There was no let-up in cyber-attacks during 2015. The scale and impact of incidents, best highlighted by the Office of Personnel Management breach, prove that executives need to quickly get familiar with cyber-risk. Lawsuits following data loss events may mean executives have to defend their cyber-risk management decisions in court.
While a data breach is broadly accepted to be inevitable, executive resignations and long-term business impacts that often follow need not be. Executives should regularly ask five questions of those responsible for cybersecurity concerning the level of cyber-risk their organization is carrying.
1. Does every member of staff take responsibility for protecting the organization’s data?
Cybersecurity should be a key responsibility of every job role, and that means continually educating users on cyber-risk awareness (not just during onboarding), drafting and communicating policy, and sharing best practice. Users should feel comfortable reporting when they may have made a mistake, without fear of repercussions.
Awareness programs cannot guarantee protection, though any extra help in identifying socially engineered emails or suspicious activity on a computer is valuable. Executives, along with others who have access to the organization’s most sensitive data, should receive extra awareness training due to the heightened risk they face of being targeted. Relevant metrics that track the organization’s progress should be agreed and recorded.
2. Is the organization effectively assessing and managing cyber-risk?
Which data, processes or services are most critical to the business and how well is each of those protected? A cyber-risk register with a simple traffic light status overview demonstrates to executives the degree to which risks are being managed.
Establishing risk exposure by identifying vulnerabilities and key assets is the precursor to decision-makers being able to choose whether to avoid, control, transfer, or accept risks. Cyber-risk acceptance is a valid strategy if the decision-makers are fully aware of the risk, though not a recommended course of action where any business-critical data is at stake.
3. Is the organization equipped to deal with the attackers and attacks it faces?
Countering cyber-attacks doesn’t start and end with technology. People and processes are the other pillars of security. Executives need a clear picture of how well prepared the organization is to protect against attacks, as well as its ability to detect, respond to, investigate and remediate intrusions. Conducting a threat assessment on the actors, their capabilities, the likely data targets of their attacks, and their methods can help in prioritizing defensive measures and in directing preparedness exercises.
Tabletop exercises involving the leadership team can simulate responses to state-sponsored IP theft, customer PII compromise, denial of service, destructive malware and even the publication of all corporate data online, as happened in the Sony Pictures Entertainment and Hacking Team compromises. Exercises should be prioritized to complement projects to identify critical data.
Establishing executive roles and responsibilities in the event of a breach is essential, but equally important is having an NDA and purchase order in place with third-party experts to reduce reaction times following an incident.
4. What is the potential impact of a cyber-event?
Executives require a clear understanding of the potential impact following a cyber-attack, and this requires some imagination. What do doomsday attack scenarios look like? Tabletop exercises prepare executives for the most probable events, but it pays dividends to consider the low-probability, high-impact events such as having all emails stolen and published or losing all corporate data to a destructive malware attack.
Organizations should also consider the legal and regulatory impacts of losing data and prepare accordingly. If the organization is part of a supply chain, what effect could a breach have on the confidence of customers? Cyber-insurance is a safety net for many organizations, but is it clear in which circumstances the claim would be paid?
5. Are our suppliers treating cybersecurity seriously?
Businesses routinely carry out due diligence on their suppliers to ensure they are reputable, financially sound, and not affected by sanctions. Third-party cyber-risk due diligence is equally important: how is a supplier protecting their data? What would a compromise of that supplier mean for your data? Is risk increased by dealing with particular suppliers, or suppliers in particular geographies? Cyber-risk does not end at the network boundary.
Conclusion
Cybersecurity is doubtless a very complex technical subject, though at the executive level that complexity must be distilled into the language of business risk. Executives cannot afford to ignore cyber-risk given its breadth and the potential for an attacker to infiltrate the network, regardless of motivation, and steal business-critical assets.
Security solutions, whether traditional or ‘next-gen’, cannot be relied upon to safeguard data, nor can insurance be expected to cover all losses resulting from a compromise. A holistic risk-based approach must be implemented, with appropriate solutions found for discrete challenges, requiring engagement from across the business and sponsored by an executive, often the Chief Information Officer or Chief Financial Officer, who maintains oversight and drives improvement initiatives. The challenge is considerable, but the consequences of ignoring it are potentially devastating.