This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.
We’ve reached the summer solstice, a time marked by great festivals in many countries. In bygone years, it was the moment in which bonfires were lit to protect against evil spirits, which were believed to roam when the sun turned southward. Now it’s more of a party, but we still need to protect against the evil cyber spirits, by…
Following the leaders…
Why CEOs need to lead on cybersecurity
“Just because you’re paranoid doesn’t mean they’re not out to get you,” the old line goes, which seems like a fitting way to talk about cybersecurity and leadership. CEOs have the dilemma of rationally thinking about security threats, while recognizing that those threats are very real. In my feature for the latest issue of Associations Now, I wrote about some of the latest cybersecurity threats at associations—including ransomware and exploiting the internet of things—and explored some of the ways organizations have responded. As with most important issues, a proactive approach that anticipates threats is helpful. And one critical element of that, of course, is making sure that top leaders are part of that discussion. Problem is, the CEO often isn’t. An ISACA/RSA Conference survey earlier this year pointed out that while cybersecurity is a concern for an overwhelming majority of boards, only one in seven security chiefs report directly to the CEO. Moreover, respondents see a problem at the top: Fewer than half (43 percent) said their organization’s executive team follows good security practices themselves.
C-suite leadership can cut cyber-attack growth by 50% says new report
A new report published today (June 2nd 2016) by The Economist Intelligence Unit (EIU) highlights the critical role of the C-suite and board in defending their firms against cyber-crime. Data Security: How a proactive C-Suite can reduce cyber-risks for the enterprise, sponsored by Oracle, includes findings from a global survey of 300 C-suite executives conducted in February-March of 2016. A primary driver of success was the adoption of a proactive cyber-defence strategy. The 28% of firms that prioritized this approach were able to cut the growth of cyber-breaches by more than 50%.
Cyber security executives need to step up their game: Here’s why
Board members of large enterprise companies once viewed cyber security threats the same way they saw natural disasters: possible, but unlikely. Those days have changed. According to a new report by cyber risk analytics company Bay Dynamics, based on the results of a nationwide survey conducted by Osterman Research, board members are taking cyber security risks seriously. So seriously, in fact, that 26 percent of those surveyed said cyber risks were their highest priority, a larger percentage than those most concerned with financial, legal, regulatory, or competitive risks. The 125 survey respondents consisted of enterprise executives who serve on the boards of directors of enterprise companies and receive reports about companies’ cyber security programs. “Failing to deliver the cyber risk information that board members want, in a way they understand, will not go unnoticed,” said Ryan Stolte, Chief Technology Officer and Co-Founder of Bay Dynamics. And there will be repercussions. 59 percent of board members surveyed said that there is a good chance that one or more IT and security executives who fail to provide useful and actionable information in their reports would lose their jobs.
5 tips for setting up a security advisory board
Security vendors have had security advisory boards for several years, but ever since the high-profile Target, Sony, and JP Morgan data breaches, other software companies and even mainstream companies are taking a serious look at forming boards of their own. Take data management and data analytics vendor DataGravity, which this week said it has formed a security board mainly as a way to gain expertise across vertical industries such as financial, retail, healthcare, and education, as well as to learn from experts who have done business in Europe.
Into the realm of the CISO…
‘Vendor overload’ adds to CISO burnout
There are multiple reasons for the relatively rapid burnout of Chief Information Security Officers (CISO).They include a combination of pressure and the unrealistic expectation that the CISO should not just lower the risk of major breaches, but prevent them altogether. The modern CISO is also expected to have skills that go well beyond being a technology geek – to understand and “speak the language of business,” and be a strategic participant in business decisions.
Debate continues over where CISOs sit in the C-suite
Pundits scrutinizing senior executive dynamics have opined for years about to whom the CISO should report. Some say the CISO should report to only the CIO because the top security role is inextricably linked to IT. Others say this is a terrible idea because the CISO’s must lock down the corporate network while the CIO is challenged to innovate. A CISO panel convened at the MIT Sloan CIO Symposium last month rekindled this longstanding C-suite debate.
