Technology Mash-Up and Board Governance: The Perfect Storm

Recently, I found myself at the terrifying intersection of AI, cyber threats, phishing, the Internet, and CrowdStrike®—a collision that’s unnerving on a personal level but downright apocalyptic when you consider its implications for an entire company.

My day began innocuously enough, with a conversation with the COO of a company where I serve on the board. He was excited about a new AI application designed for prospecting. Imagine, he said, an AI that scours countless websites, identifies the exact pain points your prospects face, and then crafts an entire email outreach sequence—no human involvement needed. Gone are the days of endless hours spent researching; AI has turned sales into a swift, hyper-efficient process. It's remarkable, really—a glimpse into a future where AI dominates the sales landscape, cutting through the noise with precision and speed.

But then, within an hour, my day took a dark turn. I was hit by a "smishing" attack—a phishing scam delivered through a seemingly innocent SMS text. The message claimed to be from FasTrak®, the toll collection agency for the San Francisco Bay Area, informing me of an unpaid toll. It was eerily timed, as I had just crossed the Golden Gate Bridge the day before. Red flags went up, but the familiarity of the situation made me second-guess myself.

I was wary of the link in the text, so I tried to log in to the FasTrak® website on my laptop instead. It wasn’t acting normally, but I brushed it off—maybe it was just another residual effect of the recent CrowdStrike® outage. Against my better judgment, I filled out the form in the text message, surrendering personal information and my credit card details.

Moments later, dread set in. I logged into the FasTrak® site again, only to find that I owed nothing. My account was in good standing, well above the minimum balance. Realizing I had been duped, I scrambled to cancel my credit card and freeze my credit across the three major bureaus—Experian®, Equifax®, and TransUnion®. The incident left me with a sinking feeling, a sense of vulnerability that was only exacerbated as I pored over the long history of breaches where my personal information had been exposed on the dark web.

I revisited the most recent breach notifications from AT&T®, Ticketmaster®, and Rite Aid®—all warning me that my data might be floating out there in the digital underworld. Full name, email, mailing address, phone number, social security number, date of birth, account details—the list went on. The only silver lining? I hadn’t handed over anything to the fake toll collector that wasn’t already compromised.

A quick Google search revealed that the smishing attack had originated from a website registered in Hong Kong, with tentacles reaching into China and Russia. The thought of it sent a chill down my spine.

And then, there’s CrowdStrike®. On July 19, a software update from CrowdStrike®—a company that touts itself as a global leader in cybersecurity—triggered one of the largest IT outages in history, crippling companies worldwide and causing direct losses estimated at over $5 billion for Fortune 500 companies. Airlines were grounded, the healthcare and banking sectors were thrown into chaos, and millions of customers were affected.

CrowdStrike®, a company that raked in over $3 billion in revenue in 2023 by promising to protect endpoints from cyber threats, couldn’t even protect itself from its own software update. The irony is as brutal as it is terrifying.

Now, consider a driver who uses his approved company’s credit card to pay the tolls. With this “attack” and without their knowing it was an attack, the company’s credit card is now in the hands of bad actors. Undoubtedly the limit on a corporate account is higher than an individual’s, increasing the risk and making the impact many times worse. Here you can see a potential path to a corporate credit card hack and certainly to other malfeasance.

The toll tag scraping is not a ransomware event, or a data breach (not obviously, anyway), but it is a fraud activity and leads one (me at least) to wonder just what else could happen. What IS the starting point of a major cyber/fraud event? How does it manifest from there? How far could a simple toll tag scrape and a $25 credit card charge actually go, knowing what info was accessed?

This is just the tip of the iceberg of the negative impact cybersecurity and technology can have on the companies we serve.

The Potential Impact on Companies vs. Individuals

For an individual, falling victim to a cyber-attack like smishing can be devastating, but the damage is usually confined to that person's financial and personal information. The ripple effects might include a compromised bank account, stolen identity, and a long road to recovery. The experience is unnerving, and the consequences are personal.

