{"id":148,"date":"2018-10-03T08:30:16","date_gmt":"2018-10-03T12:30:16","guid":{"rendered":"https:\/\/pbacyber.com\/?p=148"},"modified":"2018-10-03T14:06:50","modified_gmt":"2018-10-03T18:06:50","slug":"five-questions-and-possible-good-answers-boards-of-directors-should-ask-about-cybersecurity","status":"publish","type":"post","link":"https:\/\/pbacyber.com\/index.php\/2018\/10\/03\/five-questions-and-possible-good-answers-boards-of-directors-should-ask-about-cybersecurity\/","title":{"rendered":"Five Questions (And Possible Good Answers) Boards of Directors Should Ask About Cybersecurity"},"content":{"rendered":"<p>By Joshua Mooney and Kate Woods, <a href=\"https:\/\/www.whiteandwilliams.com\" target=\"_blank\" rel=\"noopener\">White and Williams LLP<\/a><\/p>\n<p>&nbsp;<\/p>\n<p>Data privacy and security can feel overwhelming for a company\u2019s executive management. Unfortunately, that overwhelming feeling can prevent constructive dialogue and action toward improving a company\u2019s cybersecurity program. 
Recently, the U.K.\u2019s National Cyber Security Centre (NCSC) issued what it called a \u201c<a href=\"https:\/\/www.ncsc.gov.uk\/guidance\/board-toolkit-five-questions-your-boards-agenda\" target=\"_blank\" rel=\"noopener\">Board toolkit<\/a>\u201d \u2014 five questions a board of directors should ask and know the answers to regarding its company\u2019s cybersecurity.<\/p>\n<p>&nbsp;<\/p>\n<p>These questions are an easy and effective way to begin a cybersecurity discussion between IT and management, as well as between a board of directors and its executive management, to identify (1) the state of a company\u2019s cybersecurity program, and (2) what, if any, immediate program improvements or enhancements are needed. October is National Cybersecurity Awareness Month. Now is the perfect time to begin such a conversation.<\/p>\n<p>&nbsp;<\/p>\n<h3>1. How do we defend our organization against phishing attacks?<\/h3>\n<p>Phishing is a type of social engineering\u00a0attack intended to trick employees into clicking infected links or attachments, surrendering credential information, or engaging in other behavior that furthers a criminal\u2019s scheme. Business email compromise (BEC) attacks, sometimes called \u201cCEO Fraud,\u201d are a category of phishing attacks whereby a third party impersonates a trusted source to trick the recipient into wiring money to them. According to an FBI report, BEC claims are a $3 billion problem in the U.S. economy. 
They strike businesses of all sizes, and have resulted in losses from thousands to millions of dollars.<\/p>\n<p>&nbsp;<\/p>\n<p>The NCSC identified various technical safeguards a company can adopt to mitigate phishing attacks, such as filtering or blocking, and marking external emails with text identifying the message as coming from outside the company. Filtering and blocking make a successful attack less likely, and reduce the amount of time staff must spend checking and reporting emails. Using controls like Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) also is useful to mitigate email spoofing (a phishing email that mimics a company\u2019s domain name to make it appear as a trusted source). Companies can also minimize the impact of phishing emails through use of proxy servers to block access to known malicious sites, up-to-date browsers, and use of multi-factor authentication (MFA). Finally, the NCSC recommended that companies make it \u201csimple\u201d for employees to report suspicious emails to IT security and \u201cmake sure they get feedback.\u201d The NCSC warned against overemphasis and overreliance on training programs. Training cannot disarm every phishing attack. According to the NCSC, \u201c[r]ecurrent phishing simulations or tests have been shown to have limited long-term effects, so don\u2019t overburden your staff by running them too often.\u201d<\/p>\n<p>&nbsp;<\/p>\n<p>Boards of directors and a company\u2019s C-Suite should understand the company\u2019s risk mitigation strategies for phishing emails, including any automated controls in place and employee training programs, and should guard against message burnout or mere \u201ccheck the box\u201d compliance activities that do not materially advance the company\u2019s cybersecurity program.<\/p>\n<p>&nbsp;<\/p>\n<h3>2. 
How does our organization control the use of privileged IT accounts?<\/h3>\n<p>The NCSC warned that elevated system privileges should be carefully controlled and managed, and recommended adoption of a policy known as \u201cleast privilege,\u201d whereby a person is granted only those administrative privileges needed to perform his or her job. The NCSC further advised that because the impact of a compromised administrator (elevated) account is significantly higher than that of a standard user account, administrator account privileges should be limited and given only to those who need them to perform the relevant administrative tasks. The NCSC recommended that individuals who have elevated administrator accounts nevertheless should use a standard account for day-to-day functions, such as email and web browsing.<\/p>\n<p>&nbsp;<\/p>\n<p>Roles and operational workflows change. Employees separate from companies. Boards of directors and executive management should possess a general understanding of the company\u2019s risk mitigation strategy regarding system privileges and role-based access levels. They also should understand the protocols adopted by the company, including whether periodic monitoring or auditing protocols exist, to validate that ongoing controls support corporate compliance with system privilege protocols.<\/p>\n<h3>3. How do we ensure that our software and devices are up to date?<\/h3>\n<p>Patching is the process of applying the updates that suppliers and vendors regularly issue to hardware and software. According to the NCSC, companies should have an audited, risk-based patching strategy. Key IT staff should know what\u00a0vulnerabilities\u00a0are present within the company\u2019s information systems and have a formal process to manage those vulnerabilities. 
