Cybersecurity for the Board of Directors of Small and Midsized Businesses

Author: Erica L. Opitz
Published: 01 September 2018
DOI: http://doi.org/10.1002/bl.30115
Board Leadership
By Erica L. Opitz, Esq.
Erica L. Opitz is an attorney with Atlanta-based Chamberlain Hrdlicka, providing expertise on a variety of matters relating to corporate governance, commercial contract, mergers and acquisitions, and privately held securities, among others. Here, she offers her insight on the responsibilities of board members and leadership in the realm of cybersecurity, an increasingly daunting challenge for organizations of all types and sizes.
“In the last five years, we have observed a steady increase in attacks targeting businesses with less than 250 employees, with 43 percent of all attacks targeted at small businesses in 2015, proving that companies of all sizes are at risk. It’s not just Fortune 500 companies and nation states at risk of having IP stolen—even the local laundry service is a target. In one example, an organization of 35 employees was the victim of a cyberattack by a competitor,” noted Symantec’s Internet Security Threat Report published in 2016.
It is widely accepted that cybersecurity is one of the greatest threats facing businesses today. Further, experts agree that for most companies, the question isn’t if there will be a cyberattack, but when the cyberattack will occur. It is imperative that the board of directors take a proactive role to address cybersecurity issues. There is no shortage of advice on how the board should deal with this cyberthreat, and most of it seems to have one thing in common: $$$$$.
As an attorney, I find that most of my clients tend to be start-up or midsized privately held businesses, but the commonly available advice on how boards should deal with cybersecurity issues primarily targets the boards of directors of public companies. When the issue arises for a midsized client, the answer is rarely to spend a ton of money on outside cybersecurity companies to evaluate the risks and provide a plan of action. Although Fortune 500 companies are more high-profile targets for cybercriminals, every business is in danger of a breach. All it takes is one employee opening one attachment from an email address they don’t know, or a customer or supplier being breached and an attack coming through their emails to your employees.
Ultimately, the boards of directors of these businesses need to find a more cost-effective way to deal with cybersecurity risk while still addressing the very real danger a cyberattack can pose to the company. What can the board of directors do to protect their company when every dollar spent is vital to the continued operation and success of the venture? What follows is a list of five vital steps that boards of small to midsized businesses should take to mitigate the potentially catastrophic results of a cyberattack.
1. Make cybersecurity a topic on the agenda of each board meeting. Board members for start-ups and midsized companies often must wear many hats and become conversant in topics and issues that would not normally be in their area of expertise. Often, these companies do not have a chief technology officer or chief information security officer unless they are a technology company, but most have at least a small IT department or an outside consultant that performs IT functions for the company. The board should request that their IT professionals provide at least a quarterly update of potential weaknesses in the company’s cybersecurity infrastructure and practices.
2. Treat cybersecurity like any other business risk. A cost-benefit analysis should be completed weighing security concerns against customer relations. Inevitably, more secure systems tend to be less “user-friendly.” If the company is going to lose valuable customers by taking certain security measures, then the cost may be too high. Just like any other risk, the board of directors should determine the types and amounts of risk to accept, avoid, mitigate, and insure against. Cyber liability insurance coverage can be especially important for companies that collect or process customer data or payment information. These insurance policies also typically reimburse for investigations into the security breach, lost profits as a result of business interruption, and legal expenses.
3. Train your employees and consultants to follow at least basic cybersecurity procedures. Although most small to medium-sized businesses cannot afford to bring in cybersecurity experts to train staff, the company should provide at least some basic internal training on best practices for cyberdefense. Among other items, these should include not opening attachments from email addresses that you do not know and a procedure for where to forward these emails to determine whether they are legitimate or a phishing