On July 11, 2023, Microsoft
MSFT
The hackers exploited a vulnerability in Microsoft’s cloud email service to gain access to the accounts. They were then able to use stolen credentials to access other accounts. The hackers were able to steal a significant amount of data, including emails, documents, and other sensitive information.
Microsoft has since patched the vulnerability and blocked the hackers’ access to the affected accounts. However, the full extent of the damage is still unknown. The company is working with law enforcement to investigate the incident.
The Microsoft data breach is a reminder of the growing threat of cyberattacks from bad actors. It is important for businesses to take the necessary steps to not only protect their data from cyber threats but to also be prepared with a remediation plan should a breach take place.
This breach has set off warning alarms for many boards of directors.
Public company directors know their role is to perform oversight of the corporation. This includes reviewing the operating plans, going over financials, and the foundational responsibility of mitigating risk.
Many boards are now focusing on coming up the cybersecurity learning curve in anticipation of the proposed new SEC regulations on board of directors’ cyber compliance.
Given this recent incident involving Microsoft, I thought it would be helpful to share a brief overview of some the steps boards can take in their journey toward cyber readiness and preparedness:
- In terms of immediate actions, boards should start with board education to bring everyone up to the same cyber literacy level. Boards may also want to consider assigning a specific committee to own cybersecurity oversight.
- Additionally, board members should seek to understand what the costs are and the budget impact will be of bringing the company’s cyber systems up to a level that correlates to the cost and risk tradeoff of what the company can accept as the possible loss for the business. Every industry will have different areas of emphasis. For example, protecting intellectual property may not be as big an issue in a retail business as it is in a pharmaceutical business.
- One of the most basic foundational tools that is widely accepted and recognized for performing cyber oversight, and that boards need to understand, is the NIST framework. The NIST Cybersecurity Framework is an oversight tool that breaks cyber risk into five categories and reviews the corporation’s cyber posture and readiness to protect the corporation from a cyberattack. The NIST framework is often used by boards as a scorecard tool to review cyber resilience and readiness, and to rate and identify areas of strength and areas for concentration of resources to improve. Directors will be well served to do a review of the NIST Framework with the full board.
While it is critically important to take preventative measures, the recent incident at Microsoft highlights that no business can be 100% immune from cyberattacks.
The natural next step in cybersecurity preparedness is having a cyber response protocol in place in case of a breach or cyber-attack:
- Think through the protocol in advance. Have the IT and/or cyber teams review the crisis management tabletop exercise they have run with the board. Ensure that they’re ready with external cyber forensic experts.
- As part of tabletop cyber planning, ask the CISO and/or tech team to run through their post-breach protocol with the board. For example, who is the outside council they would use? Who is the forensic consultant? Who on the communications team is in charge?
- Post-breach the key area organizations need to focus on is how to remove and stop the attacker’s ability to move around within the company. It is important to keep in mind that many internal IT systems within companies were set up for efficiency. The internal IT systems typically presume that all the other systems are trusted and so there are connection points that make it easy for an intruder to move around within a system. In general, overall IT system designs are not specifically architected with cybersecurity in mind. This is an area to reexamine.
As board members seek to conduct oversight and guide management priorities, it may be helpful for the board to consider bringing in outside experts to give an orientation and briefing.
For example, in 2022 Mandiant (a cybersecurity firm that is now part of Google Cloud) helped over 1,800 customers prepare for or recover from critical cybersecurity incidents.
Cyber-related risk continues to be one of the top concerns businesses are facing. For more information on how boards should think about cybersecurity preparedness and risk mitigation, I recommend reading this white paper shared by the Google Cloud Cybersecurity Action Team, “Perspectives on Security for the Board”.
Read the full article here
