Risk

9/1/2017 10:00 AM

How Effective Boards Drive Security Mandates

The focus on cybersecurity policies must be prioritized from the top down.

As cyber attacks grow in velocity and severity, enterprises face the challenge of achieving the highest levels of security and data protection without compromising the speed, usability, or access needed for business. Although many technology tools exist to help prevent and mitigate hacks, the greatest source of risk is people: personnel, contractors, partners, and others whom we trust to conduct business securely.

As data breaches proliferate, more work must be done to strengthen security policies, educate all personnel, and enforce cybersecurity best practices, particularly at the leadership level. Security can't rest solely on the shoulders of IT; security mandates must be modeled by the company's CEO, other C-level executives, and, perhaps most importantly, the board of directors.

Board members are responsible for a company's overall performance and governance, and have access to the most sensitive information the company owns, yet they often feel the least confident in their level of cyber-risk awareness and receive the least cybersecurity oversight. The use of free email service providers (ESPs) and open Internet connections to send and review confidential board materials is rampant.

A recent survey report of 381 board directors by NYSE Governance Services, in partnership with Diligent, found that 92% of respondents use personal email accounts at least occasionally for board communications. Further, 63% said their boards aren't required to undergo security training. These insecure practices have put companies at heightened risk, particularly as cybercriminals zero in on high-profile individuals via whaling attacks (phishing targeted at high-level executives), and other means.

To reduce risk, directors need to become significantly more aware of their companies' security practices and be held accountable to high-level security standards. Here's how some of the most effective boards are becoming more hands-on.

Getting Smart About Data
Forward-thinking board members are having more meaningful security-centric conversations about the importance and value of data. According to many board members attending the 2017 Diligent Director's Experience event, these conversations have been possible thanks to closer collaboration among board members and IT, security, and data teams. Questions such as "Where does our data live?" and "How can we make these areas less vulnerable?" are becoming common in boardrooms.

As part of this process, boards are assessing operational security practices, including reviewing current and past security practices, as well as defining and controlling access to networks and various systems, third-party platforms, applications, and data storage. Once vulnerabilities are pinpointed (for example, via auditing), savvy boards are following through by providing the proper guidance and directives to ensure their organizations are making it a priority to properly fund data security.

Revisiting BYOD Policies
Attacks on mobile devices continue to increase, particularly as a growing number of people use one device for hybrid work/personal use. Not only does this introduce security risks to the enterprise, but most people don't realize how much information is captured by popular mobile applications themselves — for example, contacts, calendars, geolocation apps, photos, and attachments.

In an age of remote working and contract employees, it's not enough to have just a static bring-your-own-device (BYOD) policy in place; this essential corporate mandate must grow or contract based on business needs, the cyber-risks being faced, and the needs of the workforce. It must also be stringently enforced, starting from the top down. Board directors are stepping up their responsibilities, working with security and IT leadership to develop and refine these policies, evaluating their effectiveness, and improving them based on evolving industry best practices.

Evaluating the Cost of "Free" Applications
Along with BYOD programs, board directors are also more closely scrutinizing the use of free applications and providers. For example, the NYSE/Diligent report found that nearly half (47%) of respondents agreed that the move to digital file sharing has increased the risk of improper handling of sensitive information. From the use of file sharing and data transfer applications such as Dropbox and WeTransfer, to free ESPs such as Yahoo and Gmail, directors are seeing the negative impact that these insecure, hackable applications can have on the enterprise and are taking steps to reduce or mitigate risks, starting in the boardroom.

Understanding Personal Hacker Motivations
While board members are aware of hacking and data loss risks for the enterprise, too few understand how they can be personally targeted by cybercriminals. There's a treasure trove of confidential corporate information within the reach of a board director: M&A deals and strategy, intellectual property, even litigation. But a board member's contact information — with access to powerful individuals that govern boards in all sectors — is incredibly valuable as well.

With crucial information at risk for both the employee and the organization, boards are now required to become more attuned to the criminal motivations involved in hacking. They must also be aware of the consequences: just ask former FACC CEO Walter Stephan, who was fired in 2016 following a successful whaling attack that cost the company nearly $50 million.

They must also become increasingly aware of evolving hacking techniques, online threats, and exploits that are designed to snare not only them but also other high-profile or high-net-worth individuals in their personal networks. Executive-level workshops, as well as crisis communication plans and drills, are proving effective for helping boards understand their role in cybersecurity and the steps to take if they believe they've been targeted.

As more breaches are reported around the globe, and as the sophistication of these attacks evolves, it's imperative that directors immerse themselves in cybersecurity strategy and execution. They must collaborate directly with security teams, follow corporate policies and processes, pursue ongoing training to boost their security knowledge, and, above all, be open to changing the way they work in order to fight back against hackers and greatly reduce the likelihood of costly data leaks and breaches.

Dottie Schindlinger is Diligent Corporation's Governance Technology Evangelist and promotes the intersection of board governance and technology as a recognized expert in the field. Diligent is the leading provider of secure board communication and collaboration tools designed ...