Posts

Cyber security risks: What do you tell the board?

Cyber security is a risk that needs to be managed like every other risk. So how does the executive team inform the board on the risks and how they are being managed? What actions does the board need to take to be responsible for cyber risk?

Your company board performs quite a few different functions, but often the starting point is governance. The board and its members are constantly asking the question, “Are we doing all the things that we need to be doing to protect the business and the shareholders?” Their focus is on ensuring the RETURN of shareholder capital before the RETURNS on shareholder capital. Of course, this oversight is multifaceted, and often one of the areas of least expertise at board level is cyber security.

Under the Australian Corporations Act one of the board’s primary responsibilities is to act “in good faith in the best interests of the corporation (Section 181.1)” – ensuring the ongoing sustainability of the business.

As a result, the starting point for quite a few IT and cyber security questions from the board are based on compliance. “What compliance mandates am I required to address and how do I address them in the most efficient way?” We all know that ‘compliant with regulation’ does not necessarily mean secure any more than meeting a building code means quality construction techniques have been employed.

So what do you do to mitigate cyber security risks and protect shareholders?

Compliance, Regulatory Risk & Business Impact

Risks can be quantified in the following ways:

  • Fines for non compliance
  • Inability to trade while non-compliant
  • Reputation and brand damage due to breaches
  • Actual physical inability to access systems due to ransomware, etc – that means business comes to a halt
  • Payment of ransoms of gain access to encrypted systems (hopefully!)
  • Cost of restoring systems and databases that have been destroyed by malware
  • Loss of IP and trade secrets through corporate espionage or the actions of nation state backed cyber criminals

Compliance is not security – but it’s at least a good starting place for boards who do not yet fully understand the broad scope of cyber risks. Most compliance regulations mandate a number of technical security controls that are foundational to your cyber security posture. Even if you don’t really understand the controls, this is a sensible start in ensuring that at least basic controls are active, being monitored, and reported on to ensure visibility and accountability.

Data Security

To add complexity to this many compliance mandates (like GDPR) mean that you need to understand what data you are storing, where you are storing it, what’s important and who has access to it in an ongoing and real time manner. When the board has to ask “Who did it?” the executive will need IT to have access to forensic log data that proves who had access to the data , what they took or changed and how they gained access.

Malicious Attacks

How do we mitigate or defend from an attack that our perimeter security can’t detect or stop? How do we know if our important files have been deleted, edited or changed? How do we know if user accounts accessed data they should not have had access to or their access privileges were increased without approvals?

Monitoring of systems and system events is critical in detecting “zero day” attacks that perimeter defense (like anti-virus or firewalls) do not have a solution for yet. We have seen many companies turn to a security expert like an MSSP to help detect threats after an initial breach has hurt the business. As a board you must ensure that your service provider can complement your internal compliance and security teams.

Breach Notification & Financial Penalties

To make things even more complex, there are also a number of legislative requirements that mandate formal disclosure of data breaches. This means that you actually need to be monitoring the databases and the access to important data – all the while ensuring that only approved staff inside your business can see the underlying data while they are monitoring the systems.

There are many studies (like the Ponemon study for example) that quantify data breach costs, but on top of this there are often fines that apply directly for not maintaining compliance or for failing to notify of a breach. In Australia the fines for failure to notify is significant – up to $420,000 for individuals and up to $2.1M for corporations. These penalties apply to businesses with a turnover as low as $3M – that’s right down to SMB.

Bottom line – it’s just not big business that needs to have a plan!

Some organizations like the US Department of Health & Human Services even maintain a “Wall of Shame” for breach reports. Fines of up to $1.5M can apply for data breaches.

What happened? Is it bad? What do we do next?

And so we come to the question that the executive leaders will be asked by the board. What happened? Is it bad? What do we do next?

It’s at this point that a good executive will have all of the forensic data on hand to be able to inform the board (and any regulators) what data has been accessed, how and when it happened, and which accounts accessed the data.

This is critical in remediating the vulnerability and ensuring that any holes are plugged, and that additional controls are put in place.

Many vendor solutions will claim to be a panacea for all your cyber and compliance ills but realistically, you will need to evaluate potential solutions carefully. In our experience, one area of huge value is the ease that any monitoring solution can be set up and installed, and managed, without hiring additional, expensive cyber system administrators. Ideally, you need a simple installation, a security policy that can be applied easily across multiple devices (sometimes tens of thousands of devices) and network, automated reporting, and alerting to help eliminate “false positives”.

(Ask us how Snare can help with this)

Visibility and Accountability

In the end, the board needs to hold itself accountable for understanding the risks and ensuring they are managed.

This means a variety of actions:

  • Gain understanding of cyber risks and mitigating strategies
  • Understand your compliance requirements and monitor compliance over time – not just at a point intime like a security or compliance audit
  • Understand the security controls and monitoring that is in place and ensure regular reporting back to the board on potential issues and threats
  • Ensure end-to-end accountability for cyber risk both at the executive level and across the organization
  • Ensure communications plans are in place to manage the multiple stakeholders in an emergency including staff, customers, partners, shareholders, regulators and any other stakeholders.

Ultimately, the security risk must be balanced with the commercial risk and cost as no-one has unlimited funds to throw at these problems. Finding an efficient and affordable approach is also important.

