Tag: cyber attack

Is your board of directors prepared for a cyber attack?

Another day, another cyber attack. Just in the last few weeks we have seen headlines about a major data breach at Yahoo, accusations that the Russian government interfered with the US presidential election, and the E-Sports Entertainment Association suffering a breach of over a million records.

Despite the potential harm from such attacks, there is a general consensus that boards of directors are not taking the necessary actions to defend and protect their companies from these attacks.  The problem is that many people in leadership positions do not understand the real problems and consequences of a cyber attack and do not have enough understanding of cybersecurity risks and how to mitigate them.

“Our country and its businesses and government agencies of all sizes are under attack from a variety of aggressive adversaries and we are generally unprepared to manage and fend off these threats,” said Gartner analyst Avivah Litan.

“Some organizations do a better job than others, but those efforts are almost always led by CIOs, CISOs or business line managers and not by corporate boards, CEOs and executive management throughout government and the private sector,” Litan added.

The National Association of Corporate Directors (NACD) recently released a survey of more than 600 corporate board directors and professionals that found only 19% believe their boards have a high level of understanding of cybersecurity risks. That’s an improvement from 11% in a similar poll conducted a year earlier, but nowhere near the levels needed to protect businesses and their customers.

Fortunately, things are beginning to change as legislation and regulations finally catch up to the realities of the business world. While most US states have laws requiring data breach notification, federal law is slow to follow. A number of US senators have backed breach notification laws, but no bill has passed congressional muster. It will be interesting to see if things change under President Trump given the increasingly negative effects of cyber attacks.

Proposed regulations in New York by the Department of Financial Services (DFS) are an example of states trying to increase protection of sensitive information and hold senior leadership accountable.  The proposed 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies requires the board of directors or a Senior Officer to certify that they are in compliance with these regulations.  The regulations call for a cybersecurity plan, encryption of non-public data, access controls and audit trails of activities.  The goal is to increase the security posture of financial institutions to protect confidential information.

“Having a requirement to disclose is a great motivator to increase security to prevent future attacks,” Litan said. “No one wants their names in the news. That’s what corporate directors are most worried about, in fact.”

Education at the board level is of paramount importance to help directors understand the risk they face from cyber attacks.  Just like a board needs to understand the risk from competitors, fire, theft, litigation and currency fluctuation, they must understand how to mitigate the risk of cyber attacks.  Regulations like those proposed in New York are the beginning of this process and boards must now understand that they will be personally liable if they do not comply.

Fasoo encryption and permission control can eliminate business risk by stopping a data breach

One harrowing statistic from our recent Ponemon study, “Risky Business: How Company Insiders Put High Value Information at Risk,” is that 56 percent of the respondents said they do not educate their employees on the protection of files containing confidential information. Reporter Karen Epper Hoffman referenced this statistic in her SC Magazine eBook contribution, “Locking it down,” and included insight on encryption from Fasoo customer Jay Rudd, IT manager, General Plastics and Composites LP. Organizations that do not take the proper precautions through education are not doing themselves any favors in preventing the leakage of high-value information.

As Jay Rudd noted, “The persistent, file-based encryption approach is becoming more popular in the wake of recent attacks where the malicious attacker was able to bypass traditional security measures and access confidential information.”

Where traditional security systems are failing, encryption and other additional security measures can fill the gap to further protect sensitive data from ending up in the wrong hands and resulting in a potentially catastrophic outcome. We live in a time where breaches happen so often they almost seem to be inevitable, making the “all hands on deck” approach crucial to minimizing risk.

Encryption in particular protects data whether it is accessed internally or externally. If a malicious attacker were to gain access to the data—whether customer data, trade secrets, financial information, or personal information—it would be rendered useless because of the added layer of security encryption offers.

Adding permission controls to encryption ensures that you not only protect the data at rest and in motion, but can also limit what users do with the data while they are using it. If you can prevent a user from editing, printing or taking a screenshot of sensitive information, you have closed the gap left by traditional security by controlling access to the data itself rather than only to the systems that hold it.

As we’ve seen in the past year, no industry escapes from targeted attackers. From healthcare to Hollywood, every organization must consider this next level of protection against those who wish to do harm.
