If you’re a Board of Directors member, you should be concerned about cybersecurity risks. As a Director executing your “Duty of Care,” perhaps you’ve tried to read up on the subject. Maybe the CISO or an outside cybersecurity consultant did a presentation for the board? If so, great! But let me make a wild guess: The material was either very technical and jargon-filled, too general to seem actionable (how many cybersecurity “frameworks” are there, anyway?), or both. When you finished reading or listening, were you left wondering what questions to ask management?
If that’s where you are, read on. I’m going to share six principles that can increase your level of understanding, reduce risks from cybersecurity incidents and minimize the damage such incidents can do to your organization. And none of these principles require a computer science degree to understand!
Which companies are the most important vendors in cybersecurity? Click here to see the Acceleration Economy Top 10 Cybersecurity Shortlist, as selected by our expert team of practitioner-analysts.
1. Robust Prevention — Lock Exterior Doors
The first goal of cybersecurity is to keep unauthorized users out of your systems. Despite what you read in the news, most incidents aren’t targeted attacks by nation-states (if your organization is worried about nation-state attacks, you need more than this short article!). Most attacks are indiscriminate ones launched against many targets in the hope of getting lucky. It’s the cyber equivalent of jiggling door handles on a row of parked cars to find the one left unlocked. Remember the joke about a bear chasing two hikers? “I just have to outrun you” doesn’t just apply to running from bears. It applies to cybersecurity prevention, too.
Tip: Ask your cybersecurity and IT executives about their cyber hygiene. Hygiene refers to executing basic security processes without fail or error. It runs the gamut from requiring default passwords to be changed to applying bug fixes as soon as vendors issue them to keeping track of all your network hardware . . . and so on. If any security process can be skipped or postponed without triggering alerts, your organization is at risk of being caught by “the bear.”
2. Quick Detection — Don’t Give Attackers Time to Settle In
Cyber attackers are like termites, boring their way into your hidden but vital infrastructure. Much like termites, their damage gets worse over time. The cyber term for this boring from within is “Dwell Time”: the delay from penetration to discovery. Firms are reluctant to disclose details of breaches, but dwell time estimates for some significant breaches range from 100 days to over a year! Imagine termites in your walls for a year, and you’ll understand how much damage an undiscovered breach can do!
Tip: Be sure your cybersecurity teams employ tools that continuously scan the information technology (IT) environment looking for anomalies (technical term: IOCs, or “Indicators of Compromise”). The best tools examine every piece of data flowing through the network and every program as it executes, looking for things that seem out of place (For example, why is a payroll clerk in Dallas trying to access engineering drawings in Sao Paulo?). Modern security design should be based on the “zero trust” principle. Zero trust means actors (people or devices) get access only to resources (applications and data) they have been explicitly authorized to access. Moreover, they get only enough access to do their jobs. For example, payroll clerks can view and update data about the payrolls to which they’re assigned. In contrast, a data analyst looking at salary trends can update nothing and see only aggregated data rather than individual employee data.
3. Defense in Depth — Lock Interior Doors, Too
Every retail store has a “customer area” and a locked door (or several) separating customer areas from employee-only areas. It seems like a basic precaution to keep inventory safe, right? It may come as a shock, but few IT networks use the same thinking. Once an attacker breaches your outer perimeter (or sweet-talks their way inside using “social engineering”), they probably have unrestricted access to all parts of your network. A break-in through a subcontractor work-order portal caused the infamous Target breach because this low-security part of the network wasn’t kept isolated from the extremely sensitive card swipes at cash registers.
Tip: Here’s another facet of zero trust: Even your own network devices and applications (resources) can access only other resources they’re explicitly authorized to access. Since the “vendor A/P” app has no reason to access customer data or card swipes, an attacker infiltrating that app would be blocked (and such a request would generate an IOC that would lead to immediate defensive and detective actions).
4. Keeping Secrets Secret — Encrypted Data Doesn’t Leak
Want to impress your CISO? Ask, “Is all sensitive data encrypted at rest and in motion?” (Even better: “Is all data…”) You’re asking whether they store the data on disk and (backup) tape in encrypted form. Additionally, you’re asking if they send sensitive data from place to place in encrypted form.
Anything other than a “yes” is simply unacceptable. Unencrypted data allows an attacker to sell your sensitive data or use it for competitive purposes. It also means they can leak embarrassing details to the press (a la the Sony breach).
Tip: Given today’s encryption technology, encryption should be the norm for all data…but it’s often not turned on. Two excuses are commonly offered:
- “It slows the system down too much” (translation: our storage and networking hardware technology suffers from “technical debt” and is obsolete);
- It’s inconvenient for users who need access (translation: our security is such a mess that we can’t determine who needs what access)
5. Effective Repair and Restoration — Prepare to Repel Boarders
Once you strongly suspect a breach, stop dithering. Break out your incident management plan and execute, execute, execute! There are many facets to an incident management plan, but it should include:
- Triggering criteria (crying wolf can be almost as bad from a PR standpoint as delaying)
- Roles and responsibilities (who gets notified, who owns what tasks, who makes what decisions)
- Scenario plans (immediate responses to each anticipated type of incident)
Tip: Coordinate by creating integrated plans across physical security, risk, legal, PR/IR, etc. Prepare in advance — don’t “wing it” when dealing with fast-developing incidents. Also, pre-engage outside experts — identify likely specialists (legal, cyber, PR/IR) in advance and at least negotiate contracts ahead of time (even better, work out retainer arrangements).
6. Not Keeping All Your Backup Eggs in One Basket
Data in all its forms is the lifeblood of any organization. Ransomware works by silently encrypting your data, rendering it unusable by your organization. If you have good backups, you can quickly restore your data and return to work while taking other recovery steps. The fly in the ointment is that extended dwell time enables attackers to encrypt your backups day by day by day, or even mass-encrypt backups stored within your IT environment until all your valid data gets overwritten. Once that happens, it’s probably time to pay the ransom . . . but be aware that some attackers have no intention of providing decryption keys, even if you pay. In that situation, your recovery can take months to forever (i.e., you close your doors).
Tip: If you can’t keep attackers out, a combination of the previous tips minimizes your risk of permanent data loss: Reduce dwell time to minimize stealthy encryption of files and backups; implement zero trust to minimize illicit access to files and backups; physically isolate backup media to minimize mass encryption of backups.
There you have it: Six core cybersecurity principles were presented without excessive jargon. As a board member, you should verify your organization’s cyber-risk prevention, detection, and restoration plan in case the organization is targeted. I strongly suggest discussing the six cybersecurity principles with management until you’re comfortable with the level of residual risk they’ve designed into their IT systems.
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: