The ever-present threat of cyber attacks, highlighted by the host of massive data breaches affecting most sectors and countries, is forcing businesses of all sizes to take action. Some reports tell us that cyber security is a hot topic in the boardroom, while other reports imply that the board isn’t placing enough emphasis on this thorny matter.
Nevertheless, cyber crime and its associated consequences are here to stay, and if the board is not yet asking the tough questions, it is time that it did. While some might argue that the board is ill-equipped to challenge the CISO (Chief Information Security Officer) about cyber security risks and their countermeasures, several organisations have already embarked on director training in cyber security.
Although boards of directors and CEOs may not need to know why a certain type of malware can penetrate a firewall, they will need to know what their organisation is doing to address threats known to penetrate firewalls. Discussions of cyber risk at board level should include identifying which risks to avoid, accept, mitigate or transfer (through cyber insurance), as well as reviewing specific plans associated with each approach.
The board must ensure that the CISO is reporting at the appropriate levels within the organisation. Although many CISOs report to the CIO, it is important to be aware that there may be conflicting agendas between the CIO and the CISO.
The Institute of Internal Auditors recommends asking the CISO the following questions:
- Does the organisation comply with leading information security frameworks or standards?
Examples include the international information security management standard, ISO 27001, the Payment Card Industry Data Security Standard (PCI DSS) and COBIT, as well as HIPAA for organisations in the US healthcare industry.
- What are the top risks the organisation faces?
Examples could include ‘bring your own device’, Cloud computing, internal threats (employee errors or malicious acts) or supply chain risks.
- Do we have an effective information security awareness programme?
Most companies realise the benefits of effective staff awareness training. Ensure that the training provides sufficient awareness about the key threats and employee behaviours that can result in a data breach. Staff should also be aware of the increasingly sophisticated tactics used by phishing attacks.
- Are we considering the internal threat?
A startlingly large number of breaches are caused by employee error (often conducted by managers!) or malicious behaviour.
- In the event of a data breach, what is our response plan?
Many cyber security experts now believe that it is no longer a matter of ‘if’ but ‘when’ you will be breached. The critical difference between organisations that will survive a data breach and those that won’t is the implementation of a cyber resilience strategy, which takes into account incident response planning and disaster recovery strategies to bounce back from a cyber attack with minimal disruption to the business. The board should also be aware of the laws governing its duties to disclose a data breach.
Other important questions include:
- Are we conducting comprehensive and regular information security risk assessments?
The risk assessment should provide the board with an assurance that all relevant risks have been taken into account, and that there is a commonly defined and understood means of communicating and acting on the results of the risk assessment. Worryingly, 32% of respondents to a recent PwC information security breaches survey (ISBS) had not undertaken any form of risk assessment. Proven software tools can help speed up and streamline the risk assessment process.
- Are we adequately insured?
Recent reports reveal that cyber insurance is not adequate to protect companies from a full-scale cyber attack. Although it is difficult to quantify how expensive a data breach can be, information about other data breaches in your industry should provide an indication of the potential damages your organisation might face. Latest statistics reveal that breaches cost large organisations between £1.46m and £3.14m in 2014. Many organisations don’t realise that they are liable for a data breach even if the data is stored in the Cloud, or if a third party with which they share information is breached.
- Are we testing our systems before there’s a problem?
There are many tests that can be undertaken to assess the vulnerability of systems, networks and applications. An important element of any security regime should be regular penetration tests. Pen tests are simulated attacks on a computer system with the intent of finding security weaknesses that could be exploited. They help establish whether critical processes such as patching and configuration management have been followed correctly. Many companies fail to conduct regular penetration tests, falsely assuming the company is safe, but new vulnerabilities and threats arise on a daily basis, requiring the company to continually test its defences against emerging threats.
- Have our internal cyber security controls been audited?
If the organisation has chosen to comply with an information security standard such as ISO 27001:2013, an independent review of an organisation’s information security controls can be conducted by a certification body, and can be used to provide evidence of the organisation’s commitment to information security. This can in turn be used as a competitive advantage when bidding for new business, as indeed is the case with companies certified to ISO 27001.
- Is our information security budget being spent appropriately?
26% of respondents to the PwC ISBS said they don’t evaluate how effective their security expenditure is.
The board can help prevent problems before they arise by taking a more active role in cyber risk discussions.
Author: Julia Dutton - http://www.itgovernance.co.uk/