A knock on the door…
The serious-looking man with the grey hair cut in a sharp military style arrived at the offices of the design-engineering firm accompanied by a much younger woman. They presented themselves at reception and asked for the Chairman and Group CEO by name.
The woman had arranged the appointment over the telephone the previous day. One of those strange, out-of-the-blue, no-nonsense calls. She was acting on behalf of an enforcement agency but couldn’t say any more than that. She suggested it would be wise for the company’s lawyers to also attend the meeting.
The receptionist ushered them straight through to the boardroom where the Chairman had already assembled the CEO, Finance Director and two corporate lawyers from a ‘magic circle’ law firm. Who were these people and what was the purpose of their visit? Well, they were actually UK representatives of the Federal Bureau of Investigation. Yep, the United States’ very own FBI. The purpose of their visit was to inform the company that they had infiltrated a major cyber espionage ring targeting companies across the globe and this company had been a target. The FBI discovered the company had been infiltrated through ‘a black hole’ in its network security over a period of 5 years. It wasn’t bank account information that was the target though; this was a case of industrial espionage.
The hackers accessed highly valuable information that they sold on to competitors and other third parties: client information, tender and contract pricing documents, design templates and technical data. Carefully, and undetected, for over 5 years. In a nutshell, this company’s competitors had been receiving information that gave them an opportunity to create a competitive advantage. This sounds like a work of fiction (albeit badly written fiction!) but in fact it’s a true story. It happened last year.
The point here is that all businesses face risks; that is stating the obvious. Although some areas like global supply chains are more complex than they have ever been, it’s easy to identify the risks that can cause serious impact on a company’s future cash flow, balance sheet and overall security. The difference is that all companies are now ‘Tech’ companies. Software runs like veins through every business. It holds data, it automates production systems, it helps design products, it enables customers to spend money on our products without leaving their armchair, we use it to prepare presentations and tenders, but above all we use it to improve productivity and give us an advantage over our competitors.
It is really important to give this risk a high profile in board meetings. It’s very real, growing rapidly in frequency, and the perils of getting the risk and insurance protection wrong can be crippling. This is not about undermining your IT director, but some simple questions can clarify a lot:
1. If a third party infiltrates our IT systems, will we know? Do our staff have the technical ability to identify and rectify the problem, or will we need outside contractor help? How will we pay for that?
2. If our IT system is crippled by malware, how will we deal with the impact? Can we afford a drop in income whilst we try to fix it?
3. What about the actions of disgruntled employees? Current or recent employees cause most cases of IT sabotage.
4. Do we train our staff to understand the significance of our IT/software security on our ability to trade (and keep them in their jobs)?
5. If we lose client data, can we pay the Information Commissioner’s fine (up to £500,000 under the Data Protection Act 1998)?
6. If we hit a problem and it becomes public knowledge, how will our clients and suppliers react? Do we have a public relations contingency plan at the ready?
7. How will other stakeholders such as our bank and investors view a serious incident? If it has a material impact on the business, will we be exposed to legal action as directors?
This type of risk exposure is developing fast and it’s difficult to keep up with. My suggestion, though, is that as a director or officer of a company you make sure software risk and its impact is firmly rooted in your Corporate Governance/Business Management programme.
After all, you don’t want the FBI to come knocking at your door, do you?!