SIX CYBERSECURITY QUESTIONS EVERY BOARD SHOULD ASK

Mint ST - LONG STORY

RAVI VENKATESAN & NITIN BHATT

Cybersecurity has become a critical business continuity issue. There truly are only two types of companies: those that know they have been hacked, and those that do not. The operational, financial and reputational costs of breaches are rising as well. In some cases, CEOs and board members have been forced to resign. Many boards, however, are just waking up to this risk. The following questions can provide a framework for corporate directors as they fulfil their fiduciary responsibilities.

Which assets “must” we protect?

It is critical to risk-rank data assets to identify which ones can make or break an organization. For instance, the clinical trials data of a pharmaceutical company, call data records of a telecom enterprise and patient care records of a hospital would fall in the high-risk category. How can such crown jewels be protected? The mainstream approach is to identify potential threat-actors and vulnerabilities, implement controls, and finally, thwart attacks by leveraging analytics-enabled threat-monitoring tools. Another approach—suggested by leading cybersecurity experts—is to isolate critical assets from the internet, minimize their digital footprint, and monitor them by using analogue devices and trusted human beings.

Which vulnerabilities should we be most worried about?

Influenced by technology companies’ effective marketing, business leaders spend an inordinate amount of time worrying about new-age threats and investing ever more in new security products that can help them stay ahead of tech-savvy hackers.

While it is true that organized criminals are increasingly devising new techniques, most attacks—including those at the largest corporations—are relatively unsophisticated. They succeed because organizations do not take key precautions such as encrypting critical data, implementing timely patches, monitoring access controls, segmenting the network, scheduling data backups and implementing strong password management practices.

How robust is our incident response?

Most companies do not have a comprehensive crisis-response strategy. For instance, an EY-led cyberattack simulation exercise with 79 leading CEOs revealed that many were unsure about how to handle ransom demands from cybercriminals. The most proactive companies conduct periodic “war-games” with the board and top management to ensure that their crisis-response plans are exhaustive and robust.

Are we investing prudently in the area of cybersecurity?

Three principles should guide funding decisions. First, companies must spend more to strengthen their weakest link: people. This includes strengthening the leadership by hiring a seasoned chief information security officer (CISO) and equipping the security team with the right tools and skill sets. Second, organizations must invest in improving intrusion-detection capabilities. This includes accessing threat intelligence and enhancing SOC effectiveness by analysing log alerts in conjunction with behavioural patterns and endpoint signals.

Third, organizations could consider investing in advanced security techniques such as threat-hunting and deception technologies, which bait hackers into attacking decoy servers, thereby enabling security professionals to analyse the motives of the threat-actors, all the while protecting real data assets.

Does our board governance support cyber resilience?

Do board members set aside time to review critical cybersecurity controls, emerging risks and breach-preparedness? Do they seek external inputs to validate management’s cybersecurity assertions? Does the organization’s CISO report directly to the CEO or COO to encourage independence? Are employees, customers and third-parties regularly educated and audited to ensure they are fulfilling their cybersecurity responsibilities?

How mature are our cybersecurity practices when compared to industry-leading standards?

Organizations often benchmark the maturity of their security practices against sector-agnostic standards such as NIST and ISO 27001, as well as sector-specific standards such as HITRUST for healthcare and PCI-DSS for online retailing. However, such compliance-driven approaches do not guarantee cyber resilience. Strengthening one’s security posture also requires the sharing of threat intelligence and anonymized attack data among peers—much like hackers who actively collaborate and share system vulnerabilities. Doing so enhances an organization’s ability to sense, resist and respond to attacks.

Cyber vulnerability is at an all-time high. The proliferation of internet-connected devices—many with poor security—along with the explosive growth of data, automation and outsourcing are creating exponentially higher risks. Boards that are informed, engaged and ask the right questions are perhaps the most critical line of defence in strengthening an organization’s security posture.

Ravi Venkatesan is the former chairman of Microsoft India. Nitin Bhatt is EY’s global risk transformation leader and heads the firm’s technology sector in India.
