Five Questions (And Possible Good Answers) Boards of Directors Should Ask About Cybersecurity
By Joshua Mooney and Kate Woods, White and Williams LLP
Data privacy and security can feel overwhelming for a company’s executive management. Unfortunately, that overwhelming feeling can prevent constructive dialogue and action toward improving a company’s cybersecurity program. Recently, the U.K.’s National Cyber Security Centre (NCSC) issued what it called a “Board toolkit” — five questions a board of directors should ask and know the answers to regarding its company’s cybersecurity.
These questions are an easy and effective way to begin a cybersecurity discussion between IT and management, as well as between a board of directors and its executive management, to identify (1) the state of a company’s cybersecurity program, and (2) what, if any, immediate program improvement or enhancements are needed. October is National Cybersecurity Awareness Month. Now is the perfect time to begin such a conversation.
1. How do we defend our organization against phishing attacks?
Phishing is a type of social engineering attack intended to trick employees into clicking infected links or attachments, surrendering credential information, or engaging in other behavior that furthers a criminal’s scheme. Business email compromise (BEC) attacks, sometimes called “CEO Fraud,” are a category of phishing attacks whereby a third party impersonates a trusted source to trick the recipient into wiring money to them. According to an FBI report, BEC claims are a $3 billion problem in the U.S. economy. They strike businesses of all sizes, and have resulted in losses from thousands to millions of dollars.
The NCSC identified various technical safeguards a company can adopt to mitigate phishing attacks, such as filtering or blocking, and marking external emails with text identifying the message as coming from outside the company. Filtering and blocking make a successful attack less likely, and reduce the amount of time staff must spend checking and reporting emails. Controls like Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) also are useful to mitigate email spoofing (a phishing email that mimics a company’s domain name to make it appear as a trusted source). Companies can also minimize the impact of phishing emails through use of proxy servers to block access to known malicious sites, up-to-date browsers, and use of multi-factor authentication (MFA). Finally, the NCSC recommended that companies make it “simple” for employees to report suspicious emails to IT security and “make sure they get feedback.” The NCSC warned against overemphasis and overreliance on training programs. Training cannot disarm every phishing attack. According to the NCSC, “[r]ecurrent phishing simulations or tests have been shown to have limited long-term effects, so don’t overburden your staff by running them too often.”
Boards of directors and a company’s C-Suite should understand the company’s risk mitigation strategies related to phishing emails, including any automated controls in place and employee training programs, to guard against message burnout or mere “check the box” compliance activities that do not materially advance a company’s cybersecurity program.
2. How does our organization control the use of privileged IT accounts?
The NCSC warned that elevated system privileges should be carefully controlled and managed, and recommended adoption of a policy known as “least privilege,” whereby a person is granted only those administrative privileges needed to perform his or her job. The NCSC further advised that because the impact of a compromised administrator (elevated) account is significantly higher than that of a standard user account, administrator account privileges should be limited and given only to those who need them to perform the relevant administrative tasks. The NCSC recommended that individuals who have elevated administrator accounts nevertheless should use a standard account for day-to-day functions, such as email and web browsing.
Roles and operational workflows change. Employees separate from companies. Boards of directors and executive management should possess a general understanding of the company’s risk mitigation strategy regarding system privileges and role-based access levels. They also should understand protocols adopted by the company, including whether periodic monitoring or auditing protocols exist, to validate ongoing controls to support corporate compliance with system privileges protocols.
3. How do we ensure that our software and devices are up to date?
Patching is the process of applying the updates that suppliers and vendors regularly issue to hardware and software. According to the NCSC, companies should have an audited, risk-based patching strategy. Key IT staff know what vulnerabilities are present within the company’s information systems and have a formal process to manage those vulnerabilities. The NCSC stated that executive management should be as aware of the major vulnerabilities in their company’s information systems “as they are of their financial status,” and they should understand how those vulnerabilities could impact the core business.
In addition to an audited, risk-based patching strategy, acceptable answers to this question include having an appropriate network architecture designed to mitigate and contain the impact of a compromised information system so that such compromise does not have a catastrophic effect on the company’s whole system. The NCSC warned that “[f]lat networks with no segregation are dangerous,” and advised that executive management “should be able to describe controls or monitoring that will manage the compromise of any device or service on your network.” Use of third-party cloud services also may help. Some third-party service providers may provide computing services and security at a scale that a company cannot achieve itself (and at a lower cost).
4. How do we make sure our partners and suppliers protect the information we share with them?
Third-party vendor management is a critical component of data privacy and security. It does not matter how strong or effective a company’s cybersecurity defenses are; if that company permits a third party to access its network with an infected computer, the malware is in. Ask Target. For this reason, many federal and state laws are imposing requirements on companies of critical infrastructure to perform due diligence on the cybersecurity hygiene and habits of their vendors.
The NCSC advises that companies choose organizations “that have been certified under the government’s Cyber Essentials Scheme, as this demonstrates they take the protection of their data seriously.” Employing companies certified under the U.K.’s Cyber Essentials Scheme is not a realistic option for companies operating in the U.S., but they still should conduct due diligence to determine their vendors’ written cybersecurity programs. A vendor that has not taken affirmative steps to protect the confidentiality, integrity, and availability of its data and information systems is a vendor that could expose a company to significant risk. Cybersecurity requirements should be built into vendor agreements, and companies should check and audit their vendors’ cybersecurity programs pursuant to those agreements.
Companies also should consider employing controls that would minimize the impact of a compromised business partner or vendor, including limiting information that is exchanged to a necessary minimum, implementing user and system authentication and authorization before access is granted, and auditing sensitive actions or data exchange/access. If a board of directors or C-Suite has not already done so, it should understand its company’s third-party vendor oversight program, and how that program is managed. Management also should understand how incidents of non-compliance by vendors with their cybersecurity obligations are addressed.
5. What authentication methods are used to control access to systems and data?
Passwords are an easily implemented, low-cost security measure. However, passwords can be a weak method of authenticating users. The NCSC advised implementing complementary controls to safeguard access, such as restricting the number of login attempts and two-factor authentication. Two-factor authentication can be very effective because even if a password is compromised, a hacker will be unable to access or reset your account. The NCSC also advised that personnel should be able to change forgotten passwords easily.
A board of directors that understands that a company has undertaken baseline data security requirements is better positioned to engage in transparent and open dialogue with executive management regarding the company’s cybersecurity program. It also allows executive management and the board of directors to use their time together more effectively by engaging in strategic conversation around cybersecurity programs in lieu of operational minutiae.
The ability to understand its company’s current cybersecurity program posture in conjunction with its anticipated cybersecurity program needs is, without exaggeration, a distinguishing characteristic of exemplary and informed boards of directors. At a minimum on an annual basis, a board of directors should ensure that it has an accurate and strategic view of a company’s cybersecurity program, including the company’s current technology platform, maintenance and innovation goals, and budget planning. Additionally, boards of directors without a member experienced in cybersecurity should seek to find such a candidate.
___________________________
Joshua Mooney is a partner at White and Williams LLP in Philadelphia. He is co-chair of the firm’s Cyber Law and Data Protection Group.
Kate Woods is counsel at White and Williams LLP in Philadelphia. She is a member of the Cyber Law and Data Protection Group and Healthcare Group.