“Putting a Boardroom Lens on Cyber,” one of the final panels of the 2015 Global Board Leaders’ Summit, continued themes heard throughout Summit sessions. The panel focused on how to ask management the right questions about the state of their enterprise’s cyber security and how to assess the strength of their preparedness to manage this risk.
The panel was packed with leading technology experts: Nicholas M. Donofrio, director of NACD, Advanced Micro Devices, BNY Mellon, Delphi Automotive and Liberty Mutual, and former executive vice president of innovation and technology, IBM; Alfred Grasso, president and CEO, The MITRE Corp.; Christopher Hetner, cybersecurity lead, Technology Controls Program, Office of Compliance Inspections and Examinations, U.S. Securities and Exchange Commission; and Kimberley S. Stevenson, director, Cloudera Inc., and CIO, Intel Corp. Bill E. McCracken, director of NACD and MDU Resources Group and former CEO of CA Technologies, moderated the discussion.
Below is a summary of the high points from that discussion.
Recognize that cyber criminals are constantly changing methods and targets. When it comes to security breaches, “The bad people are getting better, faster, and you have to assume, therefore, that you have to move quicker,” Donofrio said. For example, cyber criminals increasingly exploit human error by using social engineering—especially with “spear phishing” emails. These emails look like legitimate business from trusted sources, yet contain dangerous malware. One employee opening such an email could compromise an entire network’s security.
Scrutinize whether management really knows where key data assets reside. Directors need confidence that management knows where "crown jewel" data assets sit in often highly distributed IT environments and how they are being protected. Management also needs to demonstrate that it understands the rationale behind the access rights granted to both employees and contractors. The fine print in third-party contracts can also jeopardize data security: cloud storage providers sometimes include "quality control" clauses that grant them access to your data.
Ensure that general management is held accountable for effective cyber-risk management. Cybersecurity is no longer an IT issue, but a significant business risk as technology is now a critical component of most business processes. As a result, general managers must share formal accountability with IT for the strength of cybersecurity. They must foster a risk-aware culture. If, for instance, the IT department sends dummy malicious emails to test open or click rates in the network, a problem would be detected if the rate goes up. “We track the number of employees who click on malicious emails,” Grasso said. “It’s less than two percent, but if it rises, we’ll move quickly and change our training policies.”
Demand that technology leadership avoid jargon and communicate complex concepts in easy-to-grasp language. “We have our own vocabulary as IT professionals, and we have a hard time translating that into everyday language,” Stevenson said. Technology leadership must be careful to clearly communicate concepts to board members whose first imperative is to understand risks. Technology management should craft language that non-expert directors can readily grasp.
Beware the consequences of your own oversight approach. Directors must carefully craft the questions they ask management when examining cyber risks. Donofrio recommended that board members focus carefully on the questions they ask of the C-suite to avoid sending the wrong message: for example, boards that focus exclusively on the costs associated with cybersecurity could undermine much-needed investments by management in better defenses. "We as board members can mess this thing up," Donofrio said. Continued technological literacy is integral to asking the right questions, understanding experts' briefings, and appreciating the full impact of cyber risks across the organization.
Consumers in the digital marketplace rarely think twice about allowing companies access to their personal information, and the companies that are amassing this data are enjoying the unprecedented business opportunities that such access entails. This exchange of information does, however, come with substantial liability risks; that information can easily fall into the wrong hands. This feature of the e-commerce landscape is causing both consumers and companies to ask: Is privacy dead in the Information Age? To explore this question, NACD Directorship Editor in Chief Judy Warner sat down with former White House Chief Information Officer and founder of consulting company Fortalice Theresa Payton during a Monday evening session at the 2015 NACD Global Board Leaders’ Summit.
In short, privacy isn’t dead, but our concept of privacy is undergoing a transformation. Payton said that as business leaders and consumers, we need to have serious conversations about what the new—and correct—lines of privacy are. “We own some responsibilities as business leaders and government officials,” she said. “Data is hackable and breaches are inevitable. Don’t aid and abet hackers.”
It turns out that companies are inadvertently aiding and abetting hackers. First, some organizations fall victim to their own outdated view of building cyber defenses: set up as big a firewall as you can around the company's data assets, install anti-malware and antivirus software, and you're done. This is a losing defensive strategy; it fails to take into account the mechanics of how and why these major breaches continue to happen.
According to Payton, companies with poor data hygiene are the most susceptible to cyberattacks. When companies kept analog files, they would shred records when storage space was exhausted or when data reached a certain age. In a digital environment, storage space is cheap and seemingly limitless, meaning that data could—and probably will—live on servers for years. As time goes on and a company reorganizes, data is forgotten, creating prime points of entry for hackers. Adopting a data-“shredding” strategy is imperative.
In addition, the tools needed to hack into a system have become both affordable and readily available. Now anyone can be a hacker—and those who have chosen this path grow more adept at their craft every day. Taken altogether, this is a recipe for potential disaster.
Payton outlined best practices for maintaining optimal data hygiene:
Don’t keep all of your data in one place. For data you need to retain, “segment it to save it.” In other words, divide that information among multiple digital locations so that if one location is compromised, a hacker hasn’t gained access to the entirety of the data the company holds.
Create rules around when you no longer need data and set a schedule for “shredding” it.
“Shred” any data that you don’t need. Keep only data related to the attributes of consumer behaviors and get rid of the specifics (e.g., names and social security numbers). Doing so will reduce your risk of being held accountable when a breach happens.
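As an added example (not from the article or from Payton's own practice), the following Python sketch shows how the three practices above could be enforced mechanically on a constructed set of customer records: records past a hypothetical per-class retention schedule are dropped, the survivors are grouped by class so each class can live in a separate store, and direct identifiers are replaced with a keyed HMAC token so behavioural attributes stay linkable without a name or social security number ever being kept. The retention periods, field names and the keyed-token step are assumptions made for the example.

```python
"""Data-hygiene helper: retention 'shredding', segmentation, and stripping specifics."""
import hashlib
import hmac
from datetime import date

# Hypothetical retention schedule (assumed): days after which a record is shredded.
# A class with no entry is treated as "no business need" and shredded outright.
RETENTION_DAYS = {"marketing": 365, "support": 730}
# Direct identifiers that are removed; only behavioural attributes are retained.
DIRECT_IDENTIFIERS = {"name", "ssn", "email"}

# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"class": "marketing", "collected": "2014-06-01", "name": "A", "ssn": "111", "pages_viewed": 9},
    {"class": "marketing", "collected": "2015-07-01", "name": "A", "ssn": "111", "pages_viewed": 3},
    {"class": "marketing", "collected": "2015-09-01", "name": "B", "ssn": "222", "pages_viewed": 7},
    {"class": "support",   "collected": "2014-06-01", "name": "A", "ssn": "111", "tickets": 2},
    {"class": "legacy",    "collected": "2015-09-01", "name": "C", "ssn": "333", "notes": "old"},
]


def shred_expired(records, today, schedule=RETENTION_DAYS):
    """Keep only records still inside the retention window for their class."""
    kept = []
    for rec in records:
        limit = schedule.get(rec["class"])
        age = (today - date.fromisoformat(rec["collected"])).days
        if limit is not None and age <= limit:
            kept.append(rec)
    return kept


def minimize(record, key):
    """Drop direct identifiers, replacing them with one keyed token (assumed design)
    so the same person's behaviour remains linkable across records."""
    ident = "|".join(str(record.get(f, "")) for f in sorted(DIRECT_IDENTIFIERS))
    token = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()[:16]
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject"] = token
    return out


def apply_hygiene(records, today, key, schedule=RETENTION_DAYS):
    """Shred expired records, minimize the rest, and segment them by class."""
    segments = {}
    for rec in shred_expired(records, today, schedule):
        segments.setdefault(rec["class"], []).append(minimize(rec, key))
    return segments


if __name__ == "__main__":
    for store, rows in apply_hygiene(SAMPLE_RECORDS, date(2015, 10, 1), b"demo-key").items():
        print(store, rows)
```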
Furthermore, she stressed that directors should be sure to ask certain questions as they work with management to hone the company’s cybersecurity strategies:
Have we identified our top critical assets—those that if held for ransom, lost, or divulged, would destroy us as a company?
Who has access to those assets? How do we grant access?
Have we drilled for a cyber breach disaster?
Do we have a liability plan that will cover the board should critical assets be breached?
This phrase has become rote within the security community, where the unfortunate reality is that breaches are inevitable, regardless of an organization’s industry or size. In acknowledging that a determined attacker can almost always get in, the focus becomes detection and containment in addition to prevention. A strong security strategy shouldn’t just ensure that your organization is difficult to compromise—it should also include plans for threat detection and incident response that maximize opportunities to detect a compromise and minimize fallout in the event of a breach.
Lay the Groundwork.
By nature, incident response requires high accuracy and swift investigation at each step: starting at the initial scoping stage and continuing all the way through to remediation. But when the clock is ticking, mistakes are more likely—and a single mistake can have a ripple effect that carries across the entire incident response lifecycle.
Preparation is key, so lay out your incident response strategy before disaster strikes. Times of chaos are not when you want to be bogged down with untangling processes or determining the best way to communicate crucial information.
Start by selecting an external incident response service provider, if you don't already have one on retainer. This team will supplement in-house expertise and provide much needed support before, during, and after a breach. The ideal service providers will coordinate planning and map out an incident response strategy within the first 30 days, which significantly lightens the resource burden placed on your own team. To maximize your investment, confirm that you're enlisting people who are well versed in responding to compromises of varying size and severity.
Once you've locked in your incident response firm, establish an incident response team and identify the key players so you can tackle the actual planning.
A comprehensive incident response plan should outline the key stages of an incident investigation from detection and analysis through containment, remediation, and cleanup. Here are four best practices to keep in mind as your plan comes together:
Understand the data you want to protect. Is it financial data, such as credit card numbers or transactional information? Is it personally identifiable information or personal health information related to employees or customers? Is it intellectual property that your company keeps under digital lock and key?
Factor in regulatory, policy, or legal drivers that will impact incident response decisions. Most organizations exist in a regulated industry, and knowing the parameters (HIPAA or PCI compliance mandates, for example) can make the difference between failure and success. A breach response hasn't been successful if, at the end of the investigation, fines are levied against the business.
Think about communication requirements. How do you communicate with employees? Your customer base? Will the executive team be anxious for updates, and what’s the appropriate frequency for those updates? What are the actions you want people to take? For example, victims of a spear phishing attack may want to warn against clicking certain links or opening certain attachments.
Consider who needs to be involved in the communication itself. Do you want to bring your corporate communications team on board? What about human resources or legal? These entities should be notified in advance and involved in the planning, so they know their role and can act efficiently when it counts.
Real-Life Threat Simulation.
Practice makes perfect, and the world of incident response is no exception. Scheduling time to “kick the tires,” so to speak, means you won’t discover outdated technology or untrained staff when you’re down to the wire with no time to spare.
A product doesn’t go to market without undergoing extensive testing. In the same vein, a dress rehearsal can expose vital gaps in an incident response plan. The fundamental goals of a rehearsal are to practice and optimize. It allows the players to understand exactly how to behave in the wake of a security incident, so that come show time, the team operates like a well-oiled machine.
Once the team has established how it will react to a threat scenario, practice executing the plan. Schedule a walkthrough and decide on the initial infection vector. This can be anything from a spear phishing attack to lateral movement via a third-party vendor, which is how many notable breaches have happened, including Target. To make this scenario as real and as high-stakes as possible, the attacker’s end goal should be exfiltrating your company’s most valuable data (see the first bullet point, above).
Next, pinpoint when and how people and technology will identify and locate the threat. From there, focus on the attacker’s level of sophistication. In other words, are they using advanced techniques or basic ones? How are they moving around the network? Is data escaping through a steady trickle or a large blast? Technical staff should attempt to chase the attacker through the network and, depending on the maturity of the organization, provide feedback on the evidence uncovered along the way.
The rehearsal should end with a sharing of lessons learned. An incident response service provider can certainly help with this piece by proactively identifying areas for improvement. Everyone involved should offer feedback on the tools that were used, as well as on the group’s overall level of communication and effectiveness.
Confidence, not Chaos.
Once someone discovers a breach or flags a suspicious security incident, the wheels are set in motion. Time is of the essence. The attacker needs to be stopped before they can do substantial damage; meanwhile, the targeted company must communicate the threat to the appropriate parties while still capturing necessary evidence in the event of an investigation.
Incidents can, of course, vary in scale. But regardless of whether it’s a small malware outbreak or a targeted attack on a client environment for the purpose of financial gain, the reality is that if you have a plan in place you’ve already gone a long way towards setting your business up for success. Your team can act quickly and confidently without second-guessing a decision or wasting precious hours determining next steps, instead focusing efforts on where they’re most needed: rapid response, investigation, and remediation.
Rapid7 cybersecurity analytics software and services reduce threat exposure and detect compromise for 3,500 organizations, including 30 percent of the Fortune 1000. From the endpoint to the cloud, we provide comprehensive real-time data collection, advanced correlation, and unique insight into attacker techniques to fix critical vulnerabilities, stop attacks, and advance security programs. To better understand how Rapid7 can help you assess your organization's security, give us a call at 866-7-Rapid7 or visit the Rapid7 website.