Published on July 2nd, 2019

Encryption is ‘key’ for CEOs to avoid potential prison time



Benjamin Franklin said that there are only two things
certain in life: death and taxes. But across every enterprise, another
certainty exists: cyberthreats. The number of security breaches continues to
grow each year, while the average cost of cybercrime for an organization has
increased from $1.4 million to $13 million. However, cyberattacks no longer
simply affect a company’s brand and bottom line. With a quarter of new bills
introduced in the House of Representatives directly addressing cybersecurity
concerns, the issue has reached a crescendo.

One federal statute that will radically change the way
organizations manage cybersecurity protocols and processes is 2019’s Corporate
Executive Accountability Act. The bill states that CEOs will be accountable for
any corporate wrongdoings that “lead to harm,” including data breaches, that
affect stakeholders, including employees. In theory, once the bill is passed, a
chief executive could serve a prison term if an employee of his or her
organization unknowingly clicks on a malicious hyperlink and grants universal
network access, essentially rolling out the digital red carpet for external bad
actors to do as they wish with corporate assets. In most large corporations,
the CEO may be half a world away and not have even met the employee in
question. Even then, the security breach happened on his or her watch, making
them accountable for the repercussions. Whether or not CEOs will be charged
with negligence even if they made a proper preventative effort to minimize
security risks — and to what extent — is still to be determined based on the
prospective enactment of the bill.

If approved by Congress, these bills will light a fire under
most large enterprises to either begin deploying security tools or scramble to
evolve their existing protocols to ensure their CEOs won’t acquire a criminal
record based on actions seemingly outside of their control. Either way, it
will boost cybersecurity to a mission-critical priority for all enterprises.

While CEOs could be personally liable for all “corporate
wrongdoings,” the actions leading to the incident can originate from anyone
within an organization. Insider threats are one of the biggest sources of
vulnerabilities, whether or not employees are aware that they’re posing a
security risk. Even tasks as simple as connecting company-issued devices to
personal or public networks, plugging a USB drive into various devices, and
clicking on a link from an unfamiliar sender in emails or IMs can cause the
fabric of company security to rip at the seams.

One of the primary channels for cyber intrusion is,
unfortunately, the most popular method for information exchange — email.
Ninety-one percent of cyberattacks and resulting data breaches begin with a
phishing email. While many businesses believe that securing endpoints is enough
to minimize opportunities for breaches, more focus needs to be placed on
securing the data that employees generate and access with simple, yet critical,
mechanisms such as encryption, multi-layer security, and two-factor
authentication.

Let’s take encrypted communication, for example. It’s not a
nascent approach to security frameworks. It’s one of the simplest and most
robust security options in an enterprise’s toolbox, and one that can
potentially eliminate CEO accountability for harmful security incidents.





Consider this: If all communication and documents sent by
employees possess encryption keys that change with each file, then this in
itself would be a fairly substantial deterrent to hackers. Imagine a bad actor
spending hours ‘unlocking’ a message, only to find that every subsequent
message in a chain of correspondence requires a unique decryption key — that’s
more than enough to deter most hackers from continuing down that road.
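
The per-message keys described above, sketched as an added example (not code from the article or from any product it mentions). It assumes an HMAC-SHA256 key chain and uses a standard-library stand-in cipher; the function names and the sample thread are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

def ratchet(chain_key: bytes):
    """One chain step: returns (next_chain_key, message_key)."""
    message_key = hmac.new(chain_key, b"message", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"chain", hashlib.sha256).digest()
    return next_chain_key, message_key

def _keystream(key: bytes, length: int) -> bytes:
    # Stand-in stream cipher (HMAC in counter mode) so the example needs only
    # the standard library; production code would use an AEAD such as AES-GCM.
    blocks = (hmac.new(key, b"enc" + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(message_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt then authenticate one message under its own key."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(message_key, len(plaintext))))
    tag = hmac.new(message_key, b"mac" + ct, hashlib.sha256).digest()
    return tag + ct

def open_(message_key: bytes, sealed: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the data was altered."""
    tag, ct = sealed[:32], sealed[32:]
    expected = hmac.new(message_key, b"mac" + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(message_key, len(ct))))

def encrypt_thread(root_key: bytes, messages):
    """Seal each message under a fresh key derived from the advancing chain."""
    chain, keys, sealed = root_key, [], []
    for m in messages:
        chain, mk = ratchet(chain)
        keys.append(mk)
        sealed.append(seal(mk, m))
    return keys, sealed

# Constructed sample thread and root key (illustrative values only).
THREAD = [b"Q3 forecast attached", b"VPN password reset", b"Client contract draft"]
KEYS, SEALED = encrypt_thread(hashlib.sha256(b"constructed-demo-root").digest(), THREAD)
```

A key recovered for the first message opens only that message: `open_(KEYS[0], SEALED[1])` returns `None`, and because each message key is a one-way output of the chain, it does not reveal the chain key needed to derive later ones.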

It’s worrying, though, that some of the most popular and
mainstream communication and collaboration platforms do not adequately encrypt
the information relayed across their solutions. While these systems can
function as a digital environment to, for example, quickly share updates about
a project, employees also use them to share confidential and sensitive data such
as passwords, client information, and other types of intellectual property.

The ubiquitous nature of communication channels, like email,
certainly means that enterprises won’t be giving these up anytime soon. There
are tangible productivity benefits associated with using such systems in
today’s “always-on” workplaces. However, companies must be cognizant of the
inherent security vulnerabilities and understand that they cannot rely on a
single mechanism or vendor to provide a watertight fortress around their
corporate assets. Companies must consider the unique security needs of their
organization and ensure that the solutions deployed are a perfect fit for their
particular business. At a minimum, they should consider one with a simple, robust,
and universal mechanism such as encryption, which can potentially prevent chief
executives from being accountable for any and all corporate wrongdoings that
substantially affect stakeholders.

Based in San Francisco, Morten is the CEO of Wire
