You know that cybersecurity risks exist for your company; so does your board. They know cybersecurity is a business issue, and they also know they need to be concerned about what it means to their business. But more often than not, the board doesn’t have a concrete understanding of how they can actually help. In a recent paper, Top 5 Tips for Communicating Information Security to the Board, David Meltzer suggests tethering a breach to an example the board may be familiar with and then attaching it to an important security control. This approach can build understanding for your board, as well as increase your own credibility on your security strategies. What follows are three examples you can use as a jump-off point to try this tactic with your own board of directors.
Network Segmentation and Identity and Access Controls
Inside scoop: A third-party vendor’s security credentials were stolen and used as a pivot point into the network of a major global retailer. Attackers were able to leverage the initial breach and gain access to the retailer’s point-of-sale ecosystem. In this case the third party vendor only needed access to a very limited section of the network; they did not need access to business critical POS systems. Why it’s important: Ensuring everyone can do everything they need to do to work is critical to running a business. Ensuring they have everything they need, but no more is critical to effective security operations. What your board should consider: Understanding that the principle of least privilege allows a business to run productively and securely. This security control is a security fundamental every business should implement.
Security Awareness Training
Inside scoop: A phishing scam that targets the users of a well-known and respected consumer device business with a global footprint that sells more hundreds of millions of devices every year. The phishing scam can be used to deliver a payload for cybercriminals. Verizon’s 2015 Data Breach Investigations Report (DBIR) indicates that 23 percent of users open phishing emails and 11 percent click on links – meaning with 10 phishing emails inside an organization there is a 90% chance that at least one employee will click on a malicious link. Why it’s important: As phishing scams grow more elaborate and ubiquitous employee security training is critical. Security skills training helps users understand how to put security goals into practice. What your board should consider: Policy, procedure and training are key parts of defense-in-depth strategies for a company. Making sure that the business has documented security policies and procedures in place is instrumental in guiding employee behavior. Furthermore, training to ensure employees can follow these practices helps to reduce an organization’s security risks.
Detecting Malicious change
Inside scoop: A major social media vendor had to defend themselves against public breach accusations; what initially appeared to be a breach was actually an internal error based on a technical change introduced into their systems. With hundreds of malware attacks per day, many businesses can be victim to distributed denial of service (DDOS) attacks, where an attempt is made to make a resource unavailable to its intended user(s). Why it’s important: The principle of protect, detect, respond applies here. Being able to protect your perimeter where possible is an important first step. Next, being able to detect a change in your systems is critical to an appropriate response plan. A baseline configuration of your systems, also known as a “golden image,” will help your business separate “business-as-usual” changes from those that may be malicious. What your board should consider: Leveraging business unit leaders to identify critical data and assets is a critical first step. Once this is done, collaboration with the security and IT teams can define a secure configuration of those assets to ensure the business can identify and respond to security incidents and get back to their actual business as quickly as possible. Tying high profile breaches to concrete examples of common security risks provides excellent object lessons for your board. This approach can help them understand how they can help improve your business’ security posture. This tactic is a great way to foster discussions about their support of your organizations’ security posture and help identify appropriate security controls for your organization’s size, industry, and risk appetite. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. Title image courtesy of ShutterStock