How a Pandemic Can Help Boards Understand Cybersecurity

By Mike Lloyd and Ray Rothrock


COVID-19 Cybersecurity Online Article

Cybersecurity Ventures predicts cyberattacks will cost $6 trillion globally by 2021, and the average single data breach will cost $3.86 million. It’s no wonder that cybersecurity is one of the top concerns of boards. However, the struggle to understand the cyber readiness and resilience of organizations is real. It doesn’t help that cybersecurity professionals tend to delve into complex details. These complicated security conversations about hidden threats may be difficult for the average executive to visualize, understand, or quantify.

We see a useful analogy between the current pandemic and cybersecurity. Looking at cybersecurity through this lens can make some things clear that tend to be obscured by technical mumbo-jumbo. During the pandemic, we have all learned quickly about public health, epidemics, and the ways in which to fight back. These same concepts apply directly to cyber risk and can transform the dialogue about cybersecurity in the boardroom.

What has the pandemic taught us? Three clear principles have been hammered home, and each one has a corollary in network security:

  1. Social distancing
  2. Contact tracing
  3. Basic hygiene

Minimize Risky Connections

Maintaining social distance is important to slowing the spread of a virus because infectious diseases exploit our social interactions. Likewise, cyber threats tend to spread machine to machine, much the same way diseases spread from person to person. We even call one class of online threat a “virus” because the analogy is so strong. As people facing a pandemic, we’ve all had to think seriously about how to limit physical contact—in grocery stores, in taxis, at sports games. We’ve had to reexamine how we do the things we enjoy, realizing that some precautions are necessary so that our recreation doesn’t cause excessive risk.

The same tradeoff happens online—your company network with its connections to customers and suppliers exists so you can do business. But those connections open up potential pathways for attack. You need to separate some of your organization’s assets from the outside world or else your core business will be at greater risk from online viruses, ransomware, or just bad actors. It’s no fun to apply social distancing to your network and maintain it, but you need to.

Hunt and Trace

Contact tracing is essential because we can’t stop a pandemic unless we know who is infected and needs to quarantine. We also need to identify disease hotspots. The same is true in business networks—you can’t just build a network, start doing business online, then stop worrying about it. Networks are dynamic. You have to know what’s on your network and how it all connects so that you can track the spread of an attack, the same way we track the spread of disease.

In both situations this is done with a combination of people and technology. For the pandemic, we train contact tracers and testers, and we arm them with antibody test kits. For cybersecurity, you need a team who can identify and track cyberattacks as they move through your network. Then, they can quarantine the intrusion and block its effectiveness. There is a secondary advantage, too. These threat-hunting teams will become expert in all your business flows and the pathways they use, so they can track what doesn’t belong. They can provide great insight into how your business actually works, down to the nuts and bolts, where many organizations struggle to keep track.

Wash, Rinse, Repeat

Finally, and most importantly, basic hygiene really matters. For the pandemic, we know that the combination of facemasks and thorough hand washing is our best and most effective defense. We continue to hope for a breakthrough medical treatment, but it may be a long time coming, and it may be less than 100 percent effective when it does arrive.

The hygiene lesson also applies directly to cybersecurity. Security fundamentals need to be adhered to. Too many intrusions are allowed in by simple oversights. Make sure you know what is on your networks and that everything is set up securely. You’d be surprised how often a well-known default password is left on a device. Demand compliance with standardized rules for how networks are set up and maintained. These are policies established by industries, governments, and your own organization. Then, the extent to which the rules are being followed should be measured and reported.

In both a pandemic and network security, we need to help ourselves. Hoping that the next magical technology solution from a security vendor is going to make all of our ills disappear is like waiting for a cure-all pill. The complexities of human biology are not going away any time soon, and neither is the comparable complexity of the cyber world.

Stay tuned for the January/February 2021 issue of NACD Directorship, in which this topic will be expanded upon. And tune in at 3 PM ET on October 29 to hear Ray Rothrock moderate the Expert Insights: Data Privacy and Cybersecurity panel, part of our Virtual NACD Summit 2020.

Robert Peak
Robert Peak has served in senior capital markets policy roles including at the SEC, where he worked on the Commission’s issuance of its 2018 cybersecurity guidance. He has advised commissioners, members of Congress, and board members, and is a thought leader in securities trading, regulation, and enforcement.

Ray Rothrock
Ray Rothrock is executive chair of RedSeal, the author of Digital Resilience: Is Your Company Ready for the Next Cyber Threat?, and serves on the board of the NACD Northern California Chapter.