Risk
9/1/2017
10:00 AM
How Effective Boards Drive Security Mandates

The focus on cybersecurity policies must be prioritized from the top down.

As cyber attacks grow in velocity and severity, enterprises face the challenge of achieving the highest levels of security and data protection without compromising the speed, usability, or access needed for business. Although many technology tools exist to help prevent and mitigate hacks, the greatest source of risk is posed by people — personnel, contractors, partners, and others who we trust will conduct business securely.

As data breaches proliferate, more work must be done to heighten security policies, educate all personnel, and enforce cybersecurity best practices, particularly at the leadership level. Security can't rest solely on the shoulders of IT; security mandates must be modeled by the company's CEO, other C-level executives, and, perhaps most importantly, the board of directors.  

Board members are responsible for a company's overall performance and governance, and have access to the most sensitive information the company owns, but they often feel the least confident in their level of cyber-risk awareness and receive the least cybersecurity oversight. The use of free email service providers (ESPs) and open Internet connections to send/review confidential board materials is rampant.

A recent survey report of 381 board directors by NYSE Governance Services, in partnership with Diligent, found that 92% of respondents use personal email accounts at least occasionally for board communications. Further, 63% said their boards aren't required to undergo security training. These insecure practices have put companies at heightened risk, particularly as cybercriminals zero in on high-profile individuals via whaling attacks (phishing targeted at high-level executives) and other means.

To reduce risk, directors need to become significantly more aware of their companies' security practices and be held accountable to high-level security standards. Here's how some of the most effective boards are becoming more hands-on.

Getting Smart About Data
Forward-thinking board members are having more meaningful security-centric conversations about the importance and value of data. According to many board members attending the 2017 Diligent Director's Experience event, these conversations have been possible thanks to closer collaboration among board members and IT, security, and data teams. Questions such as "Where does our data live?" and "How can we make these areas less vulnerable?" are becoming common in boardrooms.

As part of this process, boards are assessing operational security practices, including reviewing current and past security practices, as well as defining and controlling access to networks and various systems, third-party platforms, applications, and data storage. Once vulnerabilities are pinpointed (for example, via auditing), savvy boards are following through by providing the proper guidance and directives to ensure their organizations are making it a priority to properly fund data security.

Revisiting BYOD Policies
Attacks on mobile devices continue to increase, particularly as a growing number of people use one device for hybrid work/personal use. Not only does this introduce security risks to the enterprise, but most people don't realize how much information is captured by popular mobile applications themselves — for example, contacts, calendars, geolocation apps, photos, and attachments.

In an age of remote working and contract employees, it's not enough to have just a static bring-your-own-device (BYOD) policy in place — this essential corporate mandate must grow/contract based on business needs, cyber-risks being faced, and the needs of the workforce. It must also be stringently enforced, starting from the top down. Board directors are stepping up their responsibilities, working with security and IT leadership to develop and refine these policies, evaluating their effectiveness, and improving them based on evolving industry best practices.

Evaluating the Cost of "Free" Applications
Along with BYOD programs, board directors are also more closely scrutinizing the use of free applications and providers. For example, the NYSE/Diligent report found that nearly half (47%) of respondents agreed that the move to digital file sharing has increased the risk of improper handling of sensitive information. From the use of file sharing and data transfer applications such as Dropbox and WeTransfer, to free ESPs such as Yahoo and Gmail, directors are seeing the negative impact that these insecure, hackable applications can have on the enterprise and are taking steps to reduce or mitigate risks, starting in the boardroom.

Understanding Personal Hacker Motivations
While board members are aware of hacking and data loss risks for the enterprise, too few understand how they can be personally targeted by cybercriminals. There's a treasure trove of confidential corporate information within the reach of a board director: M&A deals and strategy, intellectual property, even litigation. But a board member's contact information — with access to powerful individuals that govern boards in all sectors — is incredibly valuable as well.

With crucial information at risk for both the employee and the organization, boards are now required to become more attuned to the criminal motivations involved in hacking. They must also be aware of the consequences — just ask former FACC CEO Walter Stephan, who was fired in 2016 following a successful whaling attack that cost the company nearly $50 million.  

They must also become increasingly aware of evolving hacking techniques, online threats, and exploits that are designed to not only snare them but other high-profile or high-net-worth individuals in their personal networks as well. Executive-level workshops as well as crisis communication plans and drills are proving effective for helping boards understand their role in cybersecurity and the steps to take if they believe they've been targeted.   

As more breaches are reported around the globe, and as the sophistication of these attacks evolves, it's imperative that directors immerse themselves in cybersecurity strategy and execution. They must collaborate directly with security teams, follow corporate policies and processes, pursue ongoing training to boost their security knowledge, and, above all, be open to changing the way they work in order to fight back against hackers and greatly reduce the likelihood of costly data leaks and breaches. 

Dottie Schindlinger is Diligent Corporation's Governance Technology Evangelist and promotes the intersection of board governance and technology as a recognized expert in the field. Diligent is the leading provider of secure board communication and collaboration tools designed ...