THE MONTHLY BRIEFING FOR BOARDS AND C-SUITE EXECUTIVES
Patience, Playbooks, and Poisoned Code:
Three Events Every Board Needs to Discuss This Month
Three things happened in the past two weeks that, taken together, tell a complete story about the state of cybersecurity governance in 2026. A nation-state stole $285 million using nothing but patience and human psychology. A beloved American toy company, one that once understood the value of proactive cyber governance, was breached and is now warning investors of weeks of disruption. And a piece of software used by tens of millions of developers worldwide was quietly poisoned at the source.
None of these attacks required exotic technology. All three exploited something far more available: the human tendency to believe that if nothing bad has happened recently, nothing bad is coming.
That assumption is the most dangerous vulnerability in any organization. And it is the one that Boards are uniquely positioned, and uniquely responsible, to address.
— Linda Zecher & Kathryn Mihalich, Cyber Knowledge Partners
STORY ONE
The $285 Million Patience Attack
North Korea · Social Engineering · April 1, 2026
On April 1, 2026, the cryptocurrency exchange Drift announced that attackers had stolen $285 million from its platform. The headline was dramatic. The real story was the timeline.
The attack did not begin on April 1 but in the fall of 2025, six months earlier. North Korean state-sponsored hackers from a group known as UNC4736 spent those six months methodically building trust, positioning access, and pre-signing transactions designed to execute at exactly the right moment. When the trigger was finally pulled, it was over in hours. The preparation had taken half a year.
No vulnerability in the software was exploited. No firewall was defeated. The attack worked because people were deceived, carefully, patiently, over a sustained period of time, into granting access and approving transactions that looked legitimate.
The technology didn't fail. The humans did. And they did so over six months without anyone noticing.
This is the attack pattern that keeps intelligence professionals awake at night: not the fast-moving ransomware blast that sets off every alarm, but the slow, deliberate infiltration that looks like normal business until the moment it doesn't. We wrote a fictionalized account of this type of action in Insider Threat.
Nation-state actors, and North Korea in particular, have become extraordinarily sophisticated at this kind of long-horizon social engineering. They research their targets, they build relationships, and they wait. The Democratic People's Republic of Korea has used cyber operations to steal billions of dollars to fund its weapons programs, and it has demonstrated repeatedly that it is willing to invest months of preparation for a single high-value operation.
THE BOARD QUESTION
Does your organization's threat monitoring assume that attacks move fast? Most incident response playbooks are built for rapid-onset events. A six-month slow-burn operation would look like normal activity in most security dashboards. Has your Board reviewed whether your detection capabilities are designed to catch patient adversaries, not just fast ones, including whether logs are retained long enough to reconstruct an intrusion that began six months earlier?
The governance lesson here is not primarily technical. It is about organizational attention span. Cyber vigilance is not a quarterly review item. It is a continuous posture. And maintaining that posture, especially when nothing bad has happened recently, requires deliberate Board-level commitment.
STORY TWO
The Hasbro Breach: When Proactive Becomes Past Tense
Hasbro · Network Breach · March 28, 2026
On March 28, 2026, Hasbro, the company behind Transformers, Monopoly, Play-Doh, My Little Pony, and dozens of other beloved brands, detected unauthorized access to its network. The company filed an 8-K with the Securities and Exchange Commission, proactively took systems offline, brought in third-party forensic experts, and warned investors that recovery could take several weeks, with product delays and shipping disruptions likely.
I have a personal connection to this story. I chaired Hasbro's Cyber Committee, a committee that was established because Hasbro's Board understood, at the time, that cyber risk was a governance responsibility, not just an IT problem. The committee was stood up precisely to ensure that the Board was asking the right questions, reviewing the right metrics, and holding management accountable for maintaining a proactive cyber posture.
A short time later the Board concluded that a Cyber Committee was no longer necessary and that cyber could be rolled into the Audit Committee. There hadn't been any major attacks. The systems seemed stable. The logic, apparently, was: if nothing is broken, why fix it? Multiple companies have concluded that having cyber governance sit in the Audit Committee is not a strong governance model.
The absence of an attack is not evidence of the absence of risk. It is often evidence of the presence of a patient adversary.
This is one of the most dangerous cognitive traps in cybersecurity governance, and Boards fall into it regularly. Quiet periods feel like safety. They are not. They are opportunities: for attackers to reconnoiter, for defenses to atrophy, for institutional vigilance to relax.
The Hasbro breach is a reminder that cyber governance infrastructure (committees, protocols, regular reviews, executive accountability) exists not merely to respond to attacks. It exists to prevent them, and to make sure that when one gets through it is caught and contained early. When that infrastructure is dismantled because things seem fine, the organization becomes measurably more vulnerable in ways that are invisible until they aren't.
THE BOARD QUESTION
When did your Board last conduct a structured review of your cyber governance infrastructure, not just your technology, but your committees, your reporting lines, your accountability frameworks? Has anything been scaled back or eliminated in recent years because "things seem fine"? The Hasbro story is a direct argument for proactive governance as a permanent posture, not a reactive one.
The financial and operational consequences of this breach are still unfolding. What is already clear is that weeks of disruption to a major consumer brand (shipping delays, investor notifications, third-party forensic investigations) will cost significantly more than whatever was saved by reducing the governance infrastructure that was meant to prevent exactly this.
STORY THREE
The Poisoned Library: Supply Chain Risk Comes Home
Axios JavaScript Library · Supply Chain Attack · North Korea · April 2026
The third story this month is less visible than the others, but in some ways it is the most instructive for Boards, because it illustrates a risk that almost no organization has adequately addressed.
The Axios JavaScript library is a piece of software that developers use to make HTTP requests from browsers and server-side applications. It is downloaded tens of millions of times every week. It is embedded in the software of thousands of companies worldwide, often without those companies knowing it is there, because it was included by another piece of software they rely on, which was included by another piece of software, and so on. Engineers call this a transitive dependency, and a typical application has hundreds of them.
In April 2026, North Korean state-sponsored hackers, the same nation-state behind the $285 million Drift theft, compromised a maintainer account for the Axios library and published two malicious versions containing hidden malware. Every organization that automatically updated to those versions, or whose software vendor did, was potentially exposed. How much exposure an organization had depended on how its builds select versions: a build that locks every library to an exact, verified version picks up a poisoned release only when someone deliberately updates, while a build that accepts any version in a range can pull it in on the next install without anyone deciding to.
Your organization's security is only as strong as the weakest link in the software supply chain, and most organizations have no idea how long that chain is.
This is the supply chain risk that Boards have been warned about in the abstract for years. Here it is in the concrete. A trusted, widely-used, open-source tool was turned into a delivery mechanism for malware, not by exploiting a flaw in the software itself, but by compromising the human being responsible for maintaining it.
Again: the human was the vulnerability. Not the code.
THE BOARD QUESTION
Does your organization maintain an inventory of the third-party software libraries embedded in your systems, including the libraries inside your vendors' software? Do you know how quickly a malicious update to a widely-used component would propagate through your technology stack, and whether your build process pins exact versions rather than accepting whatever the latest release happens to be? Software supply chain visibility is no longer a developer concern. It is a Board-level risk management question.
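The transitive chain described above (a library pulled in by another library, which was pulled in by a third) and the question of how fast a poisoned release would propagate can be made concrete for a technical reader. The following is an added example written for this briefing; it is not code from the original page, from the Axios project, or from any of the organizations discussed. It uses a constructed install tree with hypothetical package names and version numbers (the library is called `httpclient` here, and no real Axios version numbers are implied) and a minimal version-range checker covering the exact, caret (`^`) and tilde (`~`) forms used in JavaScript package manifests. It traces every path from the application to the library and reports which paths would silently accept a hypothetical newly published version.

```javascript
// Added example, not from the original page: how a poisoned release propagates
// through transitive dependencies. All package names and versions are constructed.

// A flattened install tree in the spirit of a lockfile: each installed package,
// its resolved version, and the version ranges it declares on the packages it uses.
const INSTALLED = {
  'my-app':         { version: '1.0.0', requires: { 'web-framework': '^4.0.0', 'analytics-sdk': '^2.0.0', 'httpclient': '1.6.2' } },
  'web-framework':  { version: '4.2.1', requires: { 'httpclient': '^1.6.0' } },   // floats on a caret range
  'analytics-sdk':  { version: '2.0.0', requires: { 'telemetry-core': '^3.1.0' } },
  'telemetry-core': { version: '3.1.4', requires: { 'httpclient': '~1.6.0' } },   // floats on a tilde range
  'httpclient':     { version: '1.6.2', requires: {} },
};

// "1.6.2" -> [1, 6, 2]; a leading "v" and any prerelease tag are ignored.
function parseVersion(v) {
  const core = v.replace(/^v/, '').split('-')[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Minimal semver range check: exact, caret and tilde only, which are the forms
// that decide whether an update is picked up automatically. Anything else throws.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith('^')) {
    const base = parseVersion(range.slice(1));
    // Caret: the leftmost non-zero component must not change.
    const fixed = base[0] > 0 ? 1 : base[1] > 0 ? 2 : 3;
    for (let i = 0; i < fixed; i++) if (v[i] !== base[i]) return false;
    return compare(v, base) >= 0;
  }
  if (range.startsWith('~')) {
    const base = parseVersion(range.slice(1));
    // Tilde: major and minor fixed, patch may move forward.
    return v[0] === base[0] && v[1] === base[1] && compare(v, base) >= 0;
  }
  if (/^\d/.test(range)) return compare(v, parseVersion(range)) === 0;   // exact pin
  throw new Error(`unsupported range: ${range}`);
}

// Every dependency path from root to target, with the range the final edge declares.
function dependencyPaths(tree, root, target) {
  const found = [];
  const walk = (name, path) => {
    const node = tree[name];
    if (!node) return;
    for (const [dep, range] of Object.entries(node.requires)) {
      if (path.includes(dep)) continue;                 // guard against cycles
      const next = [...path, dep];
      if (dep === target) found.push({ path: next, range });
      else walk(dep, next);
    }
  };
  walk(root, [root]);
  return found;
}

// Which paths would pull in `candidate` (e.g. a freshly published malicious
// release) on the next install that is not held to a lockfile?
function exposedPaths(tree, root, target, candidate) {
  return dependencyPaths(tree, root, target).filter(p => satisfies(candidate, p.range));
}

// Constructed scenario: hypothetical new releases of "httpclient".
for (const candidate of ['1.6.3', '1.7.0', '2.0.0']) {
  const exposed = exposedPaths(INSTALLED, 'my-app', 'httpclient', candidate);
  console.log(`${candidate}: ${exposed.length} of ${dependencyPaths(INSTALLED, 'my-app', 'httpclient').length} path(s) would accept it`);
  for (const p of exposed) console.log(`  ${p.path.join(' -> ')}  (declared ${p.range})`);
}
```

In this constructed tree the application pins `httpclient` exactly, so its own direct dependency never moves, yet two of its three paths to the library still float: a hypothetical 1.6.3 release would be accepted through both the framework and the telemetry library, and a 1.7.0 release through the framework alone. The direct pin protects nothing if the libraries around it are allowed to drift, which is why inventory has to include the ranges declared inside vendors' code, not just the application's own.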
The connection between the Axios attack and the Drift theft is not coincidental. They are both North Korean operations, executed in the same month, using the same fundamental strategy: find the humans, compromise the trust, wait for the technology to do the rest.
THE CKP PERSPECTIVE
The Frontier Is Still Human
Three stories. Three different attack vectors. Three different industries. One common thread.
In every case, the technology performed exactly as designed. The attackers did not find a flaw in the code. They found a flaw in the human systems surrounding the code, the trust relationships, the governance structures, the organizational attention, the assumption that silence means safety.
This is what we mean when we say the frontier of cybersecurity is human. The most sophisticated technical defenses in the world are navigable by anyone who can patiently earn trust, compromise a relationship, or exploit the organizational tendency to relax when nothing bad has happened recently.
The Board's role in this is not to understand the technology. It is to ask the questions that no one else in the organization is positioned to ask, and to keep asking them, especially when things seem quiet.
Especially then.
These lessons apply whether you sit on a Fortune 500 Board or run a ten-person business. If you know someone who needs a practical starting point, our CKP Small Business Cybersecurity Guide is available on Amazon. It is written in plain language and designed for the people who need it most.
THREE QUESTIONS FOR YOUR NEXT BOARD MEETING
1. Is our threat monitoring designed to detect patient, slow-moving adversaries, or only fast-onset attacks?
2. Have we reduced or eliminated any cyber governance infrastructure in the past two years because "things seemed fine"? If so, what would it take to restore it?
3. Do we have visibility into our software supply chain, including the third-party libraries inside our vendors' products?
ABOUT CYBER KNOWLEDGE PARTNERS
Cyber Knowledge Partners is a female-owned strategic advisory firm that helps corporate Boards and C-suite executives understand, govern, and communicate cybersecurity and AI risk. Founded by Linda Zecher and Kathryn Mihalich, two executives with deep experience inside the intelligence community, Fortune 500 Boardrooms, and the cybersecurity industry, CKP operates from a simple but powerful premise: the frontier of cybersecurity isn't technical, it's human. Judgment, discernment, and the capacity to ask the right questions are the last line of defense, and most Boards don't yet know how to exercise them.
cyberknowledgepartners.com