The recent cyber attacks on the US government, T-Mobile, Scotttrade, Excellus BlueCross BlueShield and many others has brought cyber security into the mainstream. Boards of Directors and executives are now more aware of today’s cyber threats and how they might adversely affect their business.
Not surprisingly, most executives are not security experts and many don’t know what questions to ask to understand the vulnerabilities they may face. Determining threats and understanding how to approach them is the job of the CISO, CSO or CIO. Security professionals need to help executives become more literate and frame threats as part of a risk management conversation. Addressing cyber threats need to be part of an enterprise risk management strategy, the same way an organization deals with any risk to its business.
Board members are not comfortable talking about technology details, so a security professional needs to discuss cyber security in business terms. Cyber security should be another data point in a business decision, just as legal and financial issues are.
Are you protecting the company’s “crown jewels”?
Management needs to understand what data is critical to the organization’s ability to function, where it is and who has access to it. Many organizations don’t know all the locations of sensitive and critical information, such as intellectual property, customer lists, financial data and personally identifiable information (PII). Since employees create, store and access information on desktops, mobile devices and in cloud repositories, keeping track and controlling access can be challenging. If a company doesn’t know the location of its critical digital assets and who can access them, it is unlikely it can determine how to protect them. The board needs to understand the business risk of not protecting sensitive information and how management intends to mitigate that risk.
Are you properly managing third-party providers?
A company is ultimately responsible for sensitive information throughout its supply chain and has to rely on the security systems of its downstream partners to protect information. Unless a company does a security audit on those partners and is satisfied they will maintain sensitive data in a safe way, it is vulnerable. Management needs procedures to assess cyber-risks presented by third-party vendors and service providers. The board needs to understand how to protect information shared with third-parties and how management intends to ensure compliance.
Are you managing insider access to sensitive information?
One of the biggest threats to an organization is trusted insiders who have access to the most critical information inside your business. IT, security administrators and general staff have access to intellectual property, financial and customer information as a regular part of their jobs. In a recent Insider Threat Report,
62 percent of security professionals say insider threats have become more frequent in the last 12 months, but only 34 percent expect additional budget to address the problem. Fewer than 50 percent of organizations have appropriate controls to prevent insider attacks. The board needs to understand investment needs to ensure that insider threats are mitigated.
Can management explain its cyber risks and its response to those risks?
Management should explain to the board its assessment of cyber security risks and articulate its plan to address them by choosing to accept, avoid, mitigate, or transfer such risks. Boards would do well to have at least one member capable of assessing both cyber risks and the appropriateness of the company’s defenses and planned responses. CISOs and CSOs need to assess risk holistically, addressing both physical and cyber security. The integration of cyber and physical security will become even more significant with the rapid growth of the Internet of Things (IoT).
Every company has business critical sensitive information that must be protected. This will only happen if management and board members make cyber security a top priority. Since cyber risks are to the information itself, the best way to protect it is by applying strong encryption to that data that is controlled through persistent, dynamic security policies that can restrict its use to only authorized people. This protects the data regardless of location and will give boards the piece of mind that their business is safe.