SPECIAL REPORT
Managing Cybersecurity Governance
Why Companies Need to Change Course on Cyber Governance
Coping with GDPR: The Need for Better Data Management
Good Governance: What Companies Must Do to Improve Cyber Security Governance
Cybersecurity Governance and the Future
Published by Global Business Media
Reimagine governance for boards, committees, and leadership. Reimagine how your organization manages corporate governance practices for your board, committees and leadership groups, and achieve an entirely new level of effectiveness. As the leading platform for managing board operations, Nasdaq Boardvantage provides governance and collaboration solutions for boards and senior executives, powered by Nasdaq technology and security oversight. Streamline meeting processes, accelerate decision-making and strengthen governance within your enterprise with Nasdaq Boardvantage, purpose-built to meet the critical needs of today’s leaders – functionality, powerful security features, ease-of-use and mobility. Trusted by 4,000 public, private and non-profit organizations worldwide, including over half of the Fortune 500. Visit business.nasdaq.com/boardvantage to Request a Demo.
To learn more, visit business.nasdaq.com/Intel/board-leadership-solutions or contact us at: corporatesolutions@nasdaq.com @MyCorpSolutions
Nasdaq Corporate Solutions
©2018. Nasdaq, Inc. 1139-Q18
SPECIAL REPORT: MANAGING CYBERSECURITY GOVERNANCE

Contents

Foreword 2
Tom Cropper, Editor

Managing Cybersecurity Governance 3
Nasdaq Global Corporate Solutions
Trends in Cyber Threats
Trends in Mitigating Critical Vulnerabilities, Phishing and Insider Threats
Managing Cybersecurity Governance
Addressing the Organization’s Risk Appetite
Future Threats

Why Companies Need to Change Course on Cyber Governance 6
Tom Cropper, Editor
The Coming Storm
Cybercrime – the Next Generation
Poor Governance
Developing a Strategy

Coping with GDPR: The Need for Better Data Management 8
James Butler, Staff Writer
The GDPR Revolution
A Lack of Infrastructure
The Risks of Technology

Good Governance: What Companies Must Do to Improve Cyber Security Governance 10
James Butler, Staff Writer
It Can Happen to Us
Taking Control
The Weakest Link
People Count

Cybersecurity Governance and the Future 12
Tom Cropper, Editor
Big Data
Data Management for the Future
Testing Defenses

References 14

Published by Global Business Media
Global Business Media Limited, 62 The Street, Ashtead, Surrey KT21 1AT, United Kingdom
Switchboard: +44 (0)1737 850 939
Fax: +44 (0)1737 851 952
Email: info@globalbusinessmedia.org
Website: www.globalbusinessmedia.org

Publisher: Kevin Bell
Editor: Tom Cropper
Business Development Director: Marie-Anne Brooks
Senior Project Manager: Steve Banks
Advertising Executives: Michael McCarthy, Abigail Coombes
Production Manager: Paul Davies

For further information visit: www.globalbusinessmedia.org

The opinions and views expressed in the editorial content in this publication are those of the authors alone and do not necessarily represent the views of any organisation with which they may be associated.

Material in advertisements and promotional features may be considered to represent the views of the advertisers and promoters. The views and opinions expressed in this publication do not necessarily express the views of the Publishers or the Editor. While every care has been taken in the preparation of this publication, neither the Publishers nor the Editor are responsible for such opinions and views or for any inaccuracies in the articles.

© 2018. The entire contents of this publication are protected by copyright. Full details are available from the Publishers. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical photocopying, recording or otherwise, without the prior permission of the copyright owner.

WWW.CEOREPORTS.COM | 1
Foreword

Cybercrime seems to be everywhere these days. Indeed, as I write this, Ticketmaster is announcing customer details have been hacked, and I’ve just had a Facebook message, apparently from an old friend, claiming to know how I can get a massive rebate on my council tax. Businesses and individuals are under attack constantly.

Unsurprisingly, perhaps, companies are beginning to give cybersecurity governance much more attention. However, doing so can be quite an undertaking and one of the first things companies will need to do is update their IT infrastructure.

Our opening article comes from Nasdaq Global Corporate Solutions whose Boardvantage portal has set the standard for security in an increasingly complex world. We’ll explore the Boardvantage portal and other advanced solutions later in the Report as we look at what the future could bring both in terms of the type of threat firms will be facing and the measures they take to address them.

In between, we’ll focus on how the cybercrime threat has exploded over the last few years. Many of the same technologies that companies rely on to protect themselves are also being used by cyber criminals to power a new generation of threats. Keeping abreast of the evolving nature of the threat will, in itself, be a challenge for those charged with safeguarding the company’s data.

As well as a more sophisticated opponent, data managers also face greater regulatory scrutiny in the form of GDPR. This not only boosts the requirements for data managers, but it may also increase the penalties for getting things wrong. James Butler takes a specific look at the requirements of GDPR and how firms are struggling to comply.

It’s a difficult tightrope to walk. On the one hand keeping data safe is harder and on the other penalties are more severe. Even so, data is crucial to the future of business. The answer, as Jo Roth discovers, is a new approach to corporate cybersecurity. He says that it’s time for board managers to take real ownership in implementing a company-wide cybersecurity strategy.

Few topics are as important as cybersecurity governance. It’s not exciting and it can be intimidating to some business leaders, but this could be a crucial line of defense in the digital age.

Tom Cropper, Editor

Tom Cropper has produced articles and reports on various aspects of global business over the past 15 years. He has also worked as a copywriter for some of the largest corporations in the world, including ING, KPMG, and Zurich Insurance.
Managing Cybersecurity Governance
Nasdaq Global Corporate Solutions

Trends in Cyber Threats
Boards and audit committees have developed a heightened interest in cybersecurity governance over the last three years and even more so in the past year as high-profile cyber issues have dominated the news. “The number of questions we address here at Nasdaq, the interest level, and the number of presentations we share with the board have increased drastically,” says cybersecurity governance management advocate, Louis Modano, CISO, Nasdaq. Cybersecurity intelligence and reporting from the information security team are a high priority among the organization’s updates to the audit committee, says Modano. “I attend every audit committee meeting along with the CIO to report on information security within Nasdaq,” says Modano. Phishing – fraudulent emails that bait employees so that hackers can access the network – is a critical board-level cybersecurity concern. Organizations can also lose sensitive information when employees exhibit malicious insider activity by accessing and abusing data.

Trends in Mitigating Critical Vulnerabilities, Phishing and Insider Threats
“It’s imperative that organizations have patch management programs to address critical vulnerabilities in their environments,” says Modano. When you are running a large technology environment, there’s a level of hygiene that the board should expect, which includes ensuring that you update and patch your systems, according to Modano. Hackers can exploit a vulnerability that remains unpatched for an extended period, and that could severely impact an organization; that’s why the attention to vulnerabilities is so high at the board level, says Modano.

Organizations can curb phishing by using testing programs, which train their employees to identify real phishing attempts and reward them for improvement. Nasdaq deploys a related simulation as part of its governance program. “We test our employees to see whether they will click on the fraudulent links that tend to appear in these kinds of emails,” says Modano. “Our testing allows us to measure who is reporting what appears to be an illegitimate email,” Modano adds.

Information security teams can mitigate unauthorized access and insider threats by using the Nasdaq Boardvantage board portal software solution, which uses multifactor authentication and full-strength encryption. Nasdaq Boardvantage separates content into individual repositories and protects them with unique encryption keys. “A board portal like Nasdaq Boardvantage ensures fidelity of confidential documents, automates the dissemination of sensitive material, allows you to purge documents centrally, and enables users to exchange comments and messages securely,” says Modano. Nasdaq Boardvantage lives in a highly secure, hardened data center with no third-party access. Nasdaq Boardvantage meets SOC 2 certification requirements to ensure compliance with the highest security industry standards. “Not every board portal is created equal. There are multiple layers of security and mature security activities that must support it, too. You have to weigh that when looking at using board portals,” says Modano.
Managing Cybersecurity Governance
As a principal governance activity, Nasdaq has a formal program charter outlining information security team responsibilities. The charter covers the authority the team has in addressing cybersecurity matters that come up as the line function in the organization. The board ensures that the information security team performs those functions. In addition to the formal cybersecurity program and strategy document, the board supports line functions for information security team performance with the aid of the audit committee and with periodic updates and approvals by all parties. The security team initiates updated cyber reports to the chain of command. Cybersecurity updates to the audit committee carry equal weight with other business updates in today’s cyber threat environment.

The information security team tracks and reports security activities to the board via dashboards using metrics that show increases and decreases in vulnerabilities and threats, according to Modano. “The dashboard is a roll-up of metrics we follow monthly,” says Modano. “We use the dashboard to track all the activities we are involved in to mitigate threats. We align these activities with a formal standard known as the NIST 800-53 standard,” says Modano. This standard is a cybersecurity standard from the National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce. Nasdaq uses the dashboard to track whether it is investing more in security controls, as well. Tracking enables Nasdaq to warn employees who fall for phishing and then put them through formal training if it continues. “We actively report to the board on how well this is going,” says Modano. The dashboard visualizes trends in employee behavior such as insider activity, where someone is doing something they should not. Dashboards track the quality and effectiveness of security mitigations and controls including patches for current vulnerabilities. Dashboard metrics demonstrate the likelihood of occurrence of a security event and its impact as well as whether the organization is increasing its investment of time and resources to address those events.

Boards avail themselves of regular presentations about new vulnerabilities and threats that consider threat capabilities in the proper context. The CISO, CSO, or CIO, or whoever runs security risk should present vulnerabilities and threats in the appropriate context. “Context includes how often such a threat targets such an organization and transparency into the mitigations and controls in place at that institution and their effectiveness against such risks as well as the probability and cost of related security events,” says Modano. Context is important as people can otherwise become worried when they hear about some scary new cyber threat if they don’t understand that someone must have already compromised your systems for these attacks to cause any harm. The Meltdown and Spectre vulnerabilities, which are broad and impact nearly every computing device, are good examples.
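The phishing simulation and dashboard tracking described above, as an added Python example that is not part of the report or of Nasdaq’s program: it computes per-campaign click and report rates from constructed simulation results, applies an assumed warn-then-train escalation rule, and reports the trend a board dashboard would show. The campaign data, employee names and the two-failure training threshold are all assumptions.

```python
from collections import defaultdict

# Constructed simulation results (not Nasdaq's data): one row per employee per campaign.
# clicked  = followed the fraudulent link in the test email
# reported = flagged the email to the security team
SAMPLE_RESULTS = [
    # (campaign, employee, clicked, reported)
    ("2018-Q1", "alice", False, True),
    ("2018-Q1", "bob",   True,  False),
    ("2018-Q1", "carol", False, False),
    ("2018-Q1", "dave",  True,  False),
    ("2018-Q2", "alice", False, True),
    ("2018-Q2", "bob",   True,  False),
    ("2018-Q2", "carol", False, True),
    ("2018-Q2", "dave",  False, True),
    ("2018-Q3", "alice", False, True),
    ("2018-Q3", "bob",   True,  False),
    ("2018-Q3", "carol", False, True),
    ("2018-Q3", "dave",  False, False),
]


def campaign_metrics(results):
    """Click rate and report rate per campaign: the two numbers rolled up onto the dashboard."""
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for campaign, _employee, clicked, reported in results:
        row = totals[campaign]
        row["sent"] += 1
        row["clicked"] += int(clicked)
        row["reported"] += int(reported)
    return {
        campaign: {
            "click_rate": round(row["clicked"] / row["sent"], 3),
            "report_rate": round(row["reported"] / row["sent"], 3),
        }
        for campaign, row in sorted(totals.items())
    }


def escalation_actions(results, training_after=2):
    """Per-employee follow-up: a warning on the first click, formal training once clicks repeat.
    The threshold of two failures is an assumed policy, not one the report states."""
    failures = defaultdict(int)
    actions = {}
    for _campaign, employee, clicked, _reported in sorted(results):
        if clicked:
            failures[employee] += 1
            actions[employee] = ("formal_training" if failures[employee] >= training_after
                                 else "warning")
    return actions


def trend(metrics, key, lower_is_better):
    """Compare the first and latest campaign for one metric, as a trend arrow on a dashboard."""
    series = [m[key] for _campaign, m in sorted(metrics.items())]
    if len(series) < 2 or series[-1] == series[0]:
        return "flat"
    improved = series[-1] < series[0] if lower_is_better else series[-1] > series[0]
    return "improving" if improved else "worsening"


if __name__ == "__main__":
    metrics = campaign_metrics(SAMPLE_RESULTS)
    for campaign, m in metrics.items():
        print(f"{campaign}: clicked {m['click_rate']:.0%}, reported {m['report_rate']:.0%}")
    print("click trend:", trend(metrics, "click_rate", lower_is_better=True))
    print("report trend:", trend(metrics, "report_rate", lower_is_better=False))
    print("follow-up:", escalation_actions(SAMPLE_RESULTS))
```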
Addressing the Organization’s Risk Appetite
To determine what the information security team will support, the board must evaluate the company’s risk appetite, i.e., the risks the organization will mitigate, avoid, transfer, or accept. The CISO’s teams, the technical risk committee, the global risk committee, and the management teams conduct thorough reviews of key risks in the organization and prioritize them together with the likelihood/probability that they will occur, and the financial impact if they do happen. The organization baselines its environment as to the acceptable level of risk across all lines of business. The board reviews these risks annually with these teams. The audit committee tracks those risks to determine whether the organization has exceeded the threshold of the amounts and types of risk the business is willing to accept. When a risk surpasses a threshold, the audit committee and the business line involved communicate the cause and work with the board and the information security team to confirm how to address the risk more appropriately.
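The risk appetite review described above, as an added Python example that is not part of the report: a small risk register scored by likelihood and financial impact, each risk carrying one of the four treatments (mitigate, avoid, transfer or accept), checked against a per-line-of-business threshold of the kind the audit committee would track. All risk names, probabilities, impact figures, thresholds and residual-exposure factors are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Treatment(Enum):
    """The four options the board chooses between for each key risk."""
    MITIGATE = "mitigate"   # reduce with controls; residual_factor < 1 assumed
    AVOID = "avoid"         # stop the activity; residual exposure is zero
    TRANSFER = "transfer"   # e.g. insurance; part of the financial impact moves elsewhere
    ACCEPT = "accept"       # consciously carried in full


@dataclass(frozen=True)
class Risk:
    name: str
    line_of_business: str
    probability: float       # annual likelihood that the event occurs (0..1)
    impact: float            # financial impact in USD if it does occur
    treatment: Treatment
    residual_factor: float   # fraction of exposure left after treatment (assumed figure)

    @property
    def exposure(self) -> float:
        """Inherent expected annual loss: likelihood x impact."""
        return self.probability * self.impact

    @property
    def residual_exposure(self) -> float:
        """Expected loss after the chosen treatment is applied."""
        if self.treatment is Treatment.AVOID:
            return 0.0
        return self.exposure * self.residual_factor


# Constructed sample register (not Nasdaq's); all figures are illustrative only.
REGISTER = [
    Risk("Unpatched internet-facing server", "trading", 0.30, 5_000_000, Treatment.MITIGATE, 0.2),
    Risk("Ransomware via phishing", "corporate", 0.25, 2_000_000, Treatment.MITIGATE, 0.5),
    Risk("Cloud provider breach", "corporate", 0.10, 4_000_000, Treatment.TRANSFER, 0.4),
    Risk("Insider data abuse", "corporate", 0.20, 1_000_000, Treatment.ACCEPT, 1.0),
    Risk("Legacy trading platform", "trading", 0.05, 10_000_000, Treatment.AVOID, 1.0),
]

# Assumed appetite baseline: maximum residual expected annual loss per line of business (USD).
APPETITE = {"trading": 2_000_000, "corporate": 500_000}


def prioritize(risks):
    """Rank risks by inherent exposure, highest first (name breaks ties)."""
    return [r.name for r in sorted(risks, key=lambda r: (-r.exposure, r.name))]


def appetite_review(risks, appetite):
    """Per line of business: residual exposure against its threshold, and which risks drive it."""
    report = {}
    for lob, threshold in appetite.items():
        in_scope = [r for r in risks if r.line_of_business == lob]
        residual = round(sum(r.residual_exposure for r in in_scope), 2)
        drivers = sorted(in_scope, key=lambda r: (-r.residual_exposure, r.name))
        report[lob] = {
            "residual": residual,
            "threshold": threshold,
            "exceeded": residual > threshold,
            # the risks the audit committee and the business line would escalate
            "drivers": [r.name for r in drivers if r.residual_exposure > 0],
        }
    return report


if __name__ == "__main__":
    print("priority order:", prioritize(REGISTER))
    for lob, row in appetite_review(REGISTER, APPETITE).items():
        flag = "EXCEEDED" if row["exceeded"] else "within appetite"
        print(f"{lob}: residual ${row['residual']:,.0f} vs ${row['threshold']:,} ({flag})")
```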
Future Threats
The board must remain vigilant as new threats appear on the horizon. In 2018, expect to see increases in attacks intent on destroying infrastructure. Cryptojacking, using someone’s computer without their knowledge to mine cryptocurrency, will increase this year as well. The information security team can update its awareness of vulnerabilities and threats using advanced threat intelligence from multiple vendor sources. Cybersecurity governance can further address unforeseen vulnerabilities, threats, and attacks using third-party assessments of the maturity of the entire information security program. The third-party service looks at multiple information security domains and conducts interviews with stakeholders in search of evidence of the maturity of the program. “The third-party service looks at 13 to 20 different domains for evidence, based on interviews with stakeholders, as to the maturity of your security program,” says Modano. The third-party provider reports on their findings to the information security team, which shares it with the board. The results of the findings demonstrate how well the organization’s information security program addresses threats in comparison with the performance of its peers.
Why Companies Need to Change Course on Cyber Governance
Tom Cropper, Editor
Cybercrime is rising, and regulatory scrutiny is growing – if cybersecurity governance isn’t a top priority by now it should be.
It’s a crime fit for the 21st century. Criminals have moved into the digital realm taking advantage of an ever more connected business world to create a new and rapidly rising threat to business systems. The days when cybercriminals were small time and relatively disorganized are gone. Today it is a multi-billion-dollar industry and is growing faster than ever before. The threat is developing, both in volume and in sophistication, and that, coupled with the increasing regulatory oversight, is leading business owners to bring IT security from the peripheries to the center of their business strategies.
The Coming Storm
The modern business world creates an environment ripe for the cybercriminal. Companies are more connected than ever. They are sharing data across multiple platforms and in many different locations. Even relatively junior members of staff have access to quite sensitive areas of their internal systems. They are dependent on technology with much of their IT infrastructure migrating onto the cloud. Best of all, awareness of the level of threat is patchy and defenses vary in sophistication from company to company. Small wonder the criminals are on the march.

The last few years have seen cybercrime emerge from the side-lines to become a major business in its own right. According to the National Cyber Crime Security Centre, attacks against UK businesses increased in 2017 as hackers found new ways to attack businesses and citizens around the world[1]. Research from McAfee and the Centre for Strategic and International Studies calculated that the global cost of cybercrime has risen to $600bn, an increase of $150bn since 2014[2]. The threat comes from a growing range of sources including data loss, theft from cloud storage devices and ransomware, with the latter proving particularly popular. Ransomware and denial of access attacks have skyrocketed in recent years. Ransomware alone recently became a $2bn a year criminal industry according to figures from cybersecurity firm Bitdefender[3].
Cybercrime – the Next Generation
High-profile attacks such as the WannaCry virus, which wreaked havoc with organizations around the world in 2017, demonstrate the scale of the threat firms are facing. Criminals are targeting major organizations including government agencies, financial institutions and airports with great success. In May this year two of Canada’s largest banks, the Bank of Montreal and the Canadian Imperial Bank of Commerce’s Simplii Financial, were hacked with 90,000 customer details being stolen[4]. Social media also leaves people and organizations open to attack. Using the vast amount of personal information available online, criminals can impersonate people and organizations that targets may work with. They can see if they are working on a project or using a service and send convincing emails which look and feel as if they have come from a genuine source. The waters are further muddied by the under-reporting of breaches. This not only makes it difficult to assess the overall scale of the problem, but it also hinders attempts to identify trends and learn from attacks.
Poor Governance
One thing is clear: many companies have a lot of work to do if they are to get their defenses up to scratch. A lack of expertise within the company, poor execution and insufficient oversight of cybersecurity practices mean many companies are far more vulnerable than they realize. A report in 2017 found that the majority of UK firms are not prepared for cyberattacks. The annual Cyber Governance Health Check found that 68% of boards had received no training about what to do in the event of a cyberattack despite more than half identifying it as a major threat to their company[5]. There is, then, a considerable difference between understanding the nature of the threat and getting prepared.

However, it’s not just the criminals that should be pushing companies into action, it’s the regulators. In May 2018 Europe’s General Data Protection Regulation (GDPR) came into force. This new regulation represents one of the most significant changes to data security law ever and, although emanating from the European Union, it will have implications for firms around the world. If a company is doing business with or managing the data of someone within the EU, it will have to comply with GDPR. Walmart, for example, which has subsidiaries in Europe including Asda in the UK, could be liable to a sizeable fine for a data breach which hits its UK arm. Other regulators around the world are also updating their own guidelines to bring themselves up to speed with Europe’s regulators. The rules impose stricter requirements on data use for all companies, including giving customers greater ownership of their own data, achieving more informed and active consent and taking measures to ensure that the regulators are notified of a breach in a timely fashion. All these will have major implications for any company which is using data.
Developing a Strategy
If companies are falling behind with cybersecurity governance, they need to address matters immediately. Not only are the cyber criminals waiting, but so are the regulators. The impact on finances and brand reputation could be profound, which is why more and more companies are placing cybersecurity governance at the heart of their business strategies. This means firstly creating and implementing an effective cybersecurity governance strategy which stretches across every part of the organization – from the most senior executives to the most junior office staff. It must include third parties and any freelance staff the company works with, as these can also create a vulnerability for which the company will be held accountable. Most of all, ownership should move from within the IT team to the very top of the company.

In the past many business leaders might have been reluctant to assume full control over technical details such as these. They see it as something beyond their area of expertise or something they are simply not comfortable with. Either way, although they should harness the knowledge of experts, it is they who will be accountable and they who must take overall control. It is a change in mindset, a change in culture and a change in approach. However, some may find their existing systems are unable to provide the oversight and effective data management strategies necessary, which is why one final change will perhaps be more important than anything else: technology. New IT solutions can enhance a firm’s capacity to use and control data, increase transparency, improve security and make it easier for them to satisfy the demands of regulators. New systems will involve an additional cost, but as we’ll see elsewhere in this Report, they deliver a sizeable return on investment.
Coping with GDPR: The Need for Better Data Management
Tom Cropper, Editor
GDPR is here and many data management systems are struggling to cope, which is why the next generation of technologies will be so important.
2018 has already been a busy year for corporate regulation. We’ve had MiFID II and PRIIPs in the financial world, but nothing is more far reaching than Europe’s General Data Protection Regulation (GDPR). Not since Y2K have we seen businesses being more concerned by an incoming perceived threat and, as the deadline approached in May, people found themselves wading through email after email asking them to update their consent.
The GDPR Revolution
GDPR was not before time. The rise of mobile and internet services has placed a huge amount of personal information online. Thanks to our willingness to bank online and make purchases online, that data can be incredibly dangerous if it falls into the wrong hands, and the wrong hands are certainly looking hard. GDPR has several aims. It intends to improve cybersecurity by increasing the responsibility of firms for the data they handle, and it aims to give customers control over their own personal information. Rather than passive consent, which might once have been adequate, firms must obtain clear, unambiguous active consent which is freely given for each way they intend to use their data. In practice, this means that customers must actively opt in to have their data used in a certain way rather than opting out. They must also be able to pick and choose how their data can be used. For example, they might be happy for their information to be used to drive more personalized marketing, but they might not be happy for it to be shared with third parties. Most of all, customers must remain in control of their data once that consent has been given, meaning they can ask for it to be deleted at any time.

Businesses which hold data will also have to maintain higher standards when making sure that data stays safe. They must have disaster recovery practices in place and, if a breach occurs, they must notify the regulator within 72 hours of becoming aware of it. This creates a logistical and reputational headache for many businesses. On the one hand they will have to notify the regulator when a breach occurs – effectively telling the world that their systems have been compromised. On the other, they will need to have excellent control and oversight over the data that they manage on their system.
A Lack of Infrastructure
Many companies are not set up to deliver the required level of data transparency. As the deadline approached, a report from Capgemini warned that 85% of firms in Europe and the USA were struggling to comply with GDPR[6]. A study from Forrester Consulting has also found that 62% of companies don’t know where their most sensitive data resides[7]. They would struggle to understand what data they hold about individuals, whether it complies with GDPR and how to access it if required by the regulators or the individuals themselves. The problem often lies in the software used to manage data. As the amount of data coming into companies has exploded in recent years, infrastructure has struggled to cope. Traditional data storage facilities lack the capacity or the agility to manage the vast amounts of structured and unstructured data coming into an organization. Sifting through what information a business holds and manages is a major undertaking.

Many organizations have migrated onto the cloud to increase their capacity and ability to use data in a more proactive fashion. This next generation of technologies not only increases the storage capacity of an organization, but it also makes it possible to view, access and analyze data in real time. This can deliver much improved oversight of operations within a company. For example, financial reports which might once have taken days or weeks to compile and been quickly out of date, can be drawn up quickly and show a real-time picture of the state of a company. It’s a crucial tool for companies in an increasingly competitive landscape. It can help to optimize cashflow management, improve financial planning and gain additional insights into where a business is profitable, where it is losing money and which products are performing well. By bringing customer data into one platform from multiple sources, it can also deepen insights into buying patterns, improve relations with customers, allow firms to offer more personalized services and improve marketing strategies. Systems can also aid collaboration, reducing the amount of paperwork involved in board meetings by giving all participants a central repository into which they can input all notes and documents for meetings. They can encourage remote working by allowing people to communicate wherever they are in the world. This allows working with a wider pool of remotely-based freelancers, increasing the talent pool available for any company. The benefits are enormous, which is why companies are laying aside their previous caution surrounding the cloud and making the move. The public cloud market is predicted to grow at more than 20% per year up to 2022[8]. Meanwhile, Gartner predicts that Infrastructure as a Service is likely to be the fastest growing sector of the cloud market at 35.9% CAGR[9].

All that data will have to comply with GDPR, but giving users greater visibility of the data the company holds, and easier access to it, makes complying with the regulations simpler and less time consuming. Data managers can see what data they have, its location and the levels of consent; they can alter consent levels if required and delete them if needed. Bringing all data into one place reduces the administrative burden involved with complying with GDPR as well as the risks of being penalized.
The Risks of Technology
There is of course one black cloud on the horizon. The biggest obstacle preventing users from migrating onto the cloud is cyber risk, and with good reason. Cybercriminals are actively targeting cloud services. Although security measures have improved dramatically, any data held or stored online may be vulnerable depending on how secure the cloud provider’s infrastructure is. Furthermore, under data protection regulations, every company is responsible for any data it uses – even that which is stored by a third-party provider. So, if the cloud provider were to be compromised, its client would still be deemed liable by the regulators. Such is the value of the cloud and of agile data management systems, that businesses are making the leap despite the risks. However, in order to stay safe and remain the right side of the regulations, they must choose the right partner and take active steps to ensure that they manage data in the right way, which is what we’ll explore in the next article.
Good Governance: What Companies Must Do to Improve Cyber Security Governance
Jo Roth, Staff Writer
Want to create a good culture of cybersecurity governance? It’s time for the people at the top to take control.
Establishing an effective strategy, though, is only part of the battle. A firm will also have to account for what is one of its biggest security vulnerabilities. The flesh and blood people who work for the firm
The cyber criminals are on the march, but are corporate defenses evolving quickly enough to keep pace? Sadly, the answer in many cases is no. The dramatic increase in the use of digital technology and the amount of sensitive data that companies hold has created a lucrative opportunity for cyber criminals – even more so given the fact that defenses are variable from company to company. To stay safe in the interconnected world of digital business, companies have to rethink their attitude to cybersecurity governance.
It Can Happen to Us
In 2017, Equifax became the latest high-profile organization to be hacked by cyber criminals as millions of customer details were lost [10]. They join a growing list of victims: the Friend Finder network in 2016, the NHS in 2017 and many others. For those watching on, the lesson should be clear: if it can happen to them, it can happen to us. The penalties, if that happens, can be severe. Aside from the obvious financial loss from any hack into the systems, companies face the immense reputational damage that data loss can cause. Customers have shown a remarkable willingness to allow sensitive personal data to be stored and used by companies. However, they need to have faith that those companies will keep their details safe and sound. If one firm cannot demonstrate the ability to do this, they will choose another which can.
Taking Control
The first lesson to take on board is that the leadership team should take a much greater role than it has done in the past. However, in many cases serious gaps exist. Directors often lack the expertise or the inclination to take a proactive role in cybersecurity, preferring instead to shift this into the realm of the IT department. It’s understandable. These are complicated issues and it’s tempting to shift responsibility onto the technical teams and hope they get it right. Even so, this is now a mission-critical issue for companies. It can have a dramatic impact on the fortunes of a company. For example, when FedEx became one of many victims of the NotPetya attack in 2016, it estimated that the attack contributed to a $300 million hit to its earnings – not counting any reputational damage it may have suffered [11]. Add to this the potential fines which, thanks to the arrival of GDPR, could now stretch into the millions, and you have a serious threat to the health of the business. Directors should start by asking themselves searching questions about the state of their cybersecurity culture, including:
• Where are we most exposed to attack?
• What is our appetite for risk?
• What are the consequences of an attack?
• Do we have the expertise within the company to build effective defenses?
• Can we recover data and system functionality quickly if we are attacked?
Directors must ask themselves these questions and take full ownership of a comprehensive strategy of cybersecurity governance which details what risks the company faces, what measures it has taken to defend against attacks, who will manage the strategy and how it can recover and maintain operations in the aftermath of an attack. Once the board has established what it expects, it can develop a company-wide strategy giving each department its responsibilities.
People Count
Establishing an effective strategy, though, is only part of the battle. A firm will also have to account for what is one of its biggest security vulnerabilities: the flesh and blood people who work for the firm. For all the many ways in which technology has changed the landscape, human error is still among the biggest weaknesses in many companies’ defenses. For example, in 2016 Ubiquiti revealed that an incident involving what it described as ‘employee’ impersonation targeting its finance department resulted in the transfer of funds totaling more than $46 million [12]. In 2015 a spear phishing attack breached the systems of the Pentagon and accessed 4,000 military accounts. Investigations may have centered on where the attack came from, but there should also have been questions asked about how the phishing attack infiltrated the organization’s defenses [13]. Such questions can be awkward because the chances are that they will lead back to an employee, which could lead to recriminations, disciplinary measures and, in some cases, dismissal. It’s a process nobody wants to go through, but it can be inevitable given the high degree of access even relatively junior employees often have to key corporate systems.
The Weakest Link
Attackers will naturally focus on the weakest link in any one system. That often means junior administration staff who may not be fully aware of the company’s strategies and what expectations are placed on them. Companies need every individual to buy into the overall approach. They need to be trained in what attacks they should be looking for and how they should manage their access. They should know, for example, to never click on a link within an email, and that if they receive an email from a colleague with an instruction which could compromise security they should always double check with that individual. On top of that, companies must establish clear protocols for the ways in which staff access is managed. In an ideal world, each member of staff should only receive the level of clearance he or she needs to do the job. When a staff member leaves, there should be a clear process in place for revoking any passwords and access privileges they had. It is a network of controls which should penetrate every corner of the organization. Consideration must be given to the endpoints where data loss can happen, including incoming emails, business partners and freelance operatives. It must cover any mobile devices used to access central systems and what level of protection the company has for them. Individual departmental managers should assume overall control for the operation in their area and escalate these matters up through the organization back to the top. Directors may not be comfortable taking more proactive ownership of cybersecurity governance. They may feel that they lack expertise in some of the issues involved. However, this is a growing threat to the future stability of the organization and, as such, is something which must be treated with all due urgency.
Cybersecurity Governance and the Future
Tom Cropper, Editor
If you think the last few years witnessed a surge in the amount of data businesses use, you ain’t seen nothing yet. Unfortunately, the same can be said about cybercrime.
It is no coincidence that the rapid increase in cyberattacks has coincided with the increase in the amount of data companies are handling. Cybercrime is big business for a very simple reason. All that data represents an extremely lucrative opportunity, and the fast-moving nature of the environment is placing businesses at risk.
Big Data
The last few years have witnessed a surge in enterprise data use, but the next five years will see that increase further still. According to a report by IDC, total global data usage could reach 163 ZB by 2025 – a tenfold increase on the current situation, with most of that being created and held by enterprises [14]. Managing this data will place enormous strain on data managers, especially as cybercrime is already rising. An army of cyber criminals is on the march armed with tools which are more affordable, effective and easier to use than ever before. In their sights are firms which are data rich, involve the transfer of sensitive material and whose defenses are less than optimal. The good news from the cyber criminals’ point of view is that there are plenty of firms in all industries which have work to do in developing an effective counter strategy. Cybercrime is going high tech. It is turning to advanced technology to make attacks seem more convincing. For example, as reported by TechRepublic, artificial intelligence is sparking a new wave of cybercrime, with AI-based servers hacking into bank accounts [15]. Not only are cyber criminals using the technology themselves, but they are targeting its use by financial institutions. For example, many institutions are using chatbot technology to communicate with their customers. However, as Finance Monthly reported recently, those chatbots are not entirely secure and, once hacked, criminals have access to the data flowing through those interfaces [16].
Moving into the future, therefore, firms will have to be aware of the ways in which cyber criminals are using next generation technology and the vulnerabilities it creates within their own systems.
Data Management for the Future
The ubiquitous nature of data will create vulnerabilities, but data will also be crucial to the future of business. Firms will need systems which can help them leverage that data in a way which is secure and reliable. Solutions such as Nasdaq Boardvantage show where this is going. In 2017 it was named best operational risk provider at the RiskTech 100 Awards [17]. It starts by offering an enhanced approach to cyber security. It sits in an ultra-secure hardened data center without third party access. It complies with the highest industry security standards, including SOC 2 certification, ensuring there are multiple layers of security to protect the data the system holds. Access requires multifactor authentication; content is fully encrypted, pulled into separate individual repositories and protected with unique encryption keys. Such an enhanced level of security is crucial for board management portals which facilitate easy collaboration between stakeholders in multiple locations. Documents can be stored in a central repository, making it much easier for meeting organizers to produce packs for each meeting, which means digesting a large amount of information in a very short time. Rather than printing off reams of documents and wasting paper, all that information can be viewed within the single Boardvantage platform. This makes it much easier to manage and prepare for meetings. Attendees can prepare in their own time and at their own pace. It also saves paper, helping a firm meet its sustainability targets as well as saving money. One of the principal benefits, though, is security.
When using paper-based documents it’s all too easy for delegates to mislay a copy and leave the sensitive data it contains vulnerable to attack. By shifting it into the digital realm that information is locked safely behind a secure portal. Documents from past meetings can also be accessed at any time.
Testing Defenses
The solution also enables board teams to have more oversight over cybersecurity strategies. They can view reports on progress and recommendations from IT teams and see clear metrics on performance. They can also develop comprehensive security tests which illustrate to what degree guidelines are being followed. With these tests, staff can be sent suspicious-looking emails. The team can then track who opens them, who does not, and who reports suspicious emails to their supervisors. This makes it possible to rate the status of cybersecurity governance strategies, monitor compliance and take corrective measures. Identifying staff members who need help and further education in mitigating cyber security risks is much less expensive, risky and painful than dealing with a breach after it has happened and taking disciplinary procedures against members of staff. Technology like this will be crucial in helping departments to keep pace with the rapidly evolving nature of cybercrime. They can see where the company is performing well, where it needs help and what it must do to keep up with the latest attacks. Additionally, it comes with the very latest security protocols, enabling senior board members to share even the most sensitive corporate information across multiple locations. This is what the future looks like. It is high tech, agile, mobile and – most importantly of all – extremely secure. While it is impossible to ensure 100% safety, this does the next best thing. By turning the organization into a secure and hard-to-reach target, hackers are likely to move on to something else. Like any other criminal, they are more likely to take aim at the weakest targets. The stronger a firm’s defenses are, the less likely it is to be a target and the safer it will be.
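The tracking described above (who opened, who clicked, who reported) only becomes a governance metric once the raw events are scored consistently. The following added example is not code from the report or from Nasdaq Boardvantage; it scores a constructed, fictional simulation log, computes per-department click and report rates, and lists repeat clickers as candidates for further training. The event names, the severity order and the two-campaign threshold are assumptions.

```python
from collections import Counter

# Constructed sample event log from a phishing simulation (fictional names, not real data).
# Each row: (campaign, user, department, event); every recipient gets a "sent" row.
EVENTS = [
    ("q1", "alice", "finance", "sent"), ("q1", "alice", "finance", "opened"),
    ("q1", "alice", "finance", "clicked"),
    ("q1", "bob", "finance", "sent"), ("q1", "bob", "finance", "opened"),
    ("q1", "bob", "finance", "reported"),
    ("q1", "carol", "it", "sent"),
    ("q2", "alice", "finance", "sent"), ("q2", "alice", "finance", "clicked"),
    ("q2", "bob", "finance", "sent"), ("q2", "bob", "finance", "reported"),
    ("q2", "carol", "it", "sent"), ("q2", "carol", "it", "opened"),
    ("q2", "dave", "it", "sent"), ("q2", "dave", "it", "clicked"),
    ("q2", "dave", "it", "reported"),
]

# Assumed severity order: a click counts even if the user reported afterwards (the link
# was already followed), reporting beats merely opening, and an untouched email is "ignored".
SEVERITY = {"sent": 0, "opened": 1, "reported": 2, "clicked": 3}
LABEL = {0: "ignored", 1: "opened", 2: "reported", 3: "clicked"}


def classify(events):
    """Map (campaign, user) -> (department, outcome label) using the worst event seen."""
    worst, dept = {}, {}
    for campaign, user, department, event in events:
        key = (campaign, user)
        dept[key] = department
        worst[key] = max(worst.get(key, 0), SEVERITY[event])
    return {key: (dept[key], LABEL[sev]) for key, sev in worst.items()}


def department_metrics(outcomes):
    """Per-department click and report rates as fractions of recipients, rounded to 2 places."""
    totals, clicks, reports = Counter(), Counter(), Counter()
    for (_, _), (department, outcome) in outcomes.items():
        totals[department] += 1
        clicks[department] += outcome == "clicked"
        reports[department] += outcome == "reported"
    return {d: {"click_rate": round(clicks[d] / totals[d], 2),
                "report_rate": round(reports[d] / totals[d], 2)} for d in totals}


def needs_training(outcomes, threshold=2):
    """Users who clicked in at least `threshold` campaigns: candidates for coaching, not blame."""
    clicks = Counter(user for (_, user), (_, outcome) in outcomes.items() if outcome == "clicked")
    return sorted(u for u, n in clicks.items() if n >= threshold)


if __name__ == "__main__":
    results = classify(EVENTS)
    print(department_metrics(results))
    print("follow-up training:", needs_training(results))
```

The report rate is the metric to watch alongside the click rate: a department that reports most test emails gives the security team early warning of a real campaign.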
References:
1. Cyber Attacks Against UK Businesses Increase: https://www.theguardian.com/technology/2018/apr/10/uk-businesses-face-growing-threat-from-cyber-attacks-report
2. Cybercrime Costs $600bn: http://www.cityam.com/281006/cybercrime-costs-global-economy-600bn
3. Ransomware is Now a $2bn a Year Criminal Industry: https://www.cyberscoop.com/ransomware-2-billion-bitdefender-gpu-encryption/
4. Two Canadian Banks Hacked: https://www.csoonline.com/article/3276275/data-breach/2-canadian-banks-hacked-90000-customers-data-stolen.html
5. Majority of Big British Firms Not Prepared for Cyber Attacks: https://www.scotsman.com/future-scotland/tech/majority-of-big-british-firms-not-prepared-for-cyber-attack-1-4537313
6. 85% of Firms Struggle to Comply with GDPR: https://www.capgemini.com/gb-en/news/85-of-firms-struggle-to-comply-with-gdpr-by-deadline-but-opportunity-exists-for-organisations-who-get-it-right/#
7. 62% of Companies Don’t Know Where Their Most Sensitive Data Resides: http://www.itsecurityguru.org/2017/01/25/62-companies-dont-know-sensitive-data-resides-report/
8. Gartner Forecasts Public Cloud Market to Grow at 21.4%: https://www.gartner.com/newsroom/id/3871416
9. IaaS to be Fastest Growing Sector of the Cloud: https://www.computerweekly.com/news/252438790/IaaS-emerges-as-fastest-growing-sector-of-the-global-public-cloud-market
10. Equifax Reveals Full Horror of that Cyber Heist: https://www.theregister.co.uk/2018/05/08/equifax_breach_may_2018/
11. FedEx TNT: NotPetya Blew a $300 Million Hole in Our Numbers: https://www.theregister.co.uk/2017/09/20/fedex_notpetya_damages/
12. Ubiquiti Stung for $46 million: https://www.theregister.co.uk/2015/08/09/ubiquiti_stung_by_email_spoofing_fraud/
13. Spear Phishing Attack at Pentagon Network: https://www.hackread.com/pentagons-network-hacked-with-phishing-attack/
14. Data Use Could Reach 163 ZB by 2025: https://solutionsreview.com/data-management/idc-data-creation-to-reach-163-zettabytes-by-2025/
15. How Artificial Intelligence is Unleashing a New Type of Cybercrime: https://www.techrepublic.com/article/how-artificial-intelligence-is-unleashing-a-new-type-of-cybercrime/
16. Here’s How Cybercriminals Can Hack Finance Chatbots: https://www.finance-monthly.com/2018/02/heres-how-cyber-criminals-can-hack-finance-chatbots/
17. Nasdaq Wins RiskTech 100: http://business.nasdaq.com/mediacenter/pressreleases/1642119/nasdaq-wins-risktech100-best-operational-risk-grc-category
CEOs Find Solutions To Their Business Challenges With CEO Reports
For the past decade, CEO Reports has been helping CEOs and their management teams to find new solutions to their commercial, technical and operational challenges. Our Special Reports provide readers with an unparalleled depth of information on specialist subjects, which receive limited coverage in the mainstream business media. Each report is designed to help CEOs to make more effective business decisions, by providing a unique mix of:
• Subject specific technical information
• Insight and knowledge from internationally recognised key opinion leaders
• Independent data and analysis
• Unbiased editorial content
subscriptions@globalbusinessmedia.org www.globalbusinessmedia.org