As data breaches become a constant headline, data security should be a major concern for company boards everywhere. Unless a board member has been hired specifically to provide oversight for cybersecurity programs, many boards may find themselves unprepared to perform the necessary level of due diligence.
This lack of understanding and the inability by the board to challenge cybersecurity assumptions is one of the key reasons why Chief Information Security Officers perennially lack the resources and funding to prevent data breaches, like that at Equifax.
The good news is that boards can take the risk management concepts they already know well, and apply those to cybersecurity by properly framing the conversation using these six questions.
1. Which threats does our company face?
Company boards already understand the various lines of business for their organization but also need to understand which kinds of attackers target each line of business. Different industries and different company sizes must defend against different threats. For example, a small manufacturer of government satellite components should expect to be targeted by nation-states, while a nationwide property management company might focus on employees that mistakenly or maliciously expose information.
At a board level, this process is very similar to the analysis that they do for identifying threats to revenue. Discussing and determining whether a revenue forecast is threatened by quality issues, labor disputes, competitive pressures, and other factors is very similar to a discussion of which threats must be considered as part of an overall cybersecurity program.
2. What motivates the threats/attackers?
Understanding which threats and attackers your business must deal with is just a portion of the information that boards need to ask for.
Boards must also understand what motivates the different threats. For example, outside cyber-criminals have very different motivations than malicious insiders such as disgruntled employees. The former are motivated by financial gain and will target information they can readily monetize. Malicious insiders will target information that promises to do the most damage to the business when made public. Boards must understand why different threats exist so they can begin to understand what information needs to be better secured.
Again, the process to answer this question is very similar to the process that boards already use to understand the threats to product sales. For example, during or before an anticipated labor dispute the board will learn what the workforce wants and why. In fact, answering this question is very similar to negotiating in that the board must learn what the other party wants, why they want it, and how much energy they will expend to get the desired outcome.
3. What is the impact of a breach?
Data breaches and privacy compliance violations cause financial impact to businesses in the form of fines, class action lawsuits, damage to reputation, and loss of competitive advantage, to name a few. Unfortunately, there is a lot of real-world data about the costs of data breaches that can help boards arrive at a realistic number and an understanding of the wide-reaching ramifications. Company boards need to understand the impacts that result from a variety of data breaches, including accidental unauthorized access, partial data theft and data theft on the scale of the recent Equifax breach.
4. How likely is a data breach or compliance violation?
Measured over a long enough period of time, the likelihood of a data breach is 100%. While it is important to understand that fact, boards must use a more practical time period that aligns with the data the business needs to secure. For example, sensitive employee information is valuable for a much longer period of time than an upcoming earnings announcement.
Cybersecurity consultancies and research organizations produce publicly available and also bespoke analysis to help boards gain an impartial assessment of the probability that their organization will experience a data breach.
5. What is our level of risk?
The role of the board is to identify and manage risks. Cybersecurity risk is defined as the impact of a data breach multiplied by its likelihood. Boards must define the acceptable levels of data breach and privacy compliance risk for the business. If the risk is unacceptable, then the business must take action to reduce the risk to within tolerance. The board’s ability to assess risk directly depends on its ability to understand the threats, data, impacts and probabilities previously discussed.
Board members and other executives should participate in (at least) annual exercises that simulate post-data breach crisis management. It is important for them to get simulated experience with the disruption, expense, and stress of a data breach so they can better understand the importance of cybersecurity risk reduction.
6. How do we reduce risk?
To reduce risk, the business must reduce the impact and/or the likelihood of a data breach. For businesses being attacked by ‘Advanced’ Persistent Threats (and most breaches are the result of persistence as opposed to sophistication), it is extremely difficult to significantly reduce the likelihood of data theft. It is important for boards to understand that cybersecurity insurance does not reduce risk; it only offsets it. As such, cybersecurity insurance should be used to cover risks that cannot be reasonably addressed by a cybersecurity program.
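The risk definition from question 5 and the reduce-versus-offset distinction from question 6, worked through as a small risk register. This is an added illustration, not code from the article; the scenarios, dollar figures, probabilities and the tolerance are constructed sample values.

```python
"""Board-level risk register: risk = impact x likelihood per threat scenario,
compared against a board-set tolerance. Controls change impact or likelihood;
insurance only changes who bears the loss. All figures are constructed samples."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    impact: float       # expected loss if the breach occurs (USD)
    likelihood: float   # probability of occurrence over the chosen period (0..1)

    def risk(self) -> float:
        """The article's definition: impact multiplied by likelihood."""
        return self.impact * self.likelihood


def exceeds_tolerance(s: Scenario, tolerance: float) -> bool:
    return s.risk() > tolerance


def apply_control(s: Scenario, impact_factor: float = 1.0,
                  likelihood_factor: float = 1.0) -> Scenario:
    """A security control reduces risk by shrinking impact (e.g. encrypting data
    so what is stolen is useless) and/or likelihood (e.g. fewer exposed systems)."""
    return replace(s, impact=s.impact * impact_factor,
                   likelihood=s.likelihood * likelihood_factor)


def insurance_view(s: Scenario, coverage: float) -> dict:
    """Insurance offsets loss the business retains; the risk figure is unchanged."""
    retained_impact = max(s.impact - coverage, 0.0)
    return {"risk": s.risk(),
            "retained_expected_loss": retained_impact * s.likelihood}


# Constructed scenarios reflecting the threat types the article names.
SCENARIOS = [
    Scenario("external criminals: bulk customer record theft", 5_000_000, 0.30),
    Scenario("malicious insider: leak of confidential pricing data", 2_000_000, 0.10),
    Scenario("accidental exposure of employee PII", 500_000, 0.50),
]
TOLERANCE = 400_000  # hypothetical board-approved maximum per scenario


def review(scenarios, tolerance):
    """Return (name, risk, out_of_tolerance) for each scenario."""
    return [(s.name, s.risk(), exceeds_tolerance(s, tolerance)) for s in scenarios]
```

Encrypting the customer records (an impact reduction) brings the first scenario within tolerance, while insuring it leaves the risk figure exactly where it was.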
A data-centric approach
Businesses can reduce the impact of a breach by making it harder to steal useful information. Historically, security teams focused on making servers and networks more difficult to compromise. That approach continues to fail. More recently, cybersecurity efforts focused on detecting a compromise. These efforts have helped to some degree, but still do not make it more difficult for an attacker to steal data.
To make data more difficult to steal, businesses must encrypt it, protect that data from unauthorized access, and control how information travels. Of course, all of this must be informed by an understanding of where valuable information resides. You cannot secure what you don’t know you have or cannot find.