Cyber threats: how the board can prepare & mitigate risk

In January 2016, Michael Vatis, director of the FBI’s National Infrastructure Protection Center, said: “Companies should be thinking about the legal and managerial decisions that the CEO, the COO and the board will need to make in the event of a cyber-incident.”

Every board member, no matter where they operate in the world, should be aware of the catastrophic impact a cyber-attack could have to their company.

The Business Continuity Institute’s Cyber Resilience Report 2016 states that “…cyber-attacks offer the most significant business risk to organisations”. The report highlights the top-five causes of digital disruptions as being social engineering, malware, spear-phishing attacks, denial of service and out-of-date software.

Symantec, the security software manufacturer, provides some stark statistics in its April 2016 Internet Security Threat Report. It states that zero-day vulnerabilities, such as holes in software that are unknown to the vendor, have increased by 125%; more than half a billion personal records were either stolen or lost in 2015; spear-phishing campaigns rose by 55%; major security issues were discovered in three-quarters of popular websites studied; and ransomware attacks increased by 35%.

Add to this the predictions for the future regarding the increase in attacks on mobile phones from corrupt apps, hacked keyless entry systems in vehicles, vulnerabilities in work products with embedded devices such as webcams and internet phones, and weaknesses in industrial control systems.

Digital strategy

So, armed with the knowledge that digital technology—our saviour—could actually be our downfall, what can you as a board member do about it?

A good place to start is ensuring that the company has an up-to-date cyber-security policy. Many organisations still believe that responsibility for cyber-security sits firmly with the IT department. Board members need to realise that to be effective, the policy aim and objectives must reach into every department, employee and supplier.

Therefore, the policy must bring about a cyber-security cultural change where everyone feels that they are crucial in protecting the organisation and, in turn, their livelihoods. The policy must also provide direction on budgeting, awareness programmes, horizon-scanning for new cyber threats and, naturally, technical solutions.

Board members need to be aware that due diligence must be carried out on the supply chain, to ensure that third-party contractors have equal or greater cyber-security measures in place.

Next should be an effective cyber-incident response plan, which should address the following:

What is our definition of a cyber-incident?
What must the organisation protect?
How will we address technical and end-point protection?
What will the composition and responsibilities of the incident team members be?
Who has the ultimate responsibility for a cyber-incident?
What will our incident management framework look like (detection, containment, mitigation, recovery, closure and follow-up)?
Who are interested parties, and how will we communicate with them during and after an incident?
When should we inform regulators and/or the police?

Outsourcing of non-mission-critical services such as IT, payroll, accounting and financial services, which typically involve the transfer of sensitive data, is now standard company practice. But while the burden of the task can be handed over to the third party, the responsibility and accountability for a cyber-security incident cannot.

Board members need to be aware that due diligence must be carried out on the supply chain, to ensure that third-party contractors have equal or greater cyber-security measures in place. These actions should not just involve software solutions but how the suppliers would deal with an incident, how they would initially notify you, keep you updated and also how they would continue to provide you with the outsourced service during the incident.

Expert incident advice

Obtaining expert incident advice is another area often overlooked by organisations. There are three primary areas the organisation should focus on procuring prior to the incident taking place. First, legal advisors can provide counsel on issues such as data protection legislation, and for potential civil litigation for failing to take reasonable security precautions when storing customer information.

Second, digital forensics/data-breach-response expertise is vital during and after a cyber-incident. Very few companies have the luxury of employing personnel with the technological expertise to understand and remediate today’s cyber-attacks. Engaging an independent investigator ensures integrity of response and creates a defensible record if challenged later by interested parties.

I cannot stress enough the importance of securing prompt crisis communications assistance via an experienced PR firm.

And finally, I cannot stress enough the importance of securing prompt crisis communications assistance via an experienced PR firm. They will provide communication strategies to mitigate damage to brand, reputation, interested party confidence and share price.

Employees are an organisation’s biggest asset and also the greatest risk for cyber-resilience. Good education from strategic to operational-level personnel, including temporary workers and suppliers, is key to ensuring the company does not suffer the “insider threat”, whether through incompetence, malice or criminality. Basic common-sense awareness training that instils good security habits is really all that is needed.

Cyber-security specialist Kaspersky Lab provides guidance for staff and suggests regular updates on current cyber threats, the importance of every staff member’s role in cyber-defence, the dangers of social media, what an attack might look like and how to raise the alarm.

Cyber-insurance

Cyber-insurance can assist in easing the financial pain of an attack. Items that can be covered by insurance include recovery costs in case of data loss, potential loss of turnover, additional costs associated with the detection and resolution of incidents, and incident communication costs. It is worth remembering that there are two critical areas that cannot be insured against: loss of customers and reputation, so prevention is always better than cure.

A cyber-incident may never happen to your company but the first time you experience one should be a practice-run. Preparing your incident teams for an attack via “exercising” is a realistic, low-risk and cost-effective way of ensuring your organisation knows what to do when it is your turn to be attacked. Exercising can be at any or all levels of response.

The FBI’s Michael Vatis believes that “…in the very near future, cyber-security exercises are going to be absolutely expected of all companies by regulators”.

For example, the C-suite focusing on crisis decision-making and communications; tactical-level work on implementing the incident management framework of detection, containment, mitigation and recovery; and operational personnel providing hands-on technical solutions.

The FBI’s Michael Vatis believes that “…in the very near future, cyber-security exercises are going to be absolutely expected of all companies by regulators”.

Top management cannot bury their heads in the sand and consider cyber-security to be someone else’s problem. As Ginni Rommety, CEO of IBM New York, states: “Cybercrime is the greatest threat to every company in the world.” Incidents are inevitable, but boards can mitigate risk and damages by staying informed and ensuring that, in the event of an incident, their organisation is prepared to respond.

Cyber threats: a glossary

Social engineering
This is the art of manipulating people to reveal confidential information, which will then allow someone else to access information systems such as passwords or access to a computer. This may include “phishing” attempts, or sending thousands of fake emails purporting to come from an authoritative organisation and inviting people to click suspect links or reveal private information.

Spear Phishing
Much like phishing, but rather taking a shotgun approach. The suspect emails are highly targeted and focus on a few individuals, depending on the goal of the attack. Selection of targeted individuals will usually be preceded by research through social media channels such as LinkedIn, Twitter and Facebook. Small companies may be targeted as gateways to gain information that will enable attacks on much larger corporates.

Malware
An abbreviation of “malicious software”, the aim of these attacks is to plant a piece of software that will enable attackers to either damage or access computer systems secretly. The designation “malware” is therefore based on the intent behind the use of software rather than the type of software itself. The best advice here is to be very careful about which email attachments you open.

Denial of service
The objective here is to make a machine, network or internet service dysfunctional for its users. The is done by flooding or overloading the network or site with numbers of digital requests. A distributed denial-of-service attack sees criminals secretly co-opt multiple systems or machines to target a victim. One recent example was an attack on bookmaker William Hill, while another headline event saw internet service provider Dyn attacked from multiple servers, affecting millions of servers and affecting scores of high-profile brand names.

James McAlister is the director of Crisis Prepared, an organisational resilience consultancy and vice chair of the Business Continuity Institute. He is a former police officer with over 30 years’ experience in business continuity, civil protection, crisis and major incident management.