Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

9/1/2017
10:00 AM
How Effective Boards Drive Security Mandates

The focus on cybersecurity policies must be prioritized from the top down.

As cyber attacks grow in velocity and severity, enterprises face the challenge of achieving the highest levels of security and data protection without compromising the speed, usability, or access needed for business. Although many technology tools exist to help prevent and mitigate hacks, the greatest source of risk is posed by people — personnel, contractors, partners, and others who we trust will conduct business securely.

As data breaches proliferate, more work must be done to strengthen security policies, educate all personnel, and enforce cybersecurity best practices, particularly at the leadership level. Security can't rest solely on the shoulders of IT; security mandates must be modeled by the company's CEO, other C-level executives, and, perhaps most importantly, the board of directors.

Board members are responsible for a company's overall performance and governance, and have access to the most sensitive information the company owns, but they often feel the least confident in their level of cyber-risk awareness and receive the least cybersecurity oversight. The use of free email service providers (ESPs) and open Internet connections to send/review confidential board materials is rampant.

A recent survey report of 381 board directors by NYSE Governance Services, in partnership with Diligent, found that 92% of respondents use personal email accounts at least occasionally for board communications. Further, 63% said their boards aren't required to undergo security training. These insecure practices have put companies at heightened risk, particularly as cybercriminals zero in on high-profile individuals via whaling attacks (phishing targeted at high-level executives), and other means.

To reduce risk, directors need to become significantly more aware of their companies' security practices and be held accountable to high-level security standards. Here's how some of the most effective boards are becoming more hands-on.

Getting Smart About Data
Forward-thinking board members are having more meaningful security-centric conversations about the importance and value of data. According to many board members attending the 2017 Diligent Director's Experience event, these conversations have been possible thanks to closer collaboration among board members and IT, security, and data teams. Questions such as "Where does our data live?" and "How can we make these areas less vulnerable?" are becoming common in boardrooms.

As part of this process, boards are assessing operational security practices, including reviewing current and past security practices, as well as defining and controlling access to networks and various systems, third-party platforms, applications, and data storage. Once vulnerabilities are pinpointed (for example, via auditing), savvy boards are following through by providing the proper guidance and directives to ensure their organizations are making it a priority to properly fund data security.

Revisiting BYOD Policies
Attacks on mobile devices continue to increase, particularly as a growing number of people use one device for hybrid work/personal use. Not only does this introduce security risks to the enterprise, but most people don't realize how much information is captured by popular mobile applications themselves — for example, contacts, calendars, geolocation apps, photos, and attachments.

In an age of remote working and contract employees, it's not enough to have just a static bring-your-own-device (BYOD) policy in place — this essential corporate mandate must expand or contract based on business needs, the cyber-risks being faced, and the needs of the workforce. It must also be stringently enforced, starting from the top down. Board directors are stepping up their responsibilities, working with security and IT leadership to develop and refine these policies, evaluating their effectiveness, and improving them based on evolving industry best practices.

Evaluating the Cost of "Free" Applications
Along with BYOD programs, board directors are also more closely scrutinizing the use of free applications and providers. For example, the NYSE/Diligent report found that nearly half (47%) of respondents agreed that the move to digital file sharing has increased the risk of improper handling of sensitive information. From the use of file sharing and data transfer applications such as Dropbox and WeTransfer, to free ESPs such as Yahoo and Gmail, directors are seeing the negative impact that these insecure, hackable applications can have on the enterprise and are taking steps to reduce or mitigate risks, starting in the boardroom.

Understanding Personal Hacker Motivations
While board members are aware of hacking and data loss risks for the enterprise, too few understand how they can be personally targeted by cybercriminals. There's a treasure trove of confidential corporate information within the reach of a board director: M&A deals and strategy, intellectual property, even litigation. But a board member's contact information — with access to powerful individuals who govern boards in all sectors — is incredibly valuable as well.

With crucial information at risk for both the individual and the organization, boards must now become more attuned to the criminal motivations involved in hacking. They must also be aware of the consequences — just ask former FACC CEO Walter Stephan, who was fired in 2016 following a successful whaling attack that cost the company nearly $50 million.

They must also become increasingly aware of evolving hacking techniques, online threats, and exploits that are designed to snare not only them but also other high-profile or high-net-worth individuals in their personal networks. Executive-level workshops, as well as crisis communication plans and drills, are proving effective for helping boards understand their role in cybersecurity and the steps to take if they believe they've been targeted.

As more breaches are reported around the globe, and as the sophistication of these attacks evolves, it's imperative that directors immerse themselves in cybersecurity strategy and execution. They must collaborate directly with security teams, follow corporate policies and processes, pursue ongoing training to boost their security knowledge, and, above all, be open to changing the way they work in order to fight back against hackers and greatly reduce the likelihood of costly data leaks and breaches.

Dottie Schindlinger is Diligent Corporation's Governance Technology Evangelist and promotes the intersection of board governance and technology as a recognized expert in the field. Diligent is the leading provider of secure board communication and collaboration tools designed ...