However, when the same scenario plays out within a company, the impact can be exponentially more severe, cascading through the organization with devastating speed. Consider the following:

  • Financial Losses: For a company, a single compromised corporate credit card can result in unauthorized transactions that run into the tens or hundreds of thousands of dollars. But that’s just the beginning. The breach of one piece of financial information can expose other sensitive data, leading to widespread fraud, embezzlement, or even corporate espionage. The financial losses are not only direct but can also include fines, legal fees, and the cost of remediation.
  • Reputational Damage: In the age of instant communication and social media, news of a security breach can spread like wildfire, damaging a company’s reputation in the blink of an eye. Customers, partners, and investors may lose trust in the company’s ability to safeguard sensitive information, leading to lost business and a plummeting stock price. Rebuilding that trust can take years—if it’s even possible.
  • Operational Disruption: A cyber-attack can bring a company’s operations to a grinding halt. Whether it’s a targeted attack on a specific department or a widespread outage like the one caused by CrowdStrike®’s software update, the disruption can cripple productivity, delay projects, and result in significant revenue losses. In industries like healthcare, finance, and transportation, such disruptions can have life-or-death consequences.
  • Legal and Regulatory Consequences: Companies are subject to a wide range of laws and regulations governing data protection and cybersecurity. A breach can trigger regulatory investigations, lawsuits, and substantial fines. In some cases, executives and board members may be held personally liable for failing to uphold their fiduciary duties.

I asked ChatGPT to give recommendations for Board Governance.

ChatGPT

Recommendations for Board Governance

In light of these immense risks, the role of the board in overseeing cybersecurity and technology governance is more critical than ever. Here are key recommendations for boards to consider:

  1. Elevate Cybersecurity to a Strategic Priority: Cybersecurity should be viewed not just as an IT issue but as a core strategic concern. The board must ensure that cybersecurity is integrated into the company’s overall business strategy, with adequate resources allocated to protect the organization from evolving threats.
  2. Establish a Dedicated Cybersecurity Committee: Given the complexity and importance of cybersecurity, many boards are establishing dedicated Cybersecurity Committees. These committees should include members with deep expertise in cybersecurity and technology, who can provide informed oversight and guidance.
  3. Regularly Review Cybersecurity Policies and Procedures: The board should mandate regular reviews of the company’s cybersecurity policies and procedures, ensuring they are up-to-date and effective in addressing current threats. This includes incident response plans, disaster recovery protocols, and employee training programs.
  4. Conduct Regular Cybersecurity Audits and Assessments: Independent audits and assessments can provide an objective view of the company’s cybersecurity posture. The board should ensure that these assessments are conducted regularly and that any identified vulnerabilities are addressed promptly.
  5. Engage in Continuous Education: Cyber threats are constantly evolving, and board members must stay informed about the latest trends and best practices in cybersecurity. This can be achieved through ongoing education, training sessions, and participation in industry forums.
  6. Foster a Culture of Cybersecurity Awareness: The board should work with management to cultivate a culture where cybersecurity is everyone’s responsibility. This means promoting awareness at all levels of the organization and encouraging employees to report suspicious activities without fear of retribution.
  7. Prepare for the Worst: While prevention is crucial, the board must also ensure that the company is prepared to respond effectively to a cyber-attack. This includes having a robust incident response plan, clear communication protocols, and a well-practiced crisis management team.
  8. Monitor Third-Party Risks: Companies increasingly rely on third-party vendors and partners, who may introduce additional cybersecurity risks. The board should ensure that third-party risks are thoroughly evaluated and managed, with appropriate controls and oversight in place.

Conclusion

In today’s fast-paced, technology-driven world, the threats posed by cybersecurity and technology failures are pervasive and escalating. For board members, the stakes have never been higher. Ensuring comprehensive oversight and governance in these areas is not just about protecting the company—it’s about safeguarding its very future.


ABOUT PATRICIA WATKINS

Patricia Watkins is an experienced board member, Go-To-Market (GTM) Strategist and Sales Growth Expert. She has held senior leadership roles in Sales, Marketing, Alliances, and Channels, with Fortune companies including HP, Teradata, AT&T, NCR, and a number of start-ups in Silicon Valley. Patricia has led new teams starting at $0 million to existing teams delivering in excess of $800 million in annual sales.

Patricia graduated with a BBA from The University of Texas, and an MBA from Santa Clara University, both with honors. She is currently on 5 Boards.


Disclaimer: The views and opinions expressed in this blog are solely those of the authors providing them and do not necessarily reflect the views or positions of the Private Directors Association, its members, affiliates, or employees.