Snare can help as we provide substantial monitoring and reporting for not only for many compliance regulations but also provides intelligent reporting and alerting to help detect potential compromise of systems.

Resources

Australian Data Breach regulations

https://www.oaic.gov.au/privacy/notifiable-data-breaches/

IBM/Ponemon Cost of Data Breach study

https://www.ibm.com/au-en/security/data-breach

AU Govt statement on Cyber Attacks

https://www.pm.gov.au/media/statement-malicious-cyber-activity-against-australian-networks

DHHS HIPAA Breach report (wall of shame)

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Snare Solutions Announces Commitment to Global Efforts Supporting and Promoting Online Safety and Privacy for Cybersecurity Awareness Month

This year’s initiative highlights the importance of empowering individuals and organizations to better protect their part of cyberspace in an increasingly connected world

October 1, 2020 — Snare Solutions today announced its commitment to Cybersecurity Awareness Month, held annually in October, by signing up as a Champion and joining a growing global effort to promote the awareness of online safety and privacy. The Cybersecurity Awareness Month Champions Program is a collaborative effort among businesses, government agencies, colleges and universities, associations, nonprofit organizations and individuals committed to this year’s Cybersecurity Awareness Month theme of ‘Do Your Part. #BeCyberSmart.’ The program aims to empower individuals and organizations to own their role in protecting their part of cyberspace.

The overarching message of this year’s theme, ‘If you Connect it, Protect it,’ dives into the importance of keeping connected devices safe and secure from outside influence. More than ever before, connected devices have been woven into society as an integral part of how people communicate and access services essential to their well being. Data collected from these devices can detail highly specific information about a person or business which can be exploited by bad actors for their personal gain. Cybersecurity Awareness Month aims to shed light on these security vulnerabilities, while offering guidance surrounding simple security measures to limit the susceptibility of threats for commonly used devices.

This year, the Cybersecurity Awareness Month’s main weekly focus areas will revolve around:

  • Understanding and following general security hygiene for connected devices and home networks
  • The importance of connected devices security for remote workers
  • How connected devices play a pivotal role in the future of healthcare; and
  • The overall future of connected devices for consumers, professionals and the public domain

If everyone does their part – implementing stronger security practices, raising community awareness, educating vulnerable audiences or training employees – our interconnected world will be safer and more resilient for everyone.

Now in its 17th year, Cybersecurity Awareness Month continues to build momentum and impact with the ultimate goal of providing everyone with the information they need to stay safer and more secure online. Snare Solutions is proud to support this far-reaching online safety awareness and education initiative which is co-led by the National Cyber Security Alliance (NCSA) and the Cybersecurity and Infrastructure Agency (CISA) of the U.S. Department of Homeland Security.

“Cybersecurity is important to the success of all businesses and organizations. NCSA is proud to have such a strong and active community helping to encourage proactive behavior and prioritize cybersecurity in their organizations,” said Kelvin Coleman, Executive Director, NCSA.

 

For more information about Cybersecurity Awareness Month 2020 and how to participate in a wide variety of activities, visit staysafeonline.org/cybersecurity-awareness-month/. You can also follow and use the official hashtag #BeCyberSmart on social media throughout the month.

 

###

 

About Snare Solutions
Snare Solutions (a Prophecy International, LLC brand, ASX:PRO) is a centralized logging solution that pairs well with any SIEM or Security Analytics platform. Snare helps companies around the world improve their log collection, management and analysis with dependable tools that save timesave money & reduce risk. Learn more at snaresolutions.com.

About Cybersecurity Awareness Month
Cybersecurity Awareness Month is designed to engage and educate public- and private-sector partners through events and initiatives with the goal of raising awareness about cybersecurity to increase the resiliency of the nation in the event of a cyber incident. Since the Presidential proclamation establishing Cybersecurity Awareness Month in 2004, the initiative has been formally recognized by Congress, federal, state and local governments and leaders from industry and academia. This united effort is necessary to maintain a cyberspace that is safer and more resilient and remains a source of tremendous opportunity and growth for years to come. For more information, visit
staysafeonline.org/cybersecurity-awareness-month/

About NCSA

NCSA is the Nation’s leading nonprofit, public-private partnership promoting cybersecurity and privacy education and awareness. NCSA works with a broad array of stakeholders in government, industry and civil society. NCSA’s primary partners are the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and NCSA’s Board of Directors, which includes representatives from ADP; AIG; American Express; Bank of America; Cofense; Comcast Corporation; Eli Lilly and Company; ESET North America; Facebook; Intel Corporation; Lenovo; LogMeIn; Marriott International; Mastercard; MediaPro; Microsoft Corporation; Mimecast; KnowBe4; NortonLifeLock; Proofpoint; Raytheon; Trend Micro, Inc.; Uber: U.S. Bank; Visa and Wells Fargo. NCSA’s core efforts include Cybersecurity Awareness Month (October); Data Privacy Day (Jan. 28); STOP. THINK. CONNECT.™, the global online safety awareness and education campaign co-founded by NCSA and the Anti-Phishing Working Group with federal government leadership from the Department of Homeland Security; and CyberSecure My Business™, which offers webinars, web resources and workshops to help businesses be resistant to and resilient from cyberattacks. For more information on NCSA, please visit https://staysafeonline.org.