CISOs, CIOs, and other security professionals are taking on huge roles of some of the largest organizations in the world to provide details on better data protection and security. They win business, which translates into profitability for the firm. In fact, security professionals who report to the board are becoming competitive differentiators.
This is a radical departure from the way these roles has been viewed in the past. Previously, information security officers were considered back-office IT. Compensation for CISOs was much lower, and they were rarely (if ever) asked to report on metrics to the board of directors.
So why the change? Simply put, boards are becoming more savvy about cybersecurity risks and want to do everything they can to get ahead of potential issues. As a result, CISOs and other security professionals are getting a more important seat at the executive table.
In this article, we’ll explain three cybersecurity policies your security team should ensure are in place and examine two of 2016’s largest cybersecurity threats: ransomware and targeted spear-phishing attacks.
First, you’ll want to keep these two simple-but-critical tips in mind when reporting on cybersecurity in the boardroom.
Tip #1: Speak a language the board can understand.
Today’s CISO has to be able to monitor the metrics and communicate the results to board members so they can understand the risk management trade-offs. Some CISOs find themselves too far into the weeds, managing too much detail and not being able to narrow it down so the board can digest it properly. It’s important not to speak in absolutes, and also make sure you talk to the board in their language. It may be helpful to cut out the cybersecurity jargon and talk in terms of risk management, stock price, and bottom line—all things executives understand clearly.
Board members need to be able to see beyond the boardroom and fully understand risks from a business continuity standpoint, a business concentration standpoint, and a cybersecurity standpoint. When they’re armed with this information in a quantitative way—with the right level of abstraction—they can focus on getting behind a solution, changing a process, or adding additional resources.
We highly recommend using board-ready cybersecurity metrics, like peer performance comparisons and incident response rates. You can gather these internally or use an external business solution like BitSight Security Ratings. If you can leverage these simple metrics, you can make your presentation easy to understand and data-driven.
Tip #2: Focus on detection and recovery.
Traditionally, CISOs focus more of their budget on protective and defensive investments—but smart CISOs today are looking to refocus some of that budget to detection and recovery.
Why? Because there will always be some gap in your protection program. CISOs and boards that recognize this gap are able to move around their budget, get the right programs in place, and focus on resiliency and rapid recovery. For instance, one metric BitSight tracks is how quickly companies patch vulnerabilities on their network. The organizations doing very well with their cybersecurity practices are excellent at detecting security incidents and recovering rapidly.
Remember, cybersecurity hasn’t been in the C-suite-level spotlight for long—but today, it’s considered a critical aspect of company operations.
The modern CISO needs to be able to make a case to the board about how cybersecurity practices will impact them and the business directly. This includes expressing why—and how—company-wide cybersecurity policies should be put in place.
There are many reasons why it’s critical for you, the security professional, to be involved in cybersecurity policy. For one, it’s important for employees to know how cybersecurity is viewed in the organization. If the cybersecurity and executive teams are wholly involved with reviewing policies and setting them in motion, employees will not question whether or not cybersecurity is being taken seriously. Some organizations consider employees’ adherence to cybersecurity policies as part of their performance reviews, adding another layer of importance.
Below, we’ve detailed three cybersecurity policies your organization needs to be addressing. This list, of course, is not exhaustive or even comprehensive. But if you aren’t enacting these three policies, you’ll very likely regret it in the future.
3 Cybersecurity Policies To Put Into Place Today
1. Acceptable Use Cybersecurity Policy
An acceptable use cybersecurity policy spells out what employees may and may not do with the work-related devices they use. It should, among other things, detail:
- Online browsing
- Music and movie downloads
- Other web-based downloads
- Email attachment downloads
- Acceptable software usage
These corporate restrictions are critical for several reasons. First of all, if there’s something employees should be aware of, it should be clearly stated to them so they can avoid taking certain actions themselves and help police this internally. If there isn’t a specific written policy in place, employees can’t be held accountable as easily for any downloads they may have initiated that introduced malware into your corporate network.
2. Remote Work & Travel Policy
This policy (which may be divided into many separate policies depending on your organization) should detail where and how employees should (or should not!) access their work-related electronic devices. For example, an employee needs to know the answers to these hypothetical scenarios:
- “Can I work at a coffee shop and use their Wi-Fi?”
- “Do I need to use a personal Wi-Fi device or VPN if I work outside the office?”
- “Can my work laptop leave the office?”
- “I have a meeting in China—should I bring my laptop? What precautions should I use?”
Regardless of the types of scenarios you cover, the point should be to help employees avoid potentially risky behavior that they may not be aware of—and keep all employees in line with the organization’s cybersecurity strategy.
3. Employee Training Policy
It is just as critical—if not more so—to ensure your employees know how to enact your policies as it is to put them into place. Therefore, it’s important to train employees on proper “cyber hygiene” regularly. They should, among other things, be aware of:
- How to use (and not use) company equipment
- Which email attachments they should and should not click on
- How they will be held accountable if they do something that results in a bad action
This should all be spelled out both verbally and physically (in a cybersecurity policy document) so every employee understands the expectations.
Keep in mind, there are hundreds—if not thousands—of policies an organization may put into place with regard to cybersecurity.
