I am often asked this question: “Are hackers just not targeting systems and IT users with specific privileges?”
It’s important to understand that these people are not only powerful within their own business but also potentially within a wider industry. Their knowledge of trade secrets, interaction between various lines of business, human resources and key staff, internal policies, security setups, and strategies make them good targets because that knowledge can be exploited by malicious users—internal users as well as external hackers.
In addition, the blur between digital life and real life makes it impossible for key people to fully protect their knowledge unless they are extremely disciplined. People with intimate knowledge of business processes and policies need to be fully trained as to what they can and cannot do on social media and public forums. Their digital footprint is potentially bigger and riskier than that of other team members.
While the right balance needs to be struck between a CEO’s public disclosures regarding travel and people met for PR and marketing purposes, the CEO also needs to take into account the potential for increasing their own and the company’s risk exposure in providing unnecessary ammunition to malicious users and hackers.
Also, the concept of Bring Your Own Device, aka BYOD, must be taken into consideration. Very senior people expect flexibility regarding the devices they use. In fact, board members are often not issued company-owned devices because they are not full-time employees. Yet, in the course of their duties for the company, they will get access to data systems and trade secrets governed by company policies, as well as procedures relating to data security and information governance. In practice, some board members prefer to use their own email address, perhaps even a generic email from a mainstream provider like Gmail. It then becomes very difficult for the security and compliance teams to police data usage, transfer, and storage, to implement security policies and procedures, and also to provide assistance should a security issue occur.
A perfect example of this situation is a board of a large organization made up of executive and nonexecutive members; some use company email, and some use private emails. Board minutes, including details of strategic decisions, need to be circulated. The company must adapt to this challenging work environment from a compliance perspective. Highly confidential strategic decision data must be fully monitored across all of these channels, which greatly increases the risk surface and the difficulty of reacting should a security incident, data breach, or data leak occur.
While I am concentrating on the private sector, most, if not all, of my comments also apply to state and semi-state organizations. Indeed, there have been many examples of government officials not complying with basic security measures, including, but not limited to, sending confidential government data to private email servers without authorization or without the right levels of additional security put in place to facilitate the process.
Cyber-accountability in the boardroom: five stages of grief
Have you ever heard of the five stages of grief? They are as follows: stage one, denial; stage two, anger; stage three, bargaining; stage four, depression; stage five, acceptance. This way of looking at how people deal with difficult situations is not new. It can apply to many business and personal challenges.
As key executives and board members often refuse to accept any type of responsibility or accountability for anything to do with cybersecurity, data security, information governance, or system security within the firm, they often, eventually, go through these stages. Let’s put the five stages of grief in place for cybersecurity.
Stage One: Denial
Board members and key senior executives are in complete denial regarding their responsibility toward ensuring that the organization protects its data, trade secrets, employee data, data pertaining to third parties, and any other type of confidential data. Mostly they are not even aware of the type of data the organization is either entrusted with or is creating, making it easier to deny the very existence of any legal, contractual, or industry requirements to put a cybersecurity program in place.
Stage Two: Anger
The board and the organization’s key executives have woken up to the fact that they are responsible for designing, implementing, and maintaining a strong cybersecurity program to protect data and systems. However, they are not happy. The CFO is trying to understand the potential cost of such a program and where the budget will come from, and she is extremely frustrated because the CIO responsible for systems cannot easily quantify the amount of work required to purchase additional solutions or systems in order to comply. The chief security officer, on the other hand, is reasonably happy that cybersecurity has finally made it to the board meeting; however, he or she is facing intense questioning and scrutiny. After all, it was the chief security officer’s job to build, implement, and maintain a strong cybersecurity program, wasn’t it? The chief risk officer is angry: most risks applying to the organization have already been mapped many times; cyber was always one of them. The board now needs to be educated on cyber risk, exposure, impact, and, of course, countermeasures.
The head of HR now faces an additional task, which is to implement a security awareness program for all staff across all business units within the organization. This will take time, and it’s going to add a burden on all team members. Generally speaking, all key executives and board members realize that this is going to cost time and money and huge efforts from many business units, and their anger is made even worse by the fact that they don’t fully grasp the extent of what needs to be done and how to do it. This is typically when a third-party firm is brought in to perform a gap analysis and write a report on the current security posture at the firm, identifying key risks and key exposures and providing a high-level remediation road map.
Stage Three: Bargaining
By now the board and all key executives are well aware of what needs to be done for compliance and to address immediate vulnerabilities. But they are fighting internally as to who is going to do what to get to a security posture deemed acceptable not only internally but also by regulators and enforcement bodies. So naturally they do what every firm tends to do: they start prioritizing projects within the remediation plan. They then begin to bargain internally and sometimes with regulators and enforcement bodies. For instance, they will agree to upgrade their first line of defense, including firewalls, antivirus, and antispyware, but the idea of implementing a needed second line of defense will have to wait, so there’s no intrusion detection system, no tokenization, no data discovery. All of this will have to wait; the focus is on the first line of defense, and that should appease the regulator.
Stage Four: Depression
By now cybersecurity is item number two on the agenda, after finances. Everyone knows the remediation plan nearly by heart. Some prioritization has been done, some projects have been started, some quick wins have happened, but in the meantime, the regulators and enforcement bodies are still not happy that actual corrective action has not been taken. In all fairness, the board and the key executives feel the pressure. A cybersecurity program is not easy to put in place; in fact, they wonder if it can actually be done. Is there really any point in continuing with the program? Is it really going to cost as much as the CFO is indicating? Are they really out of compliance, as the chief security officer now demonstrates at every meeting? Has the risk surface of the firm really increased that much in the last while? Why is there no silver bullet? The atmosphere is really gloomy in the boardroom.
Stage Five: Acceptance
The board and the key executives come to the inevitable conclusion that the program must go on. Yes, it is going to cost a lot of money, but if it’s done properly, it can be done quite cost-effectively. The chief security officer is now able to demonstrate compliance with some key regulations and standards that apply to the organization, and there’s more to follow. It’s a work in progress. It’s traceable. It’s visible. The chief risk officer is now able to show that thanks to the remediation plan, the risk surface of the organization has actually decreased. Key risks have been mitigated, and where risks have to be taken, it is done in a calculated manner, taking security and compliance into account. From HR’s perspective it has actually been a win-win, because all employees across the organization are now much more security aware, able and willing to report suspicious activity as well as security incidents, therefore addressing key security mandates and improving the overall security levels within the organization.
And one fine day during the board meeting where cybersecurity is still number two on the agenda, the firm is able to give itself a good mark for cybersecurity, including full accountability and responsibility from the board.
This story is extremely common. I have seen many organizations of all sizes refuse to accept their role regarding security and compliance. That was always somebody else’s department. That is fine until there is a security incident, a major data breach, a request from a data subject who wants to see the data you hold on them, a hacker who manages to steal confidential data, or a ransomware attack. Until faced with an incident, and unless fully educated in their roles regarding cybersecurity and compliance, most board members and CXOs will happily pay lip service to cybersecurity and turn a blind eye to their responsibility and accountability.
This is an extract from The Cyber-Elephant in the Boardroom, published by Forbes Books. Mathieu Gorge is a global data security, information governance and compliance expert.