High-profile data breaches continue to make news, and you can bet that your board of directors has noticed. Breaches can result in huge remediation costs, litigation and lost revenues resulting from a damaged reputation. Board members pay attention to those things.
You don't want your first discussion about cybersecurity with your company's board of directors to happen post-breach. Start educating the board now. Explain the scope and components of a comprehensive security program, and be clear about how far your company's program falls short of optimal effectiveness. The board members need to understand that, at a minimum, a good cybersecurity program should include processes to manage patches, review logs, force secure passwords and train staff not to open emails from Nigerian princes. They probably also need to be educated about the policies and procedures that have to be put in place just to meet the security regulations and standards of legislation such as Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley and industry initiatives such as PCI and EMV. They need to know that you recognize the dangers of collecting and storing data that's subject to regulation and will do so only when there is no other option. And they need to see how the procedures controlling all these processes have been thoroughly documented and are regularly tested.
But those are just the basics. A truly comprehensive cybersecurity program involves much more, and you need to make your board aware of what those things are, so that it can assure that sufficient resources are allocated. Some of the things to consider undertaking and funding are these:
- Certifying vendors. Your vendor's infrastructure may not be as secure as your own. According to the Senate Committee on Commerce, Science, and Transportation's March 2014 report, Target's HVAC company had access to Target's network and apparently did not follow accepted security practices. The report states, "The vendor's weak security allowed the attackers to gain a foothold in Target's network."Ideally, vendors should be restricted to a separate network and never allowed on the corporate network. However, this is frequently impractical for IT vendors. When a vendor needs access to your internal network, supply its staff with company computers running the same security tools found in the rest of your infrastructure.
- Monitoring social media. Scammers sometimes accountjack LinkedIn and other social media. Recently, scammers created high-quality LinkedIn profiles for a large manufacturing company's entire executive team, none of whom were LinkedIn members. The scammers built a substantial network of industry executives before sending legitimate-looking messages containing malware. When the manufacturing executives discovered that malware had been sent under their names, they were disappointed in their IT security staff for not having prevented the problem. The security staff felt blindsided, since they had never envisioned (or been told) that it was their responsibility to check social media.
- Establishing a cyber-risk board committee. Few boards regularly focus on cyber risk. Since the issue is relatively new, cyber risk and security often get lost between the gaps among the Audit Committee, the Risk Committee and the Governance Committee. If the board does not have a committee specifically addressing cyber issues, recommend that it create one.
- Enforcing separation of duties. Good management controls demand that any process that allows access to money or critical data has appropriate checks and balances. Good ERPs facilitate appropriate separation. However, small companies or business units sometimes have to accept the risk, leaving themselves open to undetected theft.
- Re-examining BYOD. While many employees appreciate the convenience of accessing needed data on their own devices, BYOD broadens the enterprise's cyber risks. IT can lock down company devices and wipe them remotely when lost, stolen or compromised. This is obviously impractical with employees' devices. Consider the trade-offs carefully.
- Increasing staff engagement. Internal employees are responsible for many data breaches. Some are careless and inadvertently reveal information that enables a thief to gain access. Others embezzle or steal information for personal financial gain. Still others, including Edward Snowden, justify their actions as retaliation for their employer's real or imagined breaches of ethical behavior. Disgruntled employees are more likely to facilitate security breaches, while people who feel valued are less likely to abuse the company's trust. There are always people desperate enough to steal, but showing appreciation for staff is good for morale, security and business.
- Updating insurance coverage. Corporate insurance policies frequently do not cover cybersecurity breaches without a separate rider. The department responsible for corporate insurance must review all insurance policies for cybersecurity coverage.
Most importantly, both IT and the board should not delude themselves that a breach won't happen to them. As Joseph Demarest, assistant director of the FBI's cyberdivision, said at a recent cybersecurity conference, "You're going to be hacked. Have a plan."
Bart Perkins is managing partner at Louisville, Ky.-based Leverage Partners Inc., which helps organizations invest well in IT. Contact him at BartPerkins@LeveragePartners.com.