Corporate Board Member and FTI Consulting recently conducted a study involving more than 500 directors and general counsel. Among the many interesting findings was a significant rise in concerns related to IT and cyber risk.
When asked, “What keeps you up at night?” directors placed data security at the top of their list. Corporate reputation and crisis preparedness were tied for fifth. General counsel had data security at number two behind regulatory compliance, followed by corporate reputation and crisis preparedness as number three and four respectively.
What does this mean for you? 41% of the directors and 33% of the general counsel indicated that IT/Cyber Risk was an issue they intended to spend “significant time on” in the coming year. Put another way, the board has finally awoken to the impact a breach can have on a company’s valuation. Corporate stewards are getting educated in a hurry and are gearing up to ask some very pointed questions regarding your strategy for protecting the company.
So, in preparation for that first board meeting, here are a few simple suggestions to consider as you build out the strategy you will present to the board:
1. It’s no surprise that employees and contractors are viewed as the weakest security link within any organization. Whether the cause is malicious or accidental, most data breaches link back to this one common denominator. As a CIO or CISO, your ability to stop a cyber attack rests largely with individuals outside of your direct control. Therefore, it’s imperative that you secure a firm commitment from the board and executive staff to drive comprehensive security education across the organization. Prevention begins the day an employee or contractor is given access to your network.
2. Coming into the organization, you clearly have an opportunity to wipe the slate clean and implement a new mindset. The most balanced and objective assessment of today’s threat landscape you will hear is that threats hide in plain sight. They use common applications as their infiltration vector, borrow the evasion techniques of legitimate applications (non-standard ports, encryption), and either masquerade as common network applications or ride on top of them for command-and-control and data exfiltration. Most of these applications are unmonitored, or worse, completely opaque to your security tools.
Take this opportunity to get a network security assessment; rest assured you’ll be astounded at what you find. Use the results to design an architecture that gives you visibility into all network traffic, regardless of which port or protocol is in use and whether or not that traffic is encrypted. Then use that visibility to enable only the applications that are critical to your business; every application beyond that set is attack surface that adds risk without adding value. And if you really want to impress your board, have the assessment report in hand for that first meeting.
3. Do not give up on prevention! There have been some disturbing claims of late that “signature-based defenses are dead” and that “prevention is futile.” To put it bluntly, this is ridiculous. Yes, your strategy must evolve to place greater emphasis on detecting advanced threats and, where necessary, remediating them immediately; that is a crucial element of your crisis preparedness plan. But detection should also be viewed as a crucial ingredient of an effective prevention strategy, tied into a closed-loop system: one that takes what it detects and immediately applies that new intelligence to the front of your cyber kill chain.
Today’s sandbox tools generate a wealth of new intelligence while analyzing a previously unknown threat. Each day, security firms analyze hundreds of thousands of samples, resulting in the discovery of new malware, vulnerabilities, malicious URLs, and command-and-control servers. Those discoveries become new signatures. An effective architecture must immediately apply those new signatures to your prevention tools (IPS, anti-malware, URL filtering, and so on). No more open-ended architectures, and no more architectures that rely on manual processes and human intervention to stop an attack in progress. Strive for full automation, as this is the only way you can scale over the long term. And make sure this architecture ties into a broader intelligence community or subscription service. Attacks are often designed for a specific industry, and there is no reason not to benefit from threats first detected at one of your peer organizations.
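To make points 2 and 3 concrete, here is an added example (it is not code from the original article, nor from any vendor product) of a single app-aware enforcement point. It shows why a port-based rule lets SSH and DNS tunnelling through while an application allowlist does not, and it closes the loop by turning a sandbox verdict into blocklist entries that are enforced on the very next flow. The application names, hosts, hashes, the verdict format and the allowlist are all constructed for illustration; the example also goes slightly beyond the text by treating an unknown file as the trigger for sandbox analysis.

```python
# Added example, not code from the original article. Everything below
# (applications, hosts, hashes, verdict format) is constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst_host: str                  # destination hostname (assumed already resolved/logged)
    dst_port: int
    app: str                       # application identified by content inspection, NOT by port
    sha256: Optional[str] = None   # hash of a file carried by the flow, if any


# Applications the business actually needs (constructed allowlist).
ALLOWED_APPS = {"web-browsing", "ssl", "dns", "smtp", "office365"}


@dataclass
class Blocklist:
    """Indicators learned by detection and pushed straight into prevention."""
    domains: set = field(default_factory=set)   # feeds DNS/URL filtering
    hashes: set = field(default_factory=set)    # feeds anti-malware

    def ingest_verdict(self, verdict: dict) -> int:
        """Apply a sandbox verdict immediately; return the number of new indicators."""
        if not verdict.get("malicious"):
            return 0
        before = len(self.domains) + len(self.hashes)
        self.hashes.add(verdict["sha256"])
        self.domains.update(verdict.get("c2_domains", ()))
        return len(self.domains) + len(self.hashes) - before


def port_policy(flow: Flow) -> str:
    """Legacy rule: whatever runs on 80/443/53 is 'web' or 'DNS' and is allowed."""
    return "allow" if flow.dst_port in (80, 443, 53) else "deny"


def app_policy(flow: Flow, bl: Blocklist) -> str:
    """Positive enforcement: the identified application must be allowlisted,
    and the flow must not match any indicator the closed loop has learned."""
    if flow.app not in ALLOWED_APPS:
        return "deny:app-not-allowlisted"
    if flow.dst_host in bl.domains:
        return "deny:known-c2"
    if flow.sha256 is not None:
        if flow.sha256 in bl.hashes:
            return "deny:known-malware"
        return "allow:submit-to-sandbox"   # unknown file: let it through, analyze it
    return "allow"


# Constructed traffic seen before any verdict exists.
INITIAL_FLOWS = [
    Flow("10.0.1.5", "203.0.113.10", 443, "ssh"),          # SSH hiding on the HTTPS port
    Flow("10.0.1.6", "203.0.113.20", 53, "dns-tunnel"),     # data exfiltration inside DNS
    Flow("10.0.1.7", "files.example.net", 443, "web-browsing", sha256="a1" * 32),
]

# Constructed sandbox verdict for the unknown file carried by the third flow.
SANDBOX_VERDICT = {
    "sha256": "a1" * 32,
    "malicious": True,
    "c2_domains": ["c2.example.net"],
}

# Constructed traffic seen after the verdict has been applied.
FOLLOW_UP_FLOWS = [
    Flow("10.0.1.7", "c2.example.net", 443, "ssl"),         # beacon from the infected host
    Flow("10.0.1.8", "mirror.example.net", 80, "web-browsing", sha256="a1" * 32),
]


def run_scenario() -> dict:
    """Evaluate the same traffic under both policies, before and after the verdict."""
    bl = Blocklist()
    return {
        "port_policy": [port_policy(f) for f in INITIAL_FLOWS],
        "before": [app_policy(f, bl) for f in INITIAL_FLOWS],
        "new_indicators": bl.ingest_verdict(SANDBOX_VERDICT),
        "after": [app_policy(f, bl) for f in FOLLOW_UP_FLOWS],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Run stand-alone, the port-based rule allows all three initial flows, while the application rule denies the SSH and DNS tunnels and lets only the unknown download through for analysis; once the verdict is ingested, both the beacon to the command-and-control host and a second copy of the same sample from a different server are blocked without anyone touching a console. One caveat the example deliberately omits: it applies the verdict unconditionally. In production you would gate auto-generated indicators on the sandbox’s confidence and give them an expiry, because a false positive pushed straight into a blocking control will otherwise block a legitimate domain until someone notices.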