It’s 10:00 am Monday morning and management is in the hot seat. The stock has lost 15 points since the opening bell and is going in a downward spiral. The company is being maligned on the news and trolled on social media. Shareholders are demanding to know how the company allowed a breach to happen over the long weekend, exposing 100 million pieces of personally identifiable information. An emergency meeting with all available board members is called for 1:00 pm to discuss the state of affairs and the question, “What do we do now?”
Scrambling to be ready to present, management and IT hastily put together a presentation of what happened. As soon as the presentation starts, the unthinkable occurs: ransomware takes control. Its demands are simple: $50 million in Bitcoin within one hour, or at 2:00 pm the hacker group dumps corporate R&D and emails from the last year into the public domain. There is no way for the company to recover once this information goes public.
How was all of this allowed to happen?
In times of desperation – and yes, we should consider ourselves in those times right now – friends help friends out with honest and straight talk, not with fluff, pats on the back, or empty comments of consolation. You need to address the illness, however blunt that may be.
If you ever find yourself in the nightmare scenario listed above, it is for one of the following reasons:
- You did not spend enough time discussing all matters cybersecurity.
- You did not ask the right questions – as a director – on all matters cybersecurity.
- You honestly and legitimately did not know how these cybersecurity matters could impact your company.
- You had an IT department and/or CISO/CIO/CSO tell you everything was “A-OK” and you – naively or not – believed them.
It is a harsh truth to hear, but better to hear it from us than from plaintiffs or regulators. All we can do is make you look down at your shoes and feel bad. Courts (and the markets) make you feel pain.
If the WannaCry attack did not get your attention, it should have. But you may be asking: “What could I, as a board member, have done to stop these ransomware attacks? Isn’t that a job for my IT department?”
Yes, it is a job for the IT department, but it is also a job for you – as a board member – to make sure the organization is run in a reasonable and “heads up” manner. Remember, if everything tears apart at the seams, you will be asked: “Dear Director, what did you do to prevent this?”
If your response is a blank stare or a Homer Simpson-like “I dunno,” then sunshine, you’re going to have a problem on your hands the likes of which you may have never seen before.
By contrast, if your response is, “Well, Senator, we performed a vulnerability assessment in the following areas, found these deficiencies, and took these corrective actions,” you may find yourself in a much better place.
So, what questions should you ask of your organization?
Vulnerability Assessments May Not Be Perfect, But They Sure Do Help
The first problem you may be faced with is, “Where do I start?” Our advice: start with the obvious and ask your team, “When is the last time you performed a vulnerability assessment?” If your team responds with anything more than 90 days, you have a problem.
Because cybersecurity challenges change like moon phases, if you let two or three phases go by before updating your vulnerability assessment, you may be seen as waiting too long. That is why we suggest you make vulnerability assessments a priority and habit – like a regularly scheduled oil change for your car.
The next problem you may be faced with is, “What should my vulnerability assessment look at?” Now it gets a bit trickier. We normally see one of two things: doing just enough (compliance) or going way overboard (planning for an EMP attack when you really don’t need to). Neither of these may be right for you and your organization.
Here are a few tips to help you decide:
- Do not be fooled by compliance; it is just a buzzword. Just because you comply does not necessarily mean you did enough or you did what is right for you. This is why we prefer frameworks over standards. Do not fall into the trap of thinking a bunch of checked boxes makes you safe.
- Systems are vulnerable; so are the people who click on the link or attachment because they are curious to see what is behind “door number one.” How many times per year do you conduct spear-phishing training? How about social media awareness? Once? Twice? Ever? Or is your training on an automated and continuous cycle? People matter.
- If your staff is conducting the assessment from a purely technical perspective (such as network scanning, infrastructure build, system connectivity, and so on), this is not enough. You need to conduct an assessment that addresses all of your operations, both inside and out. If you are not looking at your supply chain or trusted third-party affiliates, you are likely not doing enough.
- If, after review, you find that your existing controls in place have holes or gaps, how are you controlling for them? With just a firewall or something that will give you more visibility, like a machine learning solution?
Yes, this can easily become an exhaustive piece of work, but you do not go from your bed to the final race in one day. Instead, you create a system where you maintain your organization over time. Sure, we would all love to wake up one morning in near-perfect health and fitness, but life does not work that way.
To get to that stage – and maintain it (this is key) – you need to work towards that level. Conducting a vulnerability assessment is a goal. Cyber health and hygiene is a system of skills, built up over time, tweaked and tuned, that makes your organization more resilient.
Onwards, and we hate to be so blunt about the next point, but we have to: your job isn’t done by completing a vulnerability assessment. You actually have to do something about the vulnerabilities you have found.
Go back to being questioned by the Senator and imagine your response is, “Well, Senator, we performed a vulnerability assessment in the following areas and found these deficiencies.” The follow-up question will be, “Dear Director, what did you do about those deficiencies?”
You are going to have a miserable day if your response is, “Well, Senator, we have yet to follow up on these deficiencies because (fill in the blank).”
Here is our last tip for this article: go for the low-hanging fruit before you try to implement some technical master plan that is more complicated than world domination scheming. If you are not training your employees regularly, start. If you are not using encryption, start. If you are not patching on a regular basis, start. If your supply chain is a weak link, strengthen it or consider replacing that part of your supply chain with another party. If your vendor is not delivering as promised, reconsider your relationship with them.
Our approach seems very rudimentary but it is so because we see basic problems that seem to linger too long in the ecosystem without prompt discussions or fixes. So, if you are a director, ask the basics like, “How’s our blocking and tackling? Are we up to par?”
Ask these questions because one day they may be asked of you.
About the Authors:
Paul Ferrillo is counsel in Weil’s Litigation Department, where he focuses on complex securities and business litigation, and internal investigations. He also is part of Weil’s Cybersecurity, Data Privacy & Information Management practice, where he focuses primarily on cybersecurity corporate governance issues, and assists clients with governance, disclosure, and regulatory matters relating to their cybersecurity postures and the regulatory requirements which govern them.
George Platsis has worked in the United States, Canada, Asia, and Europe, as a consultant and an educator and is a current member of the SDI Cyber Team (www.sdicyber.com). For over 15 years, he has worked with the private, public, and non-profit sectors to address their strategic, operational, and training needs, in the fields of: business development, risk/crisis management, and cultural relations. His current professional efforts focus on human factor vulnerabilities related to cybersecurity, information security, and data security by separating the network and information risk areas.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.