Just look at the news every few weeks and you will learn that yet another company or organization has suffered a cybersecurity breach. Have you ever really considered how deeply this impacts that company or organization? What are the real costs? How did this breach occur, and how could their IT department let it happen? Who is responsible, and in what way? And ultimately, is that company's or organization's board culpable or responsible in some way?
There is no doubt that the costs of a cyber incident can be staggering, with first-party breach response expenses, business interruption loss, and third-party litigation all having a noticeable impact on the bottom line. In some cases, the fallout may damage a brand's reputation, strain a company's ability to serve customers, or prevent a nonprofit organization from effectively fulfilling its mission. Given the existential threat posed by cyber risks, the issue has gradually risen from solely an IT department problem to one that concerns top-level management.
In recent years, there have been several high-profile shareholder derivative lawsuits aimed at directors and officers of publicly traded companies following data breaches, often alleging a breach of fiduciary duty, negligence, or gross mismanagement. Boards of directors for private companies, organizations, and nonprofits alike have a duty of care to their organizations, and individual directors and officers may be held personally liable for their failures, negligence, or inaction. In an era where the prevention of cyber attacks is virtually impossible, it is imperative that boards recognize their exposure to cyber risk and proactively take the steps to manage it. Boards and management should also recognize that an organization's cyber security risk exposure is directly related to its IT management processes and practices. Because of that direct correlation between IT management processes and practices and IT security, boards should pay close attention to both. Boards should ensure that every aspect of IT management within a company or organization follows foundational processes and controls, specifically around change, configuration, and release management, because the quantitative research on IT performance shows that these foundational controls drive an IT organization's success and SECURITY. Boards must begin to realize that companies and organizations simply can't afford NOT to demand that these methodologies are practiced, because failure to follow them may be creating the highest unrecognized critical risks and exposure for both the board and the company or organization.
Here are some of the major topics that boards should contemplate when assessing and addressing their organization's cyber risk and its overall approach to managing IT assets and systems:
1) Cyber Risk Assessment: Depending on the size of your organization and the resources available, a security audit or cyber risk assessment can provide a clear outline of the most likely sources of cyber threats, identify vulnerabilities in your network, and provide recommendations to address these exposures from both technological and procedural standpoints. Recognize that this starts by assessing your overall IT systems, people, and processes and measuring them against IT best practices, which is just as paramount as identifying and assessing the inherent risks you can find. It should be noted that if your IT processes are broken, it is a good indicator that your IT security is weak too.
2) Regulatory Environment: Boards should educate themselves on the types of information the organization typically handles; which state or federal laws may govern the collection, retention, use, or disposal of such data; and what the organization should be doing to comply with those laws from a best-practices standpoint.
3) Information Security Leadership: Whether it's a chief information security officer, chief technology officer, or director of information technology, there should be one individual who is responsible for overseeing all cybersecurity operations, preferably with regular and direct communication with the board and management. Looking for ways to improve the IT organization's security posture and following best practices within the IT organization has proven results: it not only delivers better security, but also more effective and efficient IT overall. Your security leadership should integrate with every part of your IT management and processes. Being proactive in managing your security as well as your IT systems, and making sure you have the foundational controls and processes in place, is not easy, but it should be a priority for every company and organization.
4) Incident Response Planning & Proactive IT Management: In conjunction with the chief information security officer (or equivalent), the board should approve an enterprise-wide cyber incident response plan that contemplates a variety of incidents, including data breaches, system outages, denial of service attacks, and ransomware. The best incident response plans outline specific roles and responsibilities in the event of a cyber incident, and are reevaluated, updated, and practiced on a regular basis. Again, the best defense is a good offense, so while you should implement and maintain an up-to-date incident response plan, you should also be looking to continually improve the IT processes and practices used to manage all of your IT systems. This proactive focus on managing IT with rock-solid configuration, change, and release management processes will provide an excellent backstop if the bad guys do breach your systems.
5) Culture of Security: Despite the sophistication of present-day technology, most successful data breaches and cyber incidents can ultimately be traced back to human error or carelessness. This highlights the need for boards to encourage a "culture of security" from the top down, educating all personnel on proper "cyber hygiene" and empowering employees to report suspicious emails or other threats as soon as they are identified. It is imperative that this starts with the IT team itself: are they, and the managed services partners they have selected, taking measures to include security in every aspect of how the organization's IT assets are managed?
6) Risk Retention and Transfer: While there are many ways to reduce the likelihood of a breach and even mitigate the impact of a cyber event, boards must also consider risk transfer as a financial backstop. Purchasing a dedicated cyber-insurance policy is paramount and something every organization should have these days. Not only does it provide protection from first-party losses and third-party liability, but it will often also offer access to a network of experienced claim specialists, forensic experts, and data privacy attorneys.