What Boards Really Need to Know About Cyber Security
Delta Risk’s Founder and Executive Chris Fogle dove into the subject of cyber security perspectives for boards and business executives in Part I of our board perspectives blog and in yesterday’s presentation at CyberTexas 2016. He also took a few minutes with The CyberWire Friday podcast to discuss board responsibility when it comes to cyber security.
In Part I of our blog, we discussed how boards perceive cyber security. Although their general awareness around cyber security has increased, and cyber issues have become more of a priority, they still lack confidence in their in-house cyber security resources for adequately managing risk.
Boards are wrestling with quite a few issues regarding the management of cyber security risk. Among the top issues being debated in the boardroom are properly navigating cyber insurance policies, getting a handle on third-party risks, protecting corporate data in the cloud, and planning prudent near-term security investments.
All of these issues appear complex on the surface, but there are four fairly straightforward perspectives boards can keep in mind as they approach each critical item:
1. When it comes to cyber insurance, ensure your security staff and risk managers are representing their security posture honestly and correctly to the insurer.
The “speed dating” process of obtaining a policy these days will most likely involve answering multi-page questionnaires in which you are asked to attest to things like the existence of tested incident response plans, the absence of default passwords on systems, and the implementation of logging with regular review of those logs.
Your cyber insurance policy will have exclusion clauses – the conditions under which payment of a claim can be denied. Many of these exclusions are tied to the same basic security practices the questionnaire asked about. Companies that blindly answer “yes” to everything, without checking and then regularly verifying the state of their security posture through assessments and exercises, may find that a claim is denied precisely because a control they attested to was never actually in place.
2. Aggressively seek to understand how your key vendors and third-party partners are ensuring the protection of their data and yours.
Thanks to several recent high-profile data breaches, boards are more aware of the risks posed by third-party vendors. Whether a third party holds key data for you or connects to your information systems and databases, it represents a soft underbelly for many companies today.
The most common approach in the market for auditing a third party's cyber security is the same kind of multi-page questionnaire, in which the vendor self-reports its own posture. Again, this is an insufficient strategy for obtaining an accurate assessment, and it should not yield confidence. More aggressive approaches require on-site audits, technical assessments of the vendor's systems and connections, and the vendor's participation in joint incident response exercises.
3. The cloud is a business reality – if you’re not confident your staff can effectively protect your data, then consider moving it to the cloud.
Many boards ask whether the cloud can be a trusted place to host critical data. The short answer is “it depends.” If the cloud provider is reputable, then it is a good option. For many small and medium-sized companies, a cloud service provider is likely to have a stronger security focus than they could afford themselves, because the cost of maintaining a 24×7 security staff is spread across the provider's entire customer base.
This does not guarantee that the provider's security staff is highly skilled, but a reputable provider has a real interest in keeping its customers satisfied and their data secure. In light of the recent surge in ransomware attacks, having the data backed up off the primary systems also provides a path to restoration and recovery – but only if those backups are kept out of reach of the same attacker and restoration from them has actually been tested.
One word of caution, though. While services can be outsourced, the risks cannot. Companies still need to encrypt the data they store in the cloud, and they remain accountable for who controls the keys and who can access that data.
4. There is a virtual firehose of cyber security issues to address. If boards do anything at all, they should insist on an immediate focus on ensuring the company has and tests plans for responding to a cyber-attack.
As the adage goes, a disaster is the wrong time to exchange business cards. Companies should immediately, and then regularly, test their incident response plans and capabilities by conducting tabletop exercises built on real-world cases.
It is also critical to discuss how business units communicate across the enterprise; how the company responds to media queries; how security staff present options to leadership; and how the company will engage trusted partners such as law enforcement and outside counsel.
Often, simply talking through these issues produces awareness and insights that prove invaluable when an incident actually occurs.
For more insight into the steps boards can take to tackle cyber security risk, download our white paper, “Cyber Security and the Board of Directors.”