BreachExchange mailing list archives

Five Cybersecurity Questions Every Executive Should Ask


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 4 Feb 2016 19:01:56 -0700

http://www.infosecurity-magazine.com/blogs/five-cybersecurity-questions/


There was no let-up in cyber-attacks during 2015. The scale and impact of
incidents, best highlighted by the Office of Personnel Management breach,
proves that executives need to quickly get familiar with cyber-risk.
Lawsuits following data loss events may mean executives have to defend
their cyber-risk management decisions in court.

While a data breach is broadly accepted to be inevitable, executive
resignations and long-term business impacts that often follow need not be.
Executives should regularly ask five questions of those responsible for
cybersecurity concerning the level of cyber-risk their organization is
carrying.

1. Does every member of staff take responsibility for protecting the
organization’s data?

Cybersecurity should be a key responsibility of every job role and that
means continually educating users on cyber-risk awareness (not just during
onboarding), drafting and communicating policy, and sharing best practice.
Users should feel comfortable in reporting when they may have made a
mistake without the fear of repercussions.

Awareness programs cannot guarantee protection, though any extra help in
identifying socially engineered emails or suspicious activity on a computer
is valuable. Executives, along with others who have access to the
organization’s most sensitive data, should receive extra awareness training
due to the heightened risk they face of being targeted. Relevant metrics
that track the organization’s progress should be agreed and recorded.

2. Is the organization effectively assessing and managing cyber-risk?

Which data, processes or services are most critical to the business and how
well is each of those protected? A cyber-risk register with a simple
traffic light status overview demonstrates to executives the degree to
which risks are being managed.

Establishing risk exposure by identifying vulnerabilities and key assets is
the precursor to decision-makers being able to choose whether to avoid,
control, transfer, or accept risks. Cyber-risk acceptance is a valid
strategy if the decision-makers are fully aware of the risk, though not a
recommended course of action where any business-critical data is at stake.

3. Is the organization equipped to deal with the attackers and attacks it
faces?

Countering cyber-attacks doesn’t start and end with technology. People and
processes are the other pillars of security. Executives need a clear
picture of how well prepared the organization is to protect against
attacks, as well as its ability to detect, respond to, investigate and
remediate intrusions. Conducting a threat assessment on the actors, their
capabilities, the likely data targets of their attacks, and their methods
can help in prioritizing defensive measures and in directing preparedness
exercises.

Tabletop exercises involving the leadership team can simulate responses to
state-sponsored IP theft, customer PII compromise, denial of service,
destructive malware and even the publication of all corporate data online,
as happened in the Sony Pictures Entertainment and Hacking Team
compromises. Exercises should be prioritized to complement projects to
identify critical data.

Establishing executive roles and responsibilities in the event of a breach
is essential, but equally important is having an NDA and purchase order in
place with third-party experts to reduce reaction times following an
incident.

4. What is the potential impact of a cyber-event?

Executives require a clear understanding of the potential impact following
a cyber-attack, and this requires some imagination. What do doomsday
scenarios of attacks look like? Tabletop exercises prepare executives for
the most probable events, but it pays dividends to consider the
low-probability, high-impact events such as having all emails stolen and
published or losing all corporate data to a destructive malware attack.

Organizations should also consider the legal and regulatory impacts of
losing data and prepare accordingly. If the organization is part of a
supply chain, what effect could a breach have on the confidence of
customers? Cyber-insurance is a safety net for many organizations, but is
it clear in which circumstances the claim would be paid?

5. Are our suppliers treating cybersecurity seriously?

Businesses routinely carry out due diligence on their suppliers to ensure
they are reputable, financially sound, and not affected by sanctions.
Third-party cyber-risk due diligence is equally important: how is a
supplier protecting their data? What would a compromise of that supplier
mean for your data? Is risk increased by dealing with particular suppliers,
or suppliers in particular geographies? Cyber-risk does not end at the
network boundary.

Conclusion

Cybersecurity is doubtless a very complex technical subject, though at the
executive level that complexity must be distilled into the language of
business risk. Executives cannot afford to ignore cyber-risk given its
breadth and the potential for an attacker to infiltrate the network,
regardless of motivation, and steal business-critical assets.

Security solutions, whether traditional or ‘next-gen’, cannot be relied
upon to safeguard data, nor can insurance be expected to cover all losses
resulting from a compromise. A holistic risk-based approach must be
implemented, with appropriate solutions found for discrete challenges,
requiring engagement from across the business and sponsored by an
executive, often the Chief Information Officer or Chief Financial Officer,
who maintains oversight and drives improvement initiatives. The challenge
is considerable, but the consequences of ignoring it are potentially
devastating.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