The CISO job market in 2016: Time to jump ship?
For CISOs that are even remotely considering switching jobs, the sky appears to be the limit. A quick search of job offers for CISOs returns thousands of results, and there should only be more to come as organizations realize the importance of having a security leader firmly ensconced in the enterprise. This demand is partly due to organizations globally realizing that cybersecurity risks are now a business issue, and having the right person in the organization is paramount for managing those risks. Naturally, the unprecedented demand for CISOs is also fueling a rapid rise in salaries.
What CISOs need to tell the board about cyber risk
There should be little doubt about cybersecurity’s importance in 2016 given the amount of attention the topic has garnered in the past decade. Board directors and top leadership are under pressure from all sides: from federal and state regulators, from business partners seeking to tackle third-party vendor cyber risks, and from shareholders and their class-action lawyers ready to sue the moment a breach is announced. The SEC’s leadership has been crystal clear about the responsibilities of board directors for proper cybersecurity governance. In his 2015 ABSPE speech, SEC Commissioner Luis A. Aguilar put it very clearly: “In the end, boards have a fiduciary responsibility to ensure that they possess the necessary skills, experience, and judgment to be competent stewards of their companies.”
Mobile workforce exposes businesses to security vulnerabilities
U.S. business leaders are unprepared for the increased threat to information security that comes with flexible office environments. A Shred-it study shows that leaders are not providing the protocols and training needed to ensure information remains secure in a mobile work environment. With the number of mobile workers in the US expected to reach 105 million by 2020, more workers are using the tools of the modern workforce, including laptops, USBs and cloud storage to connect outside the traditional office environment.
Don’t bite! 9 essential steps to prevent cyberattacks
Hackers never sleep. They also use tech innovations better than many of us. In recent months, we’ve seen criminals take computer systems hostage at hospitals across the U.S., target banks around the world via the SWIFT system, and steal $12.7 million in a massive ATM heist in Japan. As mobile devices proliferate and everything from TVs to cars gets plugged into the Internet, things will only get worse. Fear is changing online behavior. A survey by the U.S. National Telecommunications and Information Administration recently showed that data security worries in the U.S. have curtailed online activity among 45% of households. We need a sea change in our collective thinking to defend ourselves against this onslaught.
Security threats hiding in plain sight
Data breaches have become so common that it’s easy to overlook them. There were 781 known data breaches in 2015, according to the Identity Theft Resource Center, enough to read about mistakes being made twice a day if the media chose to write about every incident. Websites like haveibeenpwned.com list dozens of breaches affecting high-profile websites. The potential threat posed by insiders is well known, even if employees, contractors, and partners don’t represent the most significant threat vector. According to Verizon’s 2016 Data Breach Investigations Report, 172 data breaches around the world last year were attributable to insiders and privilege misuse out of 2,260 breaches analyzed.
5 ways to protect your network from new graduates
Graduation season is wrapping up and a new generation is entering the workforce. Youth and a fresh perspective is always appreciated in the enterprise, but what about when these new grads pose a security risk to the network? The graduating class of 2016 was born the same year that Google was founded and were nine years old when the first iPhone was released. Smart technology and access to high-speed internet has been a part of their lives from the get-go, making this group incredibly tech savvy. But, their hyperconnected behavior doesn’t come without its drawbacks.
How to prepare for a data breach
Organizations are battling with sophisticated, conniving cyber adversaries who are constantly evolving their techniques to steal and profit from their valuable and sensitive information. Since no environment can ever be 100 percent secure, a determined, skilled attacker will eventually penetrate even the most well-protected company’s defenses. Ensuring the right people and processes are in place before a security incident occurs can make a significant difference in how a breach impacts the organization’s operations, reputation, and bottom line. After all, when an organization is under attack, or has suffered a potential breach, time is money. The less resilient the organization, and the slower it is to respond, the longer it will take to bounce back, and the more expensive the loss (and recovery) will be.
