Benjamin Franklin said that there are only two things certain in life: death and taxes. Across every enterprise, a third certainty exists: cyberthreats. The number of security breaches grows each year, and by one widely cited estimate the average annual cost of cybercrime for an organization has climbed to $13 million, up $1.4 million in a single year. Cyberattacks also no longer affect only a company’s brand and bottom line. With a quarter of new bills introduced in the House of Representatives directly addressing cybersecurity concerns, the issue has reached a crescendo.
One federal proposal that would radically change the way organizations manage their cybersecurity protocols and processes is 2019’s Corporate Executive Accountability Act. The bill provides that CEOs would be accountable for any corporate wrongdoings that “lead to harm,” including data breaches, affecting stakeholders such as employees. In theory, once the bill is passed, a chief executive could face a prison term because an employee unknowingly clicked a malicious link and handed an attacker a foothold on the corporate network, essentially rolling out the digital red carpet for outside bad actors to do as they wish with corporate assets. In most large corporations the CEO may be half a world away and never have met the employee in question. Even so, the breach happened on the CEO’s watch, and the bill would make the CEO accountable for the repercussions. Whether CEOs would still be charged with negligence if they had made a proper preventative effort to minimize security risks -- and to what extent -- remains to be determined, and depends on the form in which the bill is eventually enacted.
If approved by Congress, the bill will light a fire under most large enterprises to either begin deploying security tools or scramble to evolve their existing protocols, so that their CEOs do not acquire a criminal record for actions seemingly outside their control. Either way, it will raise cybersecurity to a mission-critical priority for every enterprise.
While CEOs could be personally liable for all “corporate wrongdoings,” the actions leading to an incident can originate from anyone within an organization. Insiders are one of the biggest sources of risk, whether or not the employees involved know they are creating one. Tasks as simple as connecting company-issued devices to personal or public networks, plugging a USB drive into various devices, or clicking a link from an unfamiliar sender in an email or IM can cause the fabric of company security to rip at the seams.
One of the primary channels for cyber intrusion is, unfortunately, the most popular method for information exchange -- email. By one frequently cited estimate, ninety-one percent of cyberattacks and the data breaches that follow begin with a phishing email. Many businesses believe that securing endpoints is enough to minimize opportunities for breaches, but more focus needs to be placed on securing the data that employees generate and access, with simple yet critical mechanisms such as encryption, defense in depth, and two-factor authentication.
Take encrypted communication, for example. It is not a nascent approach to security. It is one of the simplest and most robust options in an enterprise’s toolbox, and one that can sharply limit the harm a security incident causes -- and with it the exposure a chief executive faces.
Consider this: if every message and document an employee sends is protected by its own key, derived so that one key reveals nothing about the others, the payoff for an attacker shrinks to a single item. Imagine a bad actor who spends hours obtaining the key for one message, only to find that every subsequent message in the chain of correspondence requires a different key, and that the one in hand cannot be turned into the next -- that is more than enough to send most attackers looking for an easier target. The caveat is that the keys must be derived one-way and the old key material deleted after use; a rotating key that can be recovered from a later one, or from state left behind on the device, offers no such containment.
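The per-message-key property described above, as an added example that is not code from the original article or from Wire: a symmetric hash ratchet derives a fresh key for each message one-way from a chain key, so a key captured for one message decrypts nothing else. It also demonstrates the caveat: if the chain state is kept around instead of being deleted, whoever steals it derives every later key. Everything here is an assumption of the example (the root key, the three sample messages, and the `ratchet_step` / `message_keys` / `encrypt` / `decrypt` names); the cipher is a standard-library HMAC-SHA256 keystream with an HMAC tag, chosen only so the example runs offline, not a production construction.

```python
"""Per-message keys from a one-way hash ratchet, with the caveat that matters.

Added example; not code from the original article or from Wire. Each message
in a thread gets its own key; a key obtained for one message decrypts nothing
else. The caveat: keys must be derived one-way and the chain state deleted
after use, or "a new key per message" contains nothing.

Standard library only. The cipher (HMAC-SHA256 keystream plus HMAC tag) is an
illustrative stand-in so the example runs offline; use a real AEAD such as
AES-GCM in production. Messages and the root key are constructed sample data.
"""
import hmac
import hashlib
from typing import List, Optional, Tuple

TAG_LEN = 32  # bytes of HMAC-SHA256 tag appended to each ciphertext


def ratchet_step(chain_key: bytes) -> Tuple[bytes, bytes]:
    """One-way step: (message_key, next_chain_key) from the current chain key.

    HMAC-SHA256 is one-way, so neither output can be turned back into
    chain_key, and a message key cannot be turned into the next one.
    """
    message_key = hmac.new(chain_key, b"message-key", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"next-chain-key", hashlib.sha256).digest()
    return message_key, next_chain_key


def message_keys(root_key: bytes, count: int) -> List[bytes]:
    """Walk the chain `count` steps and return one key per message."""
    keys = []
    chain_key = root_key
    for _ in range(count):
        message_key, chain_key = ratchet_step(chain_key)  # old chain key dropped
        keys.append(message_key)
    return keys


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (illustrative, not AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(message_key: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys from one single-use message key."""
    enc_key = hmac.new(message_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(message_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt(message_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a single-use message key."""
    enc_key, mac_key = _subkeys(message_key)
    stream = _keystream(enc_key, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def decrypt(message_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the data was tampered with."""
    if len(blob) < TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(message_key)
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = _keystream(enc_key, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def leaked_chain_key_exposes_future(root_key: bytes, leak_after: int, total: int) -> bool:
    """The caveat: a chain key left on disk after `leak_after` messages lets
    whoever steals it derive every later message key (but none earlier)."""
    chain_key = root_key
    for _ in range(leak_after):
        _, chain_key = ratchet_step(chain_key)
    attacker_keys = message_keys(chain_key, total - leak_after)  # continue from stolen state
    return attacker_keys == message_keys(root_key, total)[leak_after:]


if __name__ == "__main__":
    root = hashlib.sha256(b"demo root key -- constructed sample").digest()
    thread = [b"Q3 numbers attached", b"password: hunter2", b"client list, confidential"]
    keys = message_keys(root, len(thread))
    blobs = [encrypt(k, m) for k, m in zip(keys, thread)]
    # A key captured for message 2 opens message 2 and nothing else.
    print(decrypt(keys[1], blobs[1]))                               # b'password: hunter2'
    print(decrypt(keys[1], blobs[0]), decrypt(keys[1], blobs[2]))   # None None
    # Unless the chain state survived: then everything after it falls.
    print(leaked_chain_key_exposes_future(root, 1, len(thread)))    # True
```

The design point is the asymmetry in the last function: a stolen message key is worth exactly one message, but a stolen chain key is worth the rest of the thread, which is why real messaging protocols pair this kind of chain with periodic fresh key agreement and delete chain state as soon as it has been advanced.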
It is worrying, though, that some of the most popular and mainstream communication and collaboration platforms do not adequately encrypt the information relayed across them: many encrypt traffic in transit to the provider’s servers but not end to end, so the provider, and anyone who compromises it, can read the content. While these systems can function as a digital environment to, for example, quickly share updates about a project, employees also use them to share confidential and sensitive data such as passwords, client information, and other intellectual property.
The ubiquitous nature of communication channels like email certainly means that enterprises will not be giving them up anytime soon. There are tangible productivity benefits to such systems in today’s “always-on” workplaces. However, companies must be cognizant of the inherent security vulnerabilities and understand that they cannot rely on a single mechanism or vendor to build a watertight fortress around their corporate assets. Companies must consider the unique security needs of their organization and ensure that the solutions deployed fit their particular business. At a minimum, consider one built on a simple, robust, and universal mechanism such as end-to-end encryption, which can keep a single compromised message or device from becoming the corporate wrongdoing that substantially affects stakeholders and lands at the chief executive’s door.

Based in San Francisco, Morten is the CEO of Wire.