With every day bringing news of a new cybersecurity breach – Sony, JPMorgan, RSA, Global Payments, ADP, Symantec, International Monetary Fund, Home Depot and countless others – boards rightly are concerned about how best to provide oversight and governance of a company’s cybersecurity efforts, particularly when many board members are uncertain they even know the right questions to ask.
Using the “Four Pillars of Cybersecurity Governance” as a framework can help boards of directors create a structured approach to governance that organizes the board’s areas of oversight responsibility, improves coverage of critical areas, and most importantly gives directors clearer visibility into cybersecurity risk. By dividing risks into four categories – External, Internal, Ecosystem, and Social/Reputational – boards can obtain greater assurance that all potential areas of cyber risk are being examined by the company, and that the company has adequately planned both appropriate protection against, and responses to, the breaches that will in all likelihood occur. While the underlying technologies used to address each of these areas may be similar, it is the board’s responsibility to examine not just the technology but the processes governing each of these areas.
The Four Pillars
First let’s define the Four Pillars of Cybersecurity Governance, then take a look at questions directors should be asking.
External Threats
This is the area most people immediately think about when cybersecurity governance is mentioned. External risks consist of outright attacks by entities external and hostile to the company. The entities may be cybercriminals intending to steal intellectual property or corporate assets such as customer lists, credit card information, design documents or other confidential information. Other external risks may come from nation-states intending either to steal information or – as in the recent Sony case – to affect a particular outcome. Cyber attacks can also come from competitors seeking market advantage or from hacktivists who target companies for their political or social statements. Attacks range from more passive ones, such as obtaining information about pending M&A activity with no damage or active malicious use of the obtained data, to potentially crippling attacks such as the one conducted against Saudi Aramco, where the data on roughly 30,000 computers was wiped. Typical external attacks include denial of service, password-based attacks, man-in-the-middle attacks and others.
Internal Threats
As has been seen from numerous well-publicized leaks, employees deliberately releasing information can create a risk as large as, or even larger than, outright attacks from external sources. Employees accidentally revealing information can pose great threats as well, especially when that information is used by capable cybercriminals. For example, combining a list of names and email addresses with a detailed organization chart can enable phishing attacks that appear to come from valid internal email addresses and follow the proper chain of command for approvals – thereby enabling funds or confidential information to be sent to outside parties by employees unaware of the deception.
Ecosystem Threats
Every company today is an internet company, and partners and vendors routinely have access to internal information. If a partner or vendor has weaker security than your company, and its relationship to your company is known, cybercriminals may take the easier route and attack the partner’s or vendor’s systems to obtain information that then enables them to defeat the company’s own security by leveraging what they have acquired.
Social and Reputational Threats
Brands and reputations can be put at risk by more subtle forms of cybercrime that lead to loss of market value, brand reputation and customer confidence. Typical abuses include counterfeiting a company’s brand, fraudulently using the brand to impersonate its content or products, manipulating search engine results to drive traffic to competitors’ web sites or unauthorized content, selling or using pirated digital content, and brand-jacking to reduce brand value.
Questions Directors Should Ask: Using the Four Pillars as a Guide
While clearly each director must deeply think about the most appropriate questions on cybersecurity governance to ask given a company’s particular situation, below is a sampling of questions that should initiate a serious and considered discussion at the board level.
External Threats
What types of cybersecurity attacks is the company protecting against, and what is their probability of occurrence? For risks that are lower in probability and less well defended against, what is the exposure if such a breach does occur? What type of IT infrastructure has the company put in place, and how does it compare to best-of-breed practices? What processes are in place to monitor exposure, and what is the expected timeframe for detection? In case of breach, are there planned company responses to the likely types of breaches? When and how is the board informed?
Internal Threats
It is a best practice in cybersecurity governance to query management on the steps taken to protect against intentional or accidental exposures. What type of access controls are in place for sensitive information and key systems? When was the last time those access controls were tested? Who determines who has access to what information, and when was that last reviewed? Are there online document management systems in place to limit what employees can download or email? What systems are in place to enable remote wiping of mobile devices if a device is stolen or a disgruntled employee leaves with a device containing confidential information? Does HR monitor online forums where employees post anonymous or named opinions about the company? While anonymous posts may not identify specific individuals, a large number of negative posts significantly increases the likelihood of risk. Perhaps the most important question to ask is whether, as part of its internal controls evaluation process, the company tests the impact of a catastrophic employee breach. This should be part of every internal controls process.
Ecosystem Threats
What are the system touch points between the company and its partners and vendors? If email is the primary communication channel, what steps are taken to ensure information is not further disseminated? If online collaboration systems are used, what is the process for managing access? How frequently does the partner update its access controls? If one of the partner’s employees leaves, is their access revoked immediately, or can they continue to reach your company’s data through their former employer?
Social and Reputational Threats
What is the quantitative value of the brand? If the brand is used fraudulently, what are the potential consequences and financial exposure? Does the company have digital content that could be used inappropriately or fraudulently? What are the customer satisfaction levels? Are there situations in which a dissatisfied customer could create social media disruption that would harm the brand?
By focusing on the Four Pillars of Cybersecurity Governance, boards can more easily understand the different types of cyber risk and the questions to ask of the company to ensure that proper steps are being taken to protect against, respond to, and recover from the attacks that will, in all likelihood, occur at some point in the company’s life.