Dark Reading is part of the Informa Tech Division of Informa PLC

How Effective Boards Drive Security Mandates

The focus on cybersecurity policies must be prioritized from the top down.

As cyber attacks grow in velocity and severity, enterprises face the challenge of achieving the highest levels of security and data protection without compromising the speed, usability, or access needed for business. Although many technology tools exist to help prevent and mitigate hacks, the greatest source of risk is posed by people — personnel, contractors, partners, and others who we trust will conduct business securely.

As data breaches proliferate, more work must be done to strengthen security policies, educate all personnel, and enforce cybersecurity best practices, particularly at the leadership level. Security can't rest solely on the shoulders of IT; security mandates must be modeled by the company's CEO, other C-level executives, and, perhaps most importantly, the board of directors.

Board members are responsible for a company's overall performance and governance and have access to the most sensitive information the company owns, yet they often feel the least confident in their level of cyber-risk awareness and receive the least cybersecurity oversight. The use of free email service providers (ESPs) and open, unsecured Internet connections to send and review confidential board materials is rampant.

A recent survey report of 381 board directors by NYSE Governance Services, in partnership with Diligent, found that 92% of respondents use personal email accounts at least occasionally for board communications. Further, 63% said their boards aren't required to undergo security training. These insecure practices have put companies at heightened risk, particularly as cybercriminals zero in on high-profile individuals via whaling attacks (phishing targeted at high-level executives), and other means.

To reduce risk, directors need to become significantly more aware of their companies' security practices and be held accountable to high-level security standards. Here's how some of the most effective boards are becoming more hands-on.

Getting Smart About Data
Forward-thinking board members are having more meaningful security-centric conversations about the importance and value of data. According to many board members attending the 2017 Diligent Director's Experience event, these conversations have been possible thanks to closer collaboration among board members and IT, security, and data teams. Questions such as "Where does our data live?" and "How can we make these areas less vulnerable?" are becoming common in boardrooms.

As part of this process, boards are assessing operational security practices, both current and past, and are looking at how access to networks, internal systems, third-party platforms, applications, and data storage is defined and controlled. Once weaknesses are pinpointed (for example, through an audit), savvy boards follow through with the guidance and directives needed to ensure their organizations make properly funding data security a priority.

Revisiting BYOD Policies
Attacks on mobile devices continue to increase, particularly as a growing number of people use a single device for both work and personal use. Not only does this introduce security risks to the enterprise, but most people don't realize how much information popular mobile applications themselves capture: contacts, calendars, geolocation data, photos, and attachments, for example.

In an age of remote working and contract employees, it's not enough to have a static bring-your-own-device (BYOD) policy in place. This essential corporate mandate must expand or contract based on business needs, the cyber-risks being faced, and the needs of the workforce. It must also be stringently enforced, starting from the top down. Board directors are stepping up their responsibilities, working with security and IT leadership to develop and refine these policies, evaluating their effectiveness, and improving them based on evolving industry best practices.

Evaluating the Cost of "Free" Applications
Along with BYOD programs, board directors are also more closely scrutinizing the use of free applications and providers. For example, the NYSE/Diligent report found that nearly half (47%) of respondents agreed that the move to digital file sharing has increased the risk of improper handling of sensitive information. From file-sharing and data-transfer applications such as Dropbox and WeTransfer to free ESPs such as Yahoo and Gmail, directors are seeing the negative impact that consumer services operating outside the enterprise's security controls and monitoring can have on the company, and they are taking steps to reduce or mitigate those risks, starting in the boardroom.

Understanding Personal Hacker Motivations
While board members are aware of hacking and data loss risks for the enterprise, too few understand how they can be personally targeted by cybercriminals. There's a treasure trove of confidential corporate information within the reach of a board director: M&A deals and strategy, intellectual property, even litigation. But a board member's contact information, with its access to powerful individuals who govern boards in all sectors, is incredibly valuable as well.

With crucial information at risk for both the individual and the organization, boards must become more attuned to the criminal motivations behind hacking. They must also be aware of the consequences. Just ask former FACC CEO Walter Stephan, who was fired in 2016 following a successful whaling attack that cost the company nearly $50 million.

They must also become increasingly aware of evolving hacking techniques, online threats, and exploits designed to snare not only them but also other high-profile or high-net-worth individuals in their personal networks. Executive-level workshops, together with crisis communication plans and drills, are proving effective in helping boards understand their role in cybersecurity and the steps to take if they believe they've been targeted.

As more breaches are reported around the globe, and as the sophistication of these attacks evolves, it's imperative that directors immerse themselves in cybersecurity strategy and execution. They must collaborate directly with security teams, follow corporate policies and processes, pursue ongoing training to boost their security knowledge, and, above all, be open to changing the way they work in order to fight back against hackers and greatly reduce the likelihood of costly data leaks and breaches. 



Dottie Schindlinger is Diligent Corporation's Governance Technology Evangelist and promotes the intersection of board governance and technology as a recognized expert in the field. Diligent is the leading provider of secure board communication and collaboration tools designed ...