Three lessons for boards and trustees from the Colonial Oil ransomware case

2021-05-11

The Colonial Oil debacle was catastrophic by itself. Suppose the bad actors had shut down the entire electrical grid at the same time? Suppose they had compromised access to the air traffic control system while thousands of flights were aloft?

Cyber security is a negative goal: no matter how hard we try, cyber breaches are not a question of “if” but “when”. So, what can board members do to at least mitigate the risk? Here are three ideas that can help:

  1. Give your CISO a sophisticated risk-assessment framework such as those developed by FAIR, NIST, and/or ISO/IEC 27001 to plan for and assess cyber risk. Where are the weak points that need to be addressed? Since we have limited resources and can’t fix everything, which areas carry the highest probability of being breached?
  2. Designate a member of your cybersecurity board committee to help translate the more technical terms of cyber risk into understandable language.
  3. Follow board-level cybersecurity best practices; what are your peers doing? Having a written set of best practices isn’t enough. Board members, in their role as fiduciaries, must be able to demonstrate that they are following a prudent process by monitoring conformance with best practices on an ongoing basis.

Unfortunately, the Colonial Oil breach is not a one-off occurrence, nor will it be the last. By following a prudent path, board members can sleep at night knowing that, while cyber breaches will happen, they have done their best to mitigate the risk.