By Vanessa Fuhrmans
Cyber threats have zoomed to the top of chief executives' worry
lists for fear a data breach could cost them their jobs and take
down their businesses.
The fallout of attacks on companies from Target Corp. to Yahoo
Inc. and, most recently, Equifax Inc. has thrust more corporate
bosses to the front line of cybersecurity issues and changed the
way they work.
No longer leaving data protection just to I.T. departments, CEOs
are now often the ones reassuring nervous boards, stressing the
importance of data-security to employees and are leading cyber
drills to gird for a potential hack. And as especially ripe
phishing targets, chief executives -- more than many other staffers
-- are being forced to rein in once-freewheeling email habits.
The number of U.S. data breaches jumped to a record 791 in the
first six months of 2017, according to the nonprofit Identity Theft
Resource Center and data security firm CyberScout. That is a 29%
jump from the same period last year. At the same time, U.S. CEOs
surveyed by KPMG LLP this year on average ranked cybersecurity as
their top investment focus over the next three years, up from its
second-place spot in last year's survey.
"This is something a lot of us just didn't have to worry about
five years ago -- someone else was handling that," says Michael
Riggs, chief executive of car-hauling company Jack Cooper Holdings
Corp. But now, "any CEO who's not putting this at the top of their
priority list is crazy."
That is partly because their jobs are now often the first on the
line. Breaches at Target, Sony Pictures Entertainment and Equifax
Inc. all spurred the departures of their bosses. Yahoo's then-CEO
Marissa Mayer lost her 2016 bonus after the attack that occurred on
her watch.
"The more it hits everyday citizens, the more likely it will
cost a CEO their job," says Brett Stephens, chief executive of
board and executive search firm RSR Partners.
Jack Cooper, which has more than 3,000 employees and transports
cars for General Motors Co., Ford Motor Co. and other auto makers,
doesn't just have to guard its own data. It is under pressure not
to become the inadvertent portal through which hackers could gain
access to its car-manufacturing customers, whose systems interface
with theirs.
"They are a lot bigger pot of gold than we are, and we have to
give assurances that we're not just OK, but that we're making this
a top priority as far as the CEO and board are concerned," Mr.
Riggs says.
Earlier this year, he rearranged the company's organizational
structure so that the chief information officer reports directly to
Mr. Riggs. On the executive team's conference call every Monday,
the CIO updates Mr. Riggs and the rest of Jack Cooper's top
executives on cybersecurity matters, from software problems with
suppliers to other companies that have suffered attacks. On
occasion, the team has used the weekly updates to act immediately
on a cybersecurity recommendation, such as a software upgrade or
process change.
Among the biggest cyber risks to companies are CEOs themselves.
The sheer amount of publicly available information about them makes
it easy for so-called phishers to craft authentic-appearing email
urging them to click on malicious links or to initiate money
transfers, experts say.
For Michael Hansen, CEO of educational-content company Cengage
Learning, that risk means he often can't immediately respond to
email from students and other customers. He says he makes a point
of answering each email, which during the back-to-school season
number as many as five a day. Now, though, he says he first has to
scrutinize the email address and message or send them to the
company's I.T. department for verification, which usually takes a
couple of hours.
"I would love to just hit the 'reply' button," he says. "But at
the same time I have to be conscious that not everyone could be
legitimate."
A few times a year, Mr. Hansen and other senior managers take
part in cyber drills in which they walk through a simulated
phishing, ransomware or other cyberattack and determine when to
inform customers and investors of the breach.
For a business leader, "going through the process helps you
appreciate the level of pain this will cause in real life," says
John Ackerly, a former tech policy director in George W. Bush's
White House who is now CEO of Washington-based encryption and
data-protection firm Virtru Corp. Plus, "it gives you insight into
the quality of your team and where the weak links are."
A cottage industry of training courses, largely provided by
consulting firms, has sprung up to demystify cybersecurity for
C-suite executives and board directors, who are increasingly
putting chief executives under pressure to bolster their
defenses.
"We're not turning board members into technologists," says Tom
Ridge, the former Homeland Security secretary and Pennsylvania
governor, whose risk and consulting firm, Ridge Global, has put 225
board and senior company executives through a 16-hour cyber
training program since it began earlier this year. "But it gives
them a foundation to exercise their duty in financial
oversight."
Angus Loten contributed to this article.
Write to Vanessa Fuhrmans at vanessa.fuhrmans@wsj.com
(END) Dow Jones Newswires
October 12, 2017 11:25 ET (15:25 GMT)
Copyright (c) 2017 Dow Jones & Company, Inc.
Target (NYSE:TGT)
Historical Stock Chart
From Mar 2024 to Apr 2024
Target (NYSE:TGT)
Historical Stock Chart
From Apr 2023 to Apr 2024