Rizkallah points out in her blog post on the topic, for example if they help guide business leaders towards understanding how cybersecurity can be a competitive advantage and business differentiator.
In today’s threat landscape, it’s not just about covering the ‘must have’ bases in security; it’s about making sure all of your bases are covered. As cyber attackers continually turn to the weakest link – you and me – when seeking their way ‘in’ to a company, organizations cannot afford to ignore identity governance as a critical component of their overall security operations efforts. Getting the board ‘on board’ with cybersecurity as a topline business priority is so clearly a must today, as recent events certainly underscore. No CEO or board member wants to face a $120 million earnings miss because they weren’t ready to invest enough in the company’s security efforts.