Some fall into “internal organization and engagement” while others specifically target “third-party engagement.” They may include:
- Escalating an IT security incident
- Notifying senior executives and board members
- Engaging with third parties about cybersecurity
- Dealing with cybersecurity in the supply chain
- Managing information sharing in an organization
- Handling highly sensitive data and information
Having a formal set of cybersecurity policies is the best way to create a complete cybersecurity program—so if you’re implementing these steps, you’re headed in the right direction.
These policies are in place to help prevent some of the top threats in cybersecurity.
Two of the largest threats in 2016 were ransomware and targeted spear-phishing attacks. Below, we’ll take a deeper dive into these threats and examine several countermeasures that should be taken to help avoid them.
The Top Cybersecurity Threats Of 2016: An Overview For Board Meetings
Below, we’ve detailed two of 2016’s biggest threats—ransomware and targeted spear phishing attacks—with details your board will be interested in hearing.
In early 2015, the FBI issued a guidance post and a podcast on this threat. The bureau noted that there has been a recent increase in reported instances of ransomware and warned against paying ransoms. Lately, we’ve seen several reports of hospitals being targeted by ransomware. Take these two cases, for example:
1. Hollywood Presbyterian Medical Center
On February 5, 2016, a hacker used CryptoLocker software to hijack the hospital’s network and demanded a ransom of 40 bitcoin in exchange for access to their files. At the time, this was equivalent to about $17,000. The hospital purportedly paid the ransom before reaching out to law enforcement, which is contrary to FBI advice.
2. Lansing, Michigan, Board Of Water & Light (BWL)
In April 2016, the Lansing BWL was the victim of a ransomware breach. An employee opened a malicious email attachment, which then encrypted files on BWL’s file servers. It is unclear whether a ransom was demanded, but it has all the other indications of a ransomware breach.
What should boards keep in mind about ransomware?
Often the dollar amount demanded by the attackers is relatively small, especially if you’re a large organization. What seems to be more difficult to deal with is the loss of productivity. In the case of a hospital, the loss of time when you’re forced to send people back to paper and pencil to document and process health records is a problem.
There are a few pieces of advice that are important to keep in mind when it comes to ransomware:
- Back up files regularly. Not only should your files be regularly backed up, but they should also be stored somewhere that isn’t directly accessible from your desktop system. If you are hit by a ransomware attack, you’ll have a backup of files and likely will not have to pay the ransom if they’re updated.
- Stay up to date on patching. Hackers will try to exploit some kind of vulnerability—or even multiple vulnerabilities—which makes your patching cadence important.
- Make sure your company network is segmented. If you are hit with a ransomware attack and it starts to infect the network, it’s best if the attack is only able to hit a segment of the network and not the entire infrastructure.
Targeted Spear-Phishing Attacks
Ransomware is definitely hot in security news right now, but another thing we’re seeing pop up quite a bit are targeted, sophisticated spear-phishing attacks.
Phishing attacks have changed substantially over the years and are far more targeted than they once were. Hackers today will often use names of administrators or C-level executives to give their emails the gravitas they need. These spoofed emails are then used to request, say, W-2 information or a bank transfer.
Several schools fell victim to spear-phishing attacks in 2016:
- Kentucky State University — KSU experienced a phishing attack in late March 2016, when an attacker spoofed the email address of a senior administrator and was able to obtain “KSU W-2s for 2015 and University identification information.”
- Tidewater Community College — Also in March 2016, an employee of Tidewater Community College in Norfolk, Virginia, was sent a request for information from a spoofed employee email address, which resulted in the compromise of tax information of 3,000 school employees. The information compromised included “names, Social Security numbers, 2015 earnings, withholding and deduction information.”
What should boards keep in mind about spear-phishing attacks?
1. Train employees to be skeptical. User awareness training should be mandatory so employees are skeptical of what they’re sent and diligent about following up on potential threats through the proper channels.
This training can cover myriad topics, but should certainly cover the following:
- Employees should not ever rely on a single email to take some kind of action or give up information.
- Attachments in suspicious emails should not be opened.
- Links in suspicious emails should never be opened. Even emails to view bank or credit card statements can be altered to the hackers advantage, so it’s best to log in to see information through the typical portals.
2. Consider employing email authentication technologies. There are some technologies, like Open SPF, DKIM, and DNSSec, that any organization with a website should consider using to limit the possibility of their domain being used for a phishing scam. This solution isn't a panacea against spear phishing, but it can reduce an organization's likelihood of exploitation. That won’t stop you from being the target of a spear-phishing attack, but it will reduce the likelihood of your domain being used in one.
The commonality between ransomware and targeted spear-phishing attacks is the end user. Both threats are typically the result of some kind of user action. So while it may seem (particularly from the examples above) that users are a weak point, they’re also an important point of strength. If your employees—your last line of defense against these types of cybersecurity threats—are well-trained on detection, you will have a strong cybersecurity system.
Cybersecurity briefings were once considered a check-off-the-box conversation at the board level—but today, executives understand the regulatory, fiduciary, organizational, and personal liability that could come from a data breach. Furthermore, the importance of proper vendor risk management is well-known in executive circles. Boards realize that they need to focus on identifying whether there’s an issue with a vendor, communicating regularly about security issues, and managing vendors at scale. As a security professional, this increased awareness plays in your favor!
To further prepare for presenting security information to the executive team, download this free guide. It will walk you through how to nail down your presentation goals and style, how to select the most compelling metrics for your board, and a number of critical things to keep in mind before and after a board presentation.