As published by Audrey LaForest, Detroit Regional Chamber

Company executives play key role in managing cyber risks

In today’s digital age, technology creates endless opportunities for businesses and customers, but it also presents a number of challenges that leadership must address.

Just ask General Motors CEO Mary Barra, who delivered a keynote speech on the subject at the Global Automotive Cybersecurity Summit in Detroit this past July.

“We all want our customers to be able to take advantage of the technology that is changing the automobile and opening up new experiences that were unimaginable when I started in this business, but we also want our customers and their data to be safe and secure while they are doing it,” Barra said to summit attendees. “Cybersecurity protects not only the physical safety of our customers, but also their privacy and their data security.”

Barra has made cybersecurity a top priority at GM, she said, but it is also an issue every automaker — and every organization, for that matter — should understand and take appropriate action to manage the risks.

“(Cybersecurity) is a challenge facing most business owners because it’s a complex area,” said Linda McConkey, managing director at O’Keefe, a financial and strategic advisory firm with offices in Bloomfield Hills, Grand Rapids, Chicago and Atlanta. “IT is moving at the speed of light. Three-year old IT is dangerous. It ages very quickly. It’s not the equipment; it’s the software, the solutions, the anti-hack software, antivirus software, the malware detection. The things that keep your company safe, as well as your customers’ and clients’ data safe, has to stay current.”

The Best Defense

As businesses and consumers delve deeper into an era of connectivity ¬— living in a world where nontangible assets exist on the cloud — cybersecurity has evolved from a simple IT issue into a top priority for C-suite executives and board members.

“I think the first thing (chief information officers) and CEOs need to understand is the level of risk,” said Scott Goodwin, senior vice president of government services at OpTech, a Troy-based professional services firm that supports organizations in the public and private sector. “There are basically two kinds of companies out there: those that have been hacked and those that don’t know they’ve been hacked.”

It is part of the risk management of the company that executive leaders have appropriate protocols, processes and programs in place to secure company and client data from common cyber risks like targeted phishing attacks, where a virus sends out bogus emails from your account with a “please open this” subject. When unsuspecting recipients open the email, it launches a virus onto their system, too, if they’re not protected against it.

“Same with business continuity and disaster recovery,” McConkey said. “It’s a big area no different from any of the other pillars of operating a company, and the board has a fiduciary responsibility to ensure the executive team is paying close attention and is doing what they can within appropriate limits to insulate from these risks.”

IT security experts, like University of Michigan Chief Information Security Officer Don Welch, acknowledge it is not always easy for executives to understand all of the “bits and bytes” involved in cybersecurity, but a company’s leadership — the C-suite, the board, etc. — ultimately must decide what level of risk they are willing to accept.

“Most nontechnical leaders in an organization are really happy to trust their IT people, their information security people and say, ‘Good, you’re taking care of that. I don’t have to worry about it’ because it’s a difficult thing to understand and get right,” said Welch, who has served on Gov. Rick Snyder’s Cybersecurity Advisory Council and the higher education cybersecurity advisory council to the FBI. “But I think that’s a mistake. It’s not just an IT thing. It’s a business thing. Companies can go out of business.”

A Cyber Solution

The reality of today’s world is that it is not a matter of “if” a cyber intrusion or attack happens, it is a matter of “when.” And one of the worst positions to be in, McConkey said, is one without a plan. “The first time you hear about it shouldn’t be where there’s an event,” she said. “That’s the last thing you need — to put it bluntly — is the surprise.”

So, what should company leadership do exactly? While it depends on the size and needs of an organization, there is one thing every company shouldn’t be without, OpTech’s Goodwin said: a well-defined information security policy that is constantly updated, monitored, read and followed.

“(It’s important) for CEOs to understand the threat is probably not going away soon, and there’s no simple way to take care of it,” Goodwin said. “You have to constantly be on your toes, and it has to become a bigger focus for CEOs because the value of the company can be greatly diminished by a severe attack.”