Do employers give enough security training?
More than half of UK office workers say their employers have provided no cyber security awareness training, according to ISACA’s 2016 Cyber Security Perceptions study of more than 2,000 UK consumers online. 36% of respondents say they could not confidently define a phishing attack, and 19% have fallen prey to phishing emails. Additionally when asked to prioritise between a fast Internet connection and a secure one, 1 in 3 chose speed. “It is critically important that we create awareness in cybersecurity and in multiple roles within an organisation,” said Christos Dimitriadis, chair of ISACA’s board of directors. “The human factor is critical when creating cybersecurity capability, and education based on practical guidance is key to reducing the related business risks.”
Spearphishing attacks target boards
With great power comes great responsibility — and also a great big target painted on your head. At least, that’s the case lately with corporate boards of directors and cybercriminals launching spearphishing attacks. ” Since the beginning of the year we have serviced about 350 different clients that have had spearphishing attacks,” said Michael Bruemmer, vice president for data breach resolution at Experian Information Solutions. “About a third were specifically targeted at board members.” Board members get emails asking them for tax information or requesting bank transfers, which they typically forward to the company employee who is responsible and asking them to take care of it.
The best defense is a good offense?
From hunted to hunter
All over the world, businesses have crafted detailed plans for dealing with a cyber attack. What many have not done is plan to become the hunter rather than the hunted, and prevent attacks before they begin. “There used to be this old concept of defend, detect and respond,” said Dave Amsler, president and founder of Raytheon Foreground Security. “Now it’s detect, isolate and eradicate. You have to proactively hunt for the skilled attacker in your network.” In numerous organizations, IT leaders duck instead of covering their digital assets ahead of any attack, according to a worldwide survey titled “Don’t Wait: The Evolution of Proactive Threat Hunting.”
The Chinese hackers in the back office
BELLEVILLE, Wis. — Drive past the dairy farms, cornfields and horse pastures here and you will eventually arrive at Cate Machine & Welding, a small-town business run by Gene and Lori Cate and their sons. For 46 years, the Cates have welded many things — fertilizer tanks, jet-fighter parts, cheese molds, even a farmer’s broken glasses. And like many small businesses, they have a dusty old computer humming away in the back office. On this one, however, an unusual spy-versus-spy battle is playing out: The machine has been taken over by Chinese hackers. The hackers use it to plan and stage attacks. But unbeknown to them, a Silicon Valley start-up is tracking them here, in real time, watching their every move and, in some cases, blocking their efforts. “When they first told us, we said, ‘No way,’” Mr. Cate said one afternoon recently over pizza and cheese curds, recalling when he first learned the computer server his family used to manage its welding business had been secretly repurposed. “We were totally freaked out,” Ms. Cate said. “We had no idea we could be used as an infiltration unit for Chinese attacks.”
Hunting the hackers: Why threat intelligence isn’t enough
Threat intelligence: it’s the latest buzzword in the security industry and the shiny new solution coveted by CIO’s. The theory goes that by adopting a proactive stance, and monitoring activity not just on the network but externally too, you’ll have advance warning of an attack. Events or triggers can be spotted that indicate, like ripples on a pond, the approach of a predator, robbing the attacker of the element of surprise and giving the organisation time to raise its guns and throw up the defences. The trouble with this scenario is that big business has been doing this type of monitoring for some time and with some expensive tools… yet attacks are continuing unabated. Anti-virus, intrusion prevention systems (IPS), data loss prevention (DLP), and Security Incident and Event Management (SIEM) systems are all being used to automatically collate and log data and events in a bid to crunch sufficient data to stymie an attack.
By Tom Davis, SDI Cyber Risk Practice
SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.
June 28, 2016