The NCSC stated that executive management should be as aware\u00a0of the major vulnerabilities in their company\u2019s information systems \u201cas they are of their financial status,\u201d and they should understand how those vulnerabilities could impact the core business.<\/p>\n<p>&nbsp;<\/p>\n<p>In addition to an audited, risk-based patching strategy, acceptable answers to this question include having an appropriate network architecture designed to mitigate and contain the impact of a compromised information system so that such compromise does not have a catastrophic effect on the company\u2019s whole system. NCSC warned that \u201c[f]lat networks with no segregation are dangerous,\u201d and advised that executive management \u201cshould be able to describe controls or monitoring that will manage the compromise of any device or service on your network.\u201d Use of third-party cloud services also may help. Some third-party service providers may provide computing services and security at a scale that a company cannot achieve itself (and at a lower cost).<\/p>\n<p>&nbsp;<\/p>\n<h3>4. How do we make sure our partners and suppliers protect the information we share with them?<\/h3>\n<p>Third-party vendor management is a critical component of data privacy and security. It does not matter how strong or effective a company\u2019s cybersecurity defenses are; if that company permits a third party to access its network with an infected computer, the malware is in. Ask Target. 
For this reason, many federal and state laws are imposing requirements on companies of critical infrastructure to perform due diligence on the cybersecurity hygiene and habits of their vendors.<\/p>\n<p>&nbsp;<\/p>\n<p>The NCSC advises that companies choose organizations \u201cthat have been certified under the government\u2019s Cyber Essentials Scheme, as this demonstrates they take the protection of their data seriously.\u201d Employing companies certified under the U.K.\u2019s Cyber Essentials Scheme is not a realistic option for companies operating in the U.S., but they still should conduct due diligence to determine their vendors\u2019 written cybersecurity programs. A vendor that has not taken affirmative steps to protect the confidentiality, integrity, and availability of its data and information systems is a vendor that could expose a company to significant risk. Cybersecurity requirements should be built into vendor agreements, and companies should check and audit their vendors\u2019 cybersecurity programs pursuant to those agreements.<\/p>\n<p>&nbsp;<\/p>\n<p>Companies also should consider employing controls that would minimize the impact of a compromised business partner or vendor, including limiting information that is exchanged to a necessary minimum, implementing user and system authentication and authorization before access is granted, and auditing sensitive actions or data exchange\/access. If a board of directors or C-Suite has not already done so, it should understand its company\u2019s third-party vendor oversight program, and how that program is managed. Management also should understand how incidents of non-compliance by vendors with their cybersecurity obligations are addressed.<\/p>\n<p>&nbsp;<\/p>\n<h3>5. What authentication methods are used to control access to systems and data?<\/h3>\n<p>Passwords are an easily implemented, low-cost security measure. However, passwords can be a weak method of authenticating users. 
The NCSC advised implementing complementary controls to safeguard access, such as restricting the number of login attempts and requiring two-factor authentication. Two-factor authentication can be very effective because even if a password is compromised, a hacker will be unable to access or reset your account. The NCSC also advised that personnel should be able to change forgotten passwords easily.<\/p>\n<p>&nbsp;<\/p>\n<p>A board of directors that understands that a company has undertaken baseline data security requirements is better positioned to engage in transparent and open dialogue with executive management regarding the company\u2019s cybersecurity program. It also allows executive management and the board of directors to use their time together more effectively by engaging in strategic conversation around cybersecurity programs in lieu of operational minutiae.<\/p>\n<p>&nbsp;<\/p>\n<p>The ability to understand its company\u2019s current cybersecurity program posture in conjunction with its anticipated cybersecurity program needs is, without exaggeration, a distinguishing characteristic of exemplary and informed boards of directors. At a minimum on an annual basis, a board of directors should ensure that it has an accurate and strategic view of a company\u2019s cybersecurity program, including the company\u2019s current technology platform, maintenance and innovation goals, and budget planning. 
Additionally, boards of directors without a member experienced in cybersecurity should seek to find such a candidate.<\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"display: inline !important; float: none; background-color: transparent; color: #000000; font-family: 'Open Sans',Arial,sans-serif; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px;\">___________________________<\/span><\/p>\n<p><a href=\"https:\/\/www.whiteandwilliams.com\/lawyers-JoshuaMooney.html\" target=\"_blank\" rel=\"noopener\"><em>Joshua Mooney<\/em><\/a><em> is a partner at White and Williams LLP in Philadelphia. He is co-chair of the firm\u2019s Cyber Law and Data Protection Group.<\/em><\/p>\n<p>&nbsp;<\/p>\n<p><em><a href=\"https:\/\/www.whiteandwilliams.com\/lawyers-CatherineWoods.html\" target=\"_blank\" rel=\"noopener\">Kate Woods<\/a> is counsel at White and Williams LLP in Philadelphia.<\/em> <em>She is a member of the Cyber Law and Data Protection Group and Healthcare Group.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Joshua Mooney and Kate Woods, White and Williams LLP &nbsp; Data privacy and security can feel overwhelming for a company\u2019s executive management. Unfortunately, that overwhelming feeling can prevent constructive dialogue and action toward improving a company\u2019s cybersecurity program. 
Recently, the U.K.\u2019s National Cyber Security Centre (NCSC) issued what it called a \u201cBoard toolkit\u201d \u2014 <br \/><a class=\"read-more-button\" href=\"https:\/\/pbacyber.com\/index.php\/2018\/10\/03\/five-questions-and-possible-good-answers-boards-of-directors-should-ask-about-cybersecurity\/\">Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[19,18],"tags":[],"_links":{"self":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/148"}],"collection":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/comments?post=148"}],"version-history":[{"count":7,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/148\/revisions"}],"predecessor-version":[{"id":156,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/148\/revisions\/156"}],"wp:attachment":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/media?parent=148"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/categories?post=148"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/tags?post=148"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}