Putting cybersecurity at the top of the board’s agenda

Adopting good cybersecurity practice can make a considerable difference in the resilience of your organisation

Toby Chinn

Head of Control Risks’ Cybersecurity practice

Was cybersecurity at the top of your priority list when the WannaCry attack hit? When a cyberattack strikes it can quickly become headline news, causing serious disruption to an organisation for days on end and costing hundreds of thousands of dollars in lost data, reputational damage, lost customers and regulatory fines.

WannaCry, one of the largest cyberattacks ever seen, hit thousands of organisations worldwide within a day, causing severe damage. A summary by the BBC points out that, in the first few hours of the attack, 61 National Health Service organisations in the UK were disrupted – something that was echoed among many other organisations across the globe.

One of the many lessons companies can draw from this attack is that if cybersecurity wasn’t a board-level priority before, it should be now. No company or country, however big or small, is immune to attacks by cybercriminals. In the worst case, breaches can cause major corporate crises that can paralyse entire corporations for days, often causing severe financial damage. According to the UK National Cybersecurity Centre, the average cost of a security breach is estimated today at between £600,000 and £1.15 million. Unsurprising, then, that the World Economic Forum has rated cybersecurity as one of the top three risks for 2017.

Control Risks’ latest State of the Cybersecurity Landscape report found that while most companies now have notional board oversight in matters of cybersecurity, around half of these companies’ key IT and business decision-makers think their boards have no proper grasp of the issues.

Obviously, one of the main challenges board-level executives face in regards to dealing with cybersecurity is the technical complexity of the tools and strategies used. But as with every other kind of corporate risk, business directors don’t need to fully immerse themselves in technology in order to play an effective role in cyber risk oversight.

An understanding at board level of the threats that an organisation faces is a first and vital step in the right direction. Without full board-level support, IT departments, which are often in charge of dealing with cyber risks, find themselves under-resourced, isolated from the rest of the business and without sufficient budget to manage these risks effectively. In interviews with large organisations of more than 2,000 employees across 20 countries, a number of issues consistently presented themselves as key management concerns regarding cybersecurity. In particular, these concerned the approach to cyber risk management and the issue of third-party cyber risk.

Effective risk management is crucial to reduce damage

According to Control Risks’ survey, adopting a risk-based approach to cybersecurity is something companies are really struggling with. Worryingly, more than a third of organisations interviewed have not conducted a risk assessment at all within the past year. And even though the other 68 per cent of respondents have performed a risk assessment in the past year, 45 per cent of respondents cited it as their primary challenge.

Furthermore, while the report found that the majority of organisations said the C-suite was most accountable for cybersecurity management and decision-making (77 per cent), almost half of these companies said they do not believe their organisation’s board-level executives take cybersecurity as seriously as they should. Reflecting this, around a third (31 per cent) of the companies interviewed are either ‘very’ or ‘extremely’ concerned that they will suffer a cyberattack in the next year.

Third-party breaches are a growing concern

In today’s business environment, almost all companies rely on third parties in their supply chains. This creates a potential extension of their cyber risk and is especially the case as businesses increasingly outsource sensitive aspects of their business, such as payroll and other finance functions, technology service providers, legal functions and even research and development. A cyber breach on one third party’s systems can have significant consequences for the wider network. As Ben Lawsky, New York State’s top financial regulator, said in a letter to dozens of US banks: “It is abundantly clear that, in many respects, a firm’s level of cybersecurity is only as good as the security of its vendors.” 1

As found in the survey, 35 per cent of respondents said that a third party cyber breach had affected their organisation. This was lower for organisations in Europe and the Middle East (33 per cent) and Africa (21 per cent), but higher for respondents in Asia (39 per cent) and the Americas (38 per cent), which may lead to the assumption that there are regional differences in companies’ willingness to report cyber breaches to their customers.

Measures companies currently take to manage cybersecurity risk beyond their own IT ecosystem appear insufficient

According to the State of Cybersecurity Landscape report, 34 per cent of respondents said that vetting third parties’ cybersecurity standards is a challenge. This was significantly lower for companies in the Netherlands (13 per cent) and higher for companies in Germany (41 per cent). Only 23 per cent of the organisations interviewed described their companies’ approach to cyber risks resulting from the use or acquisition of third parties as excellent.

Of organisations that have a cyber crisis management plan, a quarter say they do not address what third parties should do if they suffer a breach that may impact the respondent’s organisation, though regional differences here are significantly high with 62 per cent for Africa and 26 per cent for the Americas, 23 per cent for Europe and the Middle East and 21 per cent for Asia.

Most (93 per cent) respondents’ organisations say that they have taken steps to evaluate their third parties’ cybersecurity measures. Around half acquire signatures on contracts that legally oblige the vendor to adhere to security and privacy practices (53 per cent), obtain evidence of security certification (49 per cent) or conduct an independent audit of the vendor’s security and privacy practices (48 per cent). Despite this, nearly half (48 per cent) of those surveyed agree that their organisation does not consider the impact of partners/vendors’ cybersecurity as much as it should.

The way cyber threats are assessed and communicated throughout a business is key

Control Risks’ advice is always to start with the threat. This should involve considering the specific cybersecurity threats to the organisation, what impact these threats might have and how current controls mitigate them. Having assessed these risks, the organisation can then integrate them into the organisation’s overall risk management strategy.

Taking the wider business through the process of how an external threat actor (e.g. a cybercriminal) may utilise a specific attack to gain access to data and systems and exploit them will help to explain exactly why other departments and senior leaders need to take action and champion relevant parts of any cybersecurity strategy. Such an approach also ensures that the variables that indicate how a risk may evolve over time (threat, likelihood, impact) are clearly understood, leading to clearer discussions on prioritising spending and focussing effort on the areas that matter most.

Building confidence in the board’s cybersecurity management capabilities

It is important that everyone across all levels of an organisation, including those at C-suite and executive board level, approach cybersecurity as an enterprise risk and develop a mitigation strategy that not only protects the company, its assets and its operations, but also enables business. Actionable recommendations include:

1 Ensure cybersecurity becomes a regular board agenda item

This should include reviewing your external cyber threat landscape and include an IT expert; or create a cybersecurity committee to address the issue as a wider business threat. This also ensures that the cybersecurity budget is being spent in the most effective way.

2 Conduct regular cyber crisis management exercises that involve all relevant parties

Include the C-suite, IT, legal, communications and any other members of the crisis management team – so that all parties understand their roles and responsibilities and the potential implications of a cyberattack.

3 Ensure all employees, including the board, are educated to understand their potential cyber exposure

This includes how a breach might occur in any part of the business. Risk assessments in particular are a good way to educate employees on cybersecurity threats that the organisation might face.

4 Conduct a risk assessment

A comprehensive assessment is required to identify gaps in cybersecurity across the wider organisation and potential legal, reputational and financial implications of a breach. An assessment usually starts by taking employees through the process of how an external threat actor (e.g. a cybercriminal) may utilise a specific attack method to gain access to data and systems and exploit them. Assessing risks on this basis will help to explain exactly why other departments and senior leaders need to take action and champion relevant parts of any cybersecurity strategy. Such an approach also ensures that the variables that indicate how a risk may evolve over time (threat, likelihood, impact) are fully understood, leading to clearer discussions on prioritising spending and focusing effort on the areas that matter most.

5 Take steps to understand the impact a third-party breach could have on the business

This should go beyond simply acquiring a signature on contracts to legally oblige the vendor to adhere to security and privacy practices. Therefore, cybersecurity should be included in a company’s broader vendor vetting process, which should consider the company’s broader risk strategy and account for accepted risks as well as proactive mitigations. Beyond this, a company should ensure that its crisis management plan accounts for circumstances that may lead to a loss of customer data, or fines as a result of a third-party breach.

When it comes to a cyberbreach, it really isn’t a case any longer of ‘if’ but ‘how badly’ your organisation could get hit. WannaCry serves as just one of many examples why having cybersecurity on the board’s ‘to do’ list is no longer sufficient. Moving towards a common perception of cybersecurity as a holistic business risk, and educating all employees on the importance of good cybersecurity practice, must be the next steps in tackling today’s challenges.

There is no magic formula for protecting your organisation against the rapidly evolving world of cyberattacks. But acknowledging this and adapting your cybersecurity measures to match the threat landscape as well as upskilling the entire organisation based on this understanding can make a considerable difference in the resilience of your organisation to resist the next cyberattack that you might face.

1 http://www.reuters.com/article/us-regulator-cybersecurity-lawsky-idUSKCN0IB03220141022

[Image caption] KEY TO CYBER SUCCESS: Boards that stay informed on security issues are likely to respond better to an attack

Cybersecurity: A fiduciary duty

Practicing good cybersecurity hygiene will not make directors ‘WannaCry’

The #CyberAvengers are:

Paul Ferrillo, Chuck Brooks, Kenneth Holley, George Platsis, George Thomas, Shawn Tuma & Christophe Veltsos

The recent WannaCry ransomware exploit brought into full view several factors that terrify many companies and their boards of directors. Why? Because these directors are charged with the fiduciary duty of overseeing the cyber risk preparations and defences of their companies for their shareholders.

In today’s environment, this presents quite a challenge for companies and boards alike. Security has always been a challenge because the defender must be right 100 per cent of the time and an attacker needs only one lucky shot. Effective cyberattacks can involve factors such as:

1 A ‘zero-day’ or previously unknown software exploit (or vulnerability) that even advanced IT departments could not have reasonably planned for

2 An exploit that encrypts files when enabled or executed, and will not give the files back unless a ransom is paid

3 A public relations nightmare trying to explain to third parties, regulators (and in the case of WannaCry, hospital patients) why service levels dropped (i.e. evaporated) due to lack of properly segmented back-up recovery media and/or less than rigorous implementation of standard patches for older operating systems

WannaCry had all these factors, and more. First, even though WannaCry was thought to be a zero-day exploit, it was not truly unknown. It had been disclosed in March 2017 as part of a broader announcement of related exploits allegedly stolen from a US government agency. At that time, the software company involved (Microsoft) announced an emergency or ‘critical’ patch designed to fix the vulnerability that was ultimately exploited by WannaCry. A fix had been available for many systems in March 2017. Were all affected systems patched on time? Were all affected systems patched at all? We do not know for sure. The effectiveness of the WannaCry attack, however, gives a strong indication as to the answer.

Secondly, and much worse for the companies and hospitals involved, this was not the first ransomware attack of 2017 (or 2016) or cyberattack on hospitals. A Michigan State University report examined US Department of Health and Human Services data and noted that almost 1,800 cyberattacks occurred in hospitals across the US over a seven-year period. Ransomware, in fact, has established itself as the bane of corporations. According to the FBI, ransomware is reported to have caused losses in 2016 of close to $1billion. This plague has only increased and has prompted much research and writing on cybersecurity best practices (including by us) settling on, at the very least, one or more best practices designed to lessen (if not entirely mitigate) the effects of ransomware. No prudent, risk management-conscious executive or director could have been surprised by these broadly recommended best practices, nor by the more specific need for companies to have properly segmented back-up tapes, media or hard drives.

Despite this, WannaCry surprised people across a myriad of roles and responsibilities. People were surprised that a simple patch existed that would have enabled companies to avoid the whole issue. Unfortunately, many were caught without back-up media. Serving on the front lines of the cybersecurity battlefield, we were not surprised, but were in fact saddened that WannaCry was so effective, unnecessarily. WannaCry could have been much, much worse.

How to tackle cyber threats

The purpose of this article is not to shame or call out any one particular company or hospital that was affected by WannaCry. The organisations that are bravely dealing with the aftermath of WannaCry have enough on their plates already.

Rather, we write from a different point of view, i.e. that of a board of directors or board of managers of a company that is charged generally with a fiduciary duty of overseeing the cybersecurity posture of a company or organisation. This duty is part and parcel of their duty to oversee the entire enterprise risk management as a whole. As board members, the duty of the directors is not to ‘plug into the computer network’ but to:

■ Ask questions designed to bring out potential improvements

■ Engage directly with cybersecurity resources inside the company

■ Continuously review and improve cybersecurity policies and procedures within the company

This article provides ‘the questions’ that boards should ask regarding the prevention and mitigation of ransomware, and offers our suggested ‘right’ answers to those questions. We will leave it to the board members to exercise their fiduciary duty accordingly.

Rather than having a ‘direct’ role in the information technology affairs of a company, a board has an ‘oversight’ duty. That means directors have a duty to (1) become reasonably informed about the company’s cybersecurity posture, policies and procedures implemented by the company’s senior executives, (2) ask questions of relevant personnel in the company (IT and executives) concerning the cybersecurity posture to see if those policies and procedures are being properly and effectively implemented, and (3) make suggestions or pose thoughts and ideas about how to improve this posture and the cyber risk culture of the company.

In a speech at the New York Stock Exchange on 10 June 2014, former Securities and Exchange Commissioner Luis Aguilar stated: “Clearly, boards must take seriously their responsibility to ensure that management has implemented effective risk management protocols. Boards of directors are already responsible for overseeing the management of all types of risk, including credit risk, liquidity risk, and operational risk and there can be little doubt that cyber risk also must be considered as part of boards’ overall risk oversight. The recent announcement that a prominent proxy advisory firm is urging the ouster of most of the Target Corporation directors because of the perceived ‘failure…to ensure appropriate management of [the] risks’ as to Target’s December 2013 cyberattack is another driver that should put directors on notice to proactively address the risks associated with cyberattacks.”

WHO ARE THE #CYBERAVENGERS?

The #CyberAvengers are a group of salty and experienced professionals who have decided to work together to help our countries by defeating cybercrime and slowing down nefarious actors operating in cyberspace seeking to exploit whatever their tapping fingers can get a hold of. How? We do this by raising our collective voices on issues of critical importance so that we can keep America in the lead – both economically and technologically – and to keep it safe and secure. All the issues are intertwined and more complex than ever, which is why we have differing backgrounds, but have common cause. We complement each other, we challenge each other, and we educate each other. What do we get out of writing articles like this? Nada. Goose egg. We are friends. We are patriots. And we are not satisfied to sit around and do nothing. We want to keep our nations and their data safe and secure.

Cyber risk must now be viewed as an integral part of the overall enterprise risk management (ERM) framework for a board of directors and must be evaluated, documented and addressed/mitigated, according to the risk profile and economic realities of the company. Each company will have different economic constraints and a unique risk appetite. The exercise of evaluating the risk for the entity and coming to a decision about mitigation within an ERM framework is an essential part of the board’s fiduciary duty.

This fiduciary duty is extremely important (in the age of WannaCry and others). Cyberattacks not only cause costs and business disruptions, but also can cause negative publicity, reputational harm, litigation and regulatory proceedings, each of which negatively impacts the company or organisation involved. Examples of such high-profile cases in the United States are Target Corp, The Home Depot, and Wyndham Hotels. Though there is little case law in the area, courts in the US generally note the duty of a board member is ‘reasonable’ oversight. Not perfect oversight. Not flawless oversight. Just reasonable oversight.

The risk of cyber vulnerability

So, what is reasonable oversight? What questions should be asked to get the board there, especially in cybersecurity, where there is often no right answer (just multiple ‘less wrong’ answers)? The courts will ultimately decide what constitutes reasonable oversight. But in our view, here is how an effective board director might be able to get to the right place and demonstrate his or her oversight was reasonable:

1 Get the cybersecurity policies and procedures of your company. All of them. Including training manuals. Read them thoroughly and become acquainted with them. Remember, if something goes wrong and your company gets hacked, some third party might say those policies were ill-advised, not enough, or just plain wrong.

2 Understand how your company or organisation is regulated and by which regulatory body. No two regulators are alike. There are material differences, especially between US and UK and EU regulators. Remember, regulators generally get involved when something bad happens and then look at things through a 20/20 hindsight view (which might not show a pretty picture). It is best to be proactive when it comes to cybersecurity.

3 Does your company perform employee training on a semi-regular basis (at least twice a year or more)? Does this training address email policies and social media sites that employees might visit? If your company does not, or performs training only when it is convenient, this area alone could be a ‘red flag’ to regulators.

4 Does your company have in place some sort of email ‘filtering’ system in order to reject any emails that might appear normal, but are actually sent from a spoofed or copycat address? In general, a company email address should be the only address used by company employees (and board members). Filters catch things which change the .com email address of a company in subtle ways to make it appear to be a legitimate email, when it is in fact very illegitimate.

5 When are critical patches and updates made to the network? Once a week, once a month? How quickly are critical or emergency patches made? 48 hours, 72 hours, two weeks, or longer? In general, critical patches should be made in 72 hours or less (e.g. WannaCry patch). Waiting too many days to make a patch effective could be your worst nightmare. Waiting months to make a critical patch effective might spell doomsday to your company.

6 Does your company have enough IT staff to handle not just security alerts that need to be investigated, but also handle patching, applications, the Cloud, and a host of other daily jobs that need to be performed? The lack of skilled cybersecurity workers in the US and UK is critical at this moment, and many companies are simply unable to hire as many people as they need, or as many skilled IT executives as they need at a reasonable price. Now is not the time to have an understaffed IT department and there is nothing worse than having an understaffed IT department in a company that gets hacked. There are solutions for this, like managed service providers, and machine-learning driven cybersecurity orchestration and automation solutions. But you need to find the staffing answer first. Then, seek out the help of professionals if necessary.

7 What is your company’s password policy? Is it complex enough, with both letters and numbers and symbols, or can a password, such as ‘password’ or ‘0123456’ be held as sufficient? The answer to this question will be self-explanatory. Complex is good. 0123456 is bad. And ‘P@$$w0rd2017’ is almost as bad as ‘0123456’ as it will be one of the top 100 passwords tested by attackers.

8 Finally, what is your company’s back-up procedure and what back-up media are used by your IT department? This is a more complex question, but the general rule is ‘back it up’ daily in at least three places: on site, off-site, and in the Cloud. Back-up solutions (which are relatively inexpensive and plentiful for both networks and desktops) should be enacted on a segmented basis, meaning that following the back-up they should be taken off-line and disconnected from the network so an encryption exploit cannot get to them. Remember, this is not like the old days where back-ups were few and difficult to employ. Major companies, such as Amazon (for the Cloud) and Carbonite (for smaller organisations) exist and can train your IT employees to become not only proficient, but fanatical about your company’s back-up policies and procedures.
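Question 4 asks for a filter that rejects mail from copycat addresses that alter the company’s domain “in subtle ways”. The following is an added example of how such a check works, written for this page rather than taken from the article or its authors: it folds common digit-for-letter and ‘rn’-for-‘m’ substitutions, strips non-ASCII look-alike characters, and then compares the result with the company’s own domain by exact match, embedding, shared name under a different top-level domain and small edit distance. The company domain, the substitution table and every sample address are constructed placeholders.

```python
"""Classify inbound sender domains as internal, look-alike or external.

Added example of the spoofed / copycat-address filter described in
question 4. The company domain, the substitution table and the sample
addresses are constructed for illustration.
"""
import unicodedata

COMPANY_DOMAIN = "example-corp.com"  # constructed placeholder for the real company domain

# Substitutions commonly used to make one domain resemble another
# (digit-for-letter swaps, 'rn' for 'm', 'vv' for 'w'). Constructed, not exhaustive.
SUBSTITUTIONS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def normalise(domain):
    """Fold a domain into a canonical ASCII form so that look-alikes collide.

    Non-ASCII letters (e.g. a Cyrillic 'a' swapped for the Latin one) are
    dropped, leaving a one-character gap that the edit-distance check catches.
    """
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = folded.encode("ascii", "ignore").decode("ascii")
    for fake, real in SUBSTITUTIONS.items():
        folded = folded.replace(fake, real)
    return folded


def levenshtein(a, b):
    """Edit distance between two strings (insert / delete / substitute)."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # delete
                               current[j - 1] + 1,              # insert
                               previous[j - 1] + (ca != cb)))   # substitute
        previous = current
    return previous[-1]


def classify_sender(address, company_domain=COMPANY_DOMAIN, max_distance=2):
    """Return 'internal', 'lookalike' or 'external' for one e-mail address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    company_domain = company_domain.lower()

    # The exact domain or a genuine subdomain (mail.example-corp.com) is internal.
    if domain == company_domain or domain.endswith("." + company_domain):
        return "internal"

    norm, company = normalise(domain), normalise(company_domain)
    # Same name once substitutions are undone: examp1e-corp.com, exarnple-corp.com
    if norm == company:
        return "lookalike"
    # Company domain embedded in a longer attacker-controlled name: example-corp.com.evil.net
    if company in norm:
        return "lookalike"
    # Same name under a different top-level domain: example-corp.net
    if norm.rsplit(".", 1)[0] == company.rsplit(".", 1)[0]:
        return "lookalike"
    # Small typo-squats: examplecorp.com, example-corp.co, or a dropped non-ASCII letter
    if levenshtein(norm, company) <= max_distance:
        return "lookalike"
    return "external"


def triage(addresses):
    """Map each address to its verdict; the 'lookalike' entries are what the filter rejects."""
    return {address: classify_sender(address) for address in addresses}


if __name__ == "__main__":
    sample = [  # constructed inbound senders
        "alice@example-corp.com",
        "bob@mail.example-corp.com",
        "ceo@examp1e-corp.com",
        "ceo@exarnple-corp.com",
        "finance@example-corp.net",
        "it-support@example-corp.com.evil.net",
        "ceo@ex\u0430mple-corp.com",  # Cyrillic 'а' in place of Latin 'a'
        "vendor@gmail.com",
    ]
    for address, verdict in triage(sample).items():
        print(f"{verdict:9s} {address}")
```

The edit-distance threshold of 2 suits a domain of this length; for very short company domains it should be lowered, otherwise unrelated domains one or two characters apart will be rejected. A check like this complements, rather than replaces, the sender-authentication checks (SPF, DKIM, DMARC) a mail gateway already performs, and the verdict should feed a quarantine rather than a silent drop so that false positives can be reviewed.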

Everyone is a target

Several factors existed in WannaCry that made us sad, and all of them relate to the questions above that we are asking you to consider: (1) improper or insufficient patching, (2) aging network architecture which was susceptible to ‘not’ being patched or not having patches readily available, and (3) insufficient back-ups. Unfortunately, each of these factors was and is, for the most part, entirely preventable or fixable at a reasonable cost. Yet they were not.
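Factor (1) here and question 5 above both come down to the same measurable thing: how long a critical patch sits unapplied after the vendor releases it. As an added example, not from the article or its authors, the Python below scores a list of patch records against the 72-hour window the article gives for critical patches and reports the hosts still exposed past their deadline, which is the figure a board would ask for. The hostnames, patch identifiers, dates and the windows for non-critical severities are all constructed placeholders.

```python
"""Measure patch timeliness against a per-severity deadline.

Added example: the 72-hour window for critical patches comes from question 5
above; the other windows, the hostnames, patch identifiers and dates are
constructed placeholders.
"""
from collections import Counter
from datetime import date, timedelta

# Maximum time from vendor release to deployment. 72 hours for critical patches
# (the article's figure); the other two windows are assumed values for illustration.
SLA = {
    "critical": timedelta(days=3),    # 72 hours
    "important": timedelta(days=14),
    "moderate": timedelta(days=30),
}

# Constructed patch records; applied=None means the patch is still outstanding.
PATCH_RECORDS = [
    {"host": "fs01",    "patch": "PATCH-A", "severity": "critical",  "released": "2017-03-14", "applied": "2017-03-16"},
    {"host": "web02",   "patch": "PATCH-A", "severity": "critical",  "released": "2017-03-14", "applied": "2017-05-10"},
    {"host": "lab-pc7", "patch": "PATCH-A", "severity": "critical",  "released": "2017-03-14", "applied": None},
    {"host": "db01",    "patch": "PATCH-B", "severity": "important", "released": "2017-05-01", "applied": "2017-05-09"},
    {"host": "hr-pc3",  "patch": "PATCH-C", "severity": "moderate",  "released": "2017-05-05", "applied": None},
]


def evaluate(record, as_of):
    """Return (status, days_late) for one record, judged on the ISO date `as_of`.

    status is 'met' (applied within the window), 'breached' (applied after the
    deadline), 'overdue' (not applied and past the deadline) or 'pending'
    (not applied but still inside the window).
    """
    deadline = date.fromisoformat(record["released"]) + SLA[record["severity"]]
    if record["applied"] is not None:
        late = (date.fromisoformat(record["applied"]) - deadline).days
        return ("met", 0) if late <= 0 else ("breached", late)
    late = (date.fromisoformat(as_of) - deadline).days
    return ("overdue", late) if late > 0 else ("pending", 0)


def patch_report(records, as_of):
    """Evaluate every record; return (per-record results, counts per status)."""
    results = []
    for record in records:
        status, days_late = evaluate(record, as_of)
        results.append({**record, "status": status, "days_late": days_late})
    return results, dict(Counter(r["status"] for r in results))


def critical_exposure(results):
    """Hosts still missing a critical patch past its deadline: the board-level number."""
    return sorted(r["host"] for r in results
                  if r["severity"] == "critical" and r["status"] == "overdue")


if __name__ == "__main__":
    results, summary = patch_report(PATCH_RECORDS, as_of="2017-05-12")
    for r in results:
        print(f'{r["host"]:8s} {r["severity"]:9s} {r["status"]:8s} {r["days_late"]:3d} days late')
    print("summary:", summary)
    print("critical overdue:", critical_exposure(results))
```

Feeding this from the patch-management system’s export, rather than from a hand-kept list, is what makes the answer to question 5 verifiable: a record with no applied date is exposure, not an unknown, and the days-late figure distinguishes a two-day slip from the months-long gap the article describes.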

Why? We don’t know. Is cybersecurity ‘an enigma shrouded in mystery’? Is cybersecurity too hard to understand by most people? Are companies not investing enough in cybersecurity? Do companies think they are simply too small and thus ‘not a target’? We don’t know, but each of these questions begs the following answer: if your company has data that is valuable or computer hardware that is critical to running its business, it is a target. And, even if your company simply sends a lot of email and has employees, it is still a target. Simply put, everyone and every company is a target.

[Image caption] SECURING ALL YOUR SYSTEMS: Ensure policies and procedures are firmly in place
