What alt-rock icons Weezer have to say about cyber security risk
If you want to destroy my sweater, hold this thread as I walk away. So goes the Weezer song.
The L.A. alternative rock band may not be known for their risk management prowess (shocking, right?), but they were on to something that can be useful in understanding the future of cyber security risk.
(My inner high-school rocker hates what I’m about to do, but strap in: it’s Weezer meets data security.)
What Weezer was getting at is critical for C-suite managers to realize: just like you can destroy a sweater by pulling on a single thread, you can destroy — or at least put in jeopardy — a company’s future with just a single cyber security event.
Let’s walk through this step by step:
- Your company has been doing well lately. Lots of work, lots of happy clients, and lots of happy employees, too. This success comes to a screeching halt one Monday morning when you arrive to work to find that every laptop, desktop, and even your servers have been infected with ransomware by some Troublemaker. Even the backups have been compromised.
- Because things had been going so well, you never really took the time to develop a cyber security incident response plan, a data governance framework, or investigate cyber insurance. So, with the network locked up now, you don’t have a plan for dealing with this kind of problem. Say It Ain’t So.
- As the hours turn into days, your once-happy employees’ payroll costs continue to mount even as they can’t work, your once-happy clients are demanding to be released from their contracts, and your bottom line — both present and future — starts to take a serious hit as the local media gets wind of the story. A friend tells you about a forensic IT company, and after learning that they charge around $350/hour (and work 24 hours a day, with two to three individuals on the job), you bite the bullet and enlist their services to unlock your systems and repair your corrupted data. For the same price, you could have bought a home in Beverly Hills (well, maybe you could have paved a long driveway and done some nice landscaping).
- By the time the dust has settled, your business has lost just shy of a quarter million dollars in just under a week’s time. Thankfully (if you can even say the word), you didn’t have much personal client/employee, health, or payment card information. If you did, the costs could have exceeded $1 million in the blink of an eye. That would not have been a Perfect Situation.
Alright, enough with the indie rock. Let’s get down to brass tacks. At this point, cyber security issues have received enough press and have been experienced by enough businesses — of all sizes and varieties — that should a business not have some sort of cyber security plan in place, investors, regulators, lenders, and even clients would have standing to ask: “Why haven’t you prepared for this?”
“I didn’t think it would happen to us …” is not likely to be an encouraging response.
This brings us back to our sweater analogy. What starts as a cyber event can morph into a directors and officers’ liability event fairly easily. Home Depot recently settled what’s thought to be the first “successful” cyber-related shareholder derivative lawsuit. The shareholders alleged that Home Depot “… breached their duty of loyalty because the defendants failed to institute internal controls … [and] that the defendants wasted corporate assets.” The case was settled for $1 million and a promise from Home Depot to make changes to its cyber security practices. While that’s peanuts for a company of that size, the precedent it sets should grab the attention of corporate officers everywhere. Based on this case, corporate officers can be held responsible for their actions and/or inactions within the realm of cybersecurity.
So, how can corporate officers show they’ve considered and planned for a cyber event? Where are they to begin? Anywhere. Just start doing something — anything — and document it all. Develop an incident response plan. Deploy the NIST Cybersecurity Framework. Run a tabletop claims exercise. Hire an outside firm to administer a phishing simulation and penetration test. Purchase a cyber insurance policy from an agency that knows cyber. While you’re at it, have your agent review your D&O policy to ensure it’s cyber-friendly, too. Just pick one path and let your security develop organically from there. If you aim for security, you’ll likely hit compliance, but if you aim for just compliance, you may miss security.
Long story short, if you want to spend your retirement on an Island in the Sun, take time to take your cyber security seriously.
David Kruse, CISR, is a client executive with Hausmann-Johnson Insurance.