In early 2020, a highly sophisticated group of hackers carried out one of the most widespread cyber attacks ever committed. The group, believed to be working for the Russian government, broke into the computer systems of SolarWinds, an IT management software developer, and planted malicious code in the company’s monitoring tools.
By June, the malware had given hackers access to internal information at hundreds of federal agencies and Fortune 500 companies. By the time the hack was discovered, the hackers had had months to spy on government and corporate activities.
For both the public and private sectors, the incident was a wake-up call about a steadily growing threat. Cyber attacks are as old as the Internet, but in recent years they have become more sophisticated, insidious and destructive. Direct reported losses from cyber attacks have been small, on the order of $500,000, but the International Monetary Fund recently warned that the risk of extreme losses, at least $2.5 billion, has grown.
Given the high stakes, the responsibility for protecting the company from cyber attacks falls to its highest body: the board of directors. A critical job for boards today is to determine whether the right culture and governance are in place to protect the company’s systems from cybersecurity threats, which requires a granular understanding of cyber risks.
“Boards have to be financially smart, of course, but they also have to be cyber smart,” said Ron Green, cybersecurity fellow and former chief security officer at Mastercard. “Boards face that challenge every day, whether they realize it or not.”
But that level of expertise on the board is rare: Only 12% of S&P 500 company boards have cybersecurity experts on their boards, says Kimberly Cheatle, director of the US Secret Service (2023 survey by NightDragon, a venture capital firm that funds cybersecurity companies, and Diligent Institute).
To help directors protect their companies and citizens from cybercrime, Mastercard has worked with the Cyber Security Council to develop a training course, the Cyber Security Council Academy, alongside the United States Secret Service, the Cybersecurity and Infrastructure Security Agency, the National Association of Corporate Directors and NightDragon. “This is a really unique opportunity to start filling that gap,” Cheatle says.
The inaugural session of the CISA and Secret Service Board Academy took place Tuesday at the Secret Service’s James J. Lawrie Training Center in South Laurel, Maryland, bringing together company directors and industry experts to explore the latest advances in protecting digital networks.
Mastercard Cybersecurity Fellow Ron Green speaks to company directors attending a cyber risk and resilience training session in Maryland earlier this week. (Photo by Rebecca Abraham)
“We wanted to make sure that we were strengthening that connectivity,” says Jen Easterly, director of CISA. “The private sector certainly can’t be expected to take on sophisticated nation-state actors on its own, so it’s really going to be important to increase and strengthen the connectivity between the public and private sectors,” she says.
Working together to protect our national infrastructure
In an increasingly interconnected world, cybersecurity must be a team effort, which is why Mastercard and its partners hosted board members from Fortune 500 companies and many executives representing our critical infrastructure to learn directly from government and industry experts. With a curriculum based on NACD and Internet Security Alliance principles for effective cyber risk oversight, participants discussed threats, governance, protection and resiliency, laying the foundation for best practices for continuous cyber defense.
The damage from these attacks can reach far beyond the financial, as criminals and state-sponsored actors seek to spy on or disable the nation’s critical infrastructure. No institution is off-limits: hospitals, school systems, medical research institutions, and state and local governments are all targets. And because much of America’s infrastructure is privately owned, the business sector plays a key role in civil defense.
“Finding ways to be vigilant on this issue on behalf of companies and on behalf of the country is critical to our work,” said Stephen Jennings, an independent director at semiconductor maker Analog Devices Inc., who was one of 16 directors who attended the first meeting. “We have a much deeper understanding of enforcement capabilities, the latest trends and the latest risks.”
The program also creates an ongoing public-private partnership, allowing participants to learn from each other and stay ahead of threats: Board members can tap into a growing network of cybersecurity expertise, and CISA and the Secret Service have avenues for feedback to fine-tune messaging for the broader private sector.
“Cybersecurity has to be a collaborative effort. Going forward, industry and the public sector will have to work together to address cybersecurity,” Jennings said. “The threats aren’t going away anytime soon. This is going to be an ongoing battle.”