CEOs who think cybercrime is just the business of CIOs are like Enron’s shrugging off the companies books as something for the accounting department. Those provocative words from Dr. Paul Twomey, president and CEO of ICANN, highlighted an all-star panel discussion on the launch of Cyber Attack: A Risk Management Primer for CEOs and Directors released on December 12 by the British-North American Committee (BNAC) and the Atlantic Council of the United States, the U.S. sponsor of the Committee.

Dr. Twomey noted that, while the Internet has been marvelous in reducing transaction costs and barriers to entry for the good guys, it has done exactly the same thing for the bad guys.  Online crime is now more profitable than illegal drugs and its perpetrators have taken on a mafia model.

Robert Holleyman II, president and CEO of the Business Software Alliance, agreed.  He observed that cybercrime has good from kids in the basement looking for excitement and bragging rights to organized professionals looking to make money.  While the U.S. Justice Department is doing a superb job and lawmakers are scrambling to solve the problem, government can’t do it all.  Indeed, government is mostly reactive – prosecuting criminals after the damage is done.  It’s the refore up to business leaders to adopt best practices and constantly update them.

Paul Kurtz, partner and COO of Good Harbor Consulting and a former senior advisor to Presidents Clinton and Bush on cyber-espionage, said both governments and CEOs have been “asleep at the switch” on these issues.  When the main risk was the loss of sensitive information and potential identity theft for customers, most CEOs simply wrote it off as “a cost of doing business.” Now that their own intellectual property is at stake, however, more are beginning to wake up.

H.E. Väino Reinart, Estonia’s Ambassador to the United States, spoke about the recent cyber attacks on his government’s network. He praised the report as “a no nonsense paper” and urged CEO’s to pay heed.  He also touted the need for governments to sign on to the Council of Europe’s Convention on Cyber-crime and work together to implement solutions to this growing problem.

More from the report:

CEOs must make cyber security a top priority or their businesses could fall victim to industrial espionage similar to recent cyber attacks on such large companies as Rolls-Royce and Royal Dutch Shell.  The one global Internet, for which the Internet Corporation for Assigned Names and Numbers (ICANN) coordinates addresses, makes possible about $2.8 trillion in global e-commerce annually.

“As enterprise on the Internet has become more sophisticated, so have cyber criminals,” said Twomey, one of the report’s main authors. “The message of this report is clear – senior government figures and leaders of corporations need to make cyber-security a personal priority.”

“Global investors, CEOs and board directors, while measuring risks to the corporate bottom line, will have to know what they are doing to prevent data compromises. CEOs are not IT experts and they don’t have to be.  This report is a quick comprehensive reference list of things that every chief executive should know and do,” said William Mayer, founder of Park Avenue Equity Partners and chairman of the BNAC Cyber Security and Business working group.

“We live in a completely different environment wherein people and businesses are dependent on technology and the Internet and while this helps us run are companies better, we need to realize that there are corresponding risks and threats. Cyber security is therefore critical to the success of every enterprise,” said Frederick Kempe, Atlantic Council president and CEO and a BNAC member.  “It must be an integral part of every CEO and directors thinking and planning.”

The report calls on CEOs and corporate directors to take actions to protect their businesses and organizations from cyber attacks. It identifies information security threats, and most commonly made mistakes in data security and provides recommendations for business and corporate leaders to manage cyber security risks.

“This report is a timely reminder to all organizations – large and small, public and private – of the need keep up with best data security practices. The risks are very real but help is at hand,” said Clive Mather, until recently president and CEO of Shell Canada and a BNAC member.

Among its recommendations, the report urges CEOs and directors to:

• Establish a comprehensive information security policy, implemented by senior management;
• Hold a company-wide security audit to expose vulnerabilities and strengths and give a complete picture of an organization’s security requirements;
• Underpin a robust security culture with frequent and rigorous testing; and
• Prioritize keeping abreast of changes in security technology and best practices, including through participation in relevant international information security organizations.

The report further provides a comprehensible information security checklist of recommendations chief executives and directors must follow to protect their corporations against industry espionage. Endorsed by members of the British-North American Committee, a group of distinguished business, academic, and labor leaders from the United Kingdom, the United States and Canada.

Resources:

• Cyber Attack: A Risk Management Primer for CEOs and Directors
• Video: watch the event
• Council of Europe Convention on Cybercrime
• International Standards Organization”Information Security Management – Specification With Guidance for Use,” a/k/a ISO 27001 available for purchase at http://www.iso.org/iso/catalogue_detail?csnumber=42103
• Post your comments at http://blog.icann.org/