By Linda C. Ashar, J.D.
Faculty Member, Dr. Wallace E. Boston School of Business
Cybersecurity risk is an omnipresent issue today for any type or size of business. For many business managers, thoughts about cybersecurity typically focus on how well their electronic systems can resist hackers or hijackers.
However, the issues and potential risks for cybersecurity problems are wide-ranging. They require a comprehensive understanding of cybersecurity from a business management perspective, involving all facets of a business's operations.
Nearly all business activities rely on connectivity to cyberspace. The five top cybersecurity concerns for business managers are:
- Security of electronic systems
- Supply chain security
- Privacy of customer and corporate data
- Employee activities
- Legal issues
Security of Electronic Systems
It’s important for business managers to assume that a cybersecurity breach is inevitable. According to the Harvard Business Review, management from the board level to individual team members must be knowledgeable about what assets need to be protected and how to respond to security problems.
Leaving the defense against cyberattacks solely to the company’s IT person or department is like sitting in a dark room and hoping someone else remembers where to find the light switch. Ideally, business managers should have a documented approach to security questions such as:
- How will a breach affect each part of our company’s activities?
- What is the response plan?
- Is it regularly updated?
- Are all systems routinely tested?
- Are employees properly trained?
Supply Chain Security
Cybersecurity in supply chains reaches far beyond IT management. It includes areas such as product sourcing, supply chain interruption, transportation functions and communications, and customer service.
A recent and colossal example was the ransomware attack on Colonial Pipeline. To protect pipeline operations, the company had to shut down one of the largest pipelines in the nation, affecting the delivery of refined gasoline and jet fuel to its sources.
The ransomware attack on Colonial Pipeline is just one example. The U.S. government’s National Institute of Standards and Technology (NIST) identifies these areas as key supply chain cybersecurity risks:
- Third-party service providers or vendors ranging from janitorial services to software engineers who have physical or virtual access to information systems, software code, or Internet Protocol (IP) addresses
- Poor information security practices by lower-tier suppliers
- Compromised software or hardware purchased from suppliers
- Software security vulnerabilities in supply chain management or supplier systems
- Counterfeit hardware or hardware with embedded malware
- Third-party data storage or data aggregators
NIST also suggests several best practices for avoiding these problems. These best practices should be a part of every business manager’s toolkit and part of conducting business as usual.
In particular, NIST recommends that business managers ensure that contracts with suppliers cover:
- Contingencies for supply chain interruption
- Security requirements and remedies for software purchase/use
- Use or sharing of third-party systems
Privacy of Customer and Corporate Data
Cybersecurity expert Bruce Schneier said, “Surveillance is the business model of the internet. Everyone is under constant surveillance by many companies, ranging from social networks like Facebook to cellphone providers. This data is collected, compiled, analyzed, and used to try to sell us stuff. Personalized advertising is how these companies make money and is why so much of the internet is free to users. We’re the product, not the customer.”
While Mr. Schneier’s concern was directed primarily to individual users so that they would be aware of corporate surveillance, his warning is equally relevant for business managers. The privacy of corporate data, and of the personal private data for which a business is custodian (such as customer identity information), is of paramount importance in cybersecurity.
Just ask Facebook, which confronted several data dump accusations in 2021 alone. The company is also dealing with potential class action litigation under consideration in Ireland.
Employee Activities
Employees use their employer’s hardware and software daily in myriad ways. They use the company’s electronic systems to perform their jobs, but often access the internet during breaks for activities such as checking personal e-mail, shopping or browsing social media. These activities can expose a company to malware, viruses and hackers.
Clearly, cybersecurity risks co-exist with legal risks. For example, the doctrine of respondeat superior holds an employer liable for employees’ wrongful and illegal actions conducted in the course of their employment. If an employee has authorized use of the employer’s computer or electronic system and uses it to injure someone else or commit a crime, it is the employer’s burden to establish the employee was acting outside the scope of employment.
Proving that an employee was acting outside the scope of normal employment is not easy to do, however. This liability arguably extends to the use of employer-owned cell phones.
Another risk is an employee’s use of a computer to defraud their own employer by misappropriating proprietary and other confidential information. If the employee obtains this information without authorized access (for example, by hacking into the employer’s files from inside the organization), the act could be a criminal violation of the federal Computer Fraud and Abuse Act (CFAA). It would also give the employer grounds for civil action against the employee.
However, if the employee does have permissive access and authorized use, the U.S. Supreme Court has held that information misappropriation does not violate the CFAA. Employers must therefore have clear policies on the use of their electronic systems and control employee access to these systems. Training is an important component of managing employee use of company computers, digital data and electronic systems.
Other legal issues relate to the ripple effect of computer system failures or cybersecurity breaches. A cybersecurity-related shutdown that causes a delay in production or transportation can interfere with contractual obligations to the customers of a business. The release of private customer information can lead to financial damages not only from litigation, but also in harm to the reputation of a business.
Part of creating a good cybersecurity strategy is management’s recognition of the legal risks inherent in a security breach, and the inclusion of that assessment in the company’s planning. According to Mike Muller, former Chief Technology Officer at ARM, every business must assume it will experience a cybersecurity breach and have a “solid mitigation strategy.”
Cybersecurity Insurance Is a Wise Choice
Cybersecurity insurance plays a vital part in this mitigation strategy. Forbes recommends that businesses obtain cybersecurity insurance to cover damages for ransomware attacks, privacy breaches (including litigation), the loss of business income for downtime caused by weather-related outages or criminal attacks, and regulatory fines.
The university is responding to the need for business managers to develop more expertise in cybersecurity by offering various academic programs in cybersecurity. These academic programs include both online degrees and certificates.