Four Critical Cybersecurity Questions for Directors in 2021

Companies faced a host of unforeseen cybersecurity challenges in 2020 due mainly to the large-scale pivot to virtual work environments—regardless of whether or not a company was prepared to make such a radical change. As companies will continue to deal with the ramifications of this shift well into 2021, here are four critical questions directors should consider asking to best prepare themselves.

1. How does ongoing remote work impact our organization’s risk posture? In the shift to working from home, security leaders rushed to prioritize projects to secure remote employees and their devices. But how did this massive shift away from the brick-and-mortar corporate environment accelerate risk to the organization? Working from home brings challenges related to employee security training, software-as-a-service security, virtual private network configurations, ransomware, phishing, and more. In our analysis of some 41,000 organizations, BitSight found that home networks are 3.5 times more likely to have malware on them than corporate networks. Even with COVID-19 vaccines on the horizon, workers might not want to return to the traditional office environment, meaning that network security will indefinitely remain outside of the company’s control. Directors should be prepared to ask about whether the company has adopted or will be adopting security measures—including potentially monitoring highly privileged employees—to ensure that remote workers are not introducing new risks into the organization.

2. What are we getting for our cybersecurity investments? Cybersecurity spending has grown rapidly over the past decade. Still, directors find it challenging to understand what they’re spending money on and how effective their programs are. In a 2019 article “Apply Five Rules to Your Security Metrics,” Gartner vice president Jeffrey Wheatman highlights a common challenge for boards: “Security and risk leaders often focus on overly technical metrics that provide limited value to business stakeholders. Although operational metrics are necessary to run the program, they are not useful or relevant for demonstrating the value of the program to executive leadership.” Board members can drive change by asking to see reports from the security team on security performance, how the company’s cybersecurity practices compare to industry peers, and measurable risk reduction.

3. Are we at risk of a ransomware attack? Ransomware continues to cause massive disruption to businesses and governments. Cyber insurance claims from ransomware have skyrocketed: The Hartford Financial Services Group noted in an October 6 webinar that 68 percent of claims and 95 percent of dollars paid out were directly resulting from ransomware. Yet Gartner reports in “How to Respond to the 2020 Threat Landscape,” written by Jonathan Care, that 90 percent of ransomware attacks are preventable. Malicious actors are not necessarily leveraging new attack vectors but are relying on the same old vulnerabilities to exploit. Directors must ensure that security and risk leaders are prioritizing basic security hygiene initiatives in order to mitigate potential damaging ransomware attacks.

4. How secure is our vendor and supply-chain ecosystem? Organizations everywhere are dealing with risks from cyberattacks. In a 2018 survey of some 1,000 chief information security officers and risk professionals in the United States and the United Kingdom, The Ponemon Institute found that nearly 60 percent of organizations have experienced a cyberattack because of a third-party data breach. Governments are focusing intently on this challenging issue; in recent years, the financial sector, utilities, and retailers have all stepped up their third-party cybersecurity requirements. In 2020, the US Department of Defense introduced the Cybersecurity Maturity Model Certification, a framework the department uses to assess whether contractors are following data security best practices. Directors should be aware of their organizations’ approach to monitoring third-party cyber risk as well as any new data security requirements that third parties might impose on the company—and whether the company is in any way deficient by those standards.