It is hard to believe that the Internet, which has had a revolutionary impact on mankind, has been in widespread public use for only about 25 years (since the mid-1990s). In those 25 years, most of us have gone from having no internet presence to having a large part of our lives online. Whether personal or professional, individual or corporate, many entities now have a great deal of personal and private data available online.
There is absolutely no question that the internet has brought a lot of improvements to our day-to-day lives, like faster communication, in-home purchasing, online billing, and the list goes on. However, it has also opened another type of crime against individuals and corporations – cybercrime.
Over a decade ago, a further change made people's lives simpler: employees no longer had to be tethered to the company network to access corporate data. Company financials, key intellectual property (IP) and other proprietary information became reachable from outside the digital perimeter. Until then, employees needed to be physically connected to the corporate network (via LAN or WAN) to reach such data; now they could work from anywhere, at any time and on any device, which gave employees a high degree of flexibility. However, it also opened yet another avenue for cybercrime, because the company's crown jewels could now be attacked from outside the perimeter as well.
Cybercrimes against corporations are committed primarily for a few reasons. The one most people think of is theft of something of value, such as money or intellectual property. There are other motives, however: to damage the image of a company or its executives, or to take a company's assets down and make them unreachable by others (denial of service).
Here are some statistics from a CNBC article published in 2019 to illustrate the reach of cybercrime:
- 43% of cyberattacks are aimed at small businesses, but only 14% of small businesses are prepared to defend themselves.
- These incidents cost businesses of all sizes $200K on average, reveals insurance carrier Hiscox.
- More than half of all small businesses suffered a breach within the last year.
To protect personal data from cyber criminals, governmental bodies are creating regulations that put the onus of data protection on the corporations that hold the data. The EU created the General Data Protection Regulation (GDPR), Brazil created the Lei Geral de Proteção de Dados (LGPD), and California created the California Consumer Privacy Act (CCPA). Similar regulations have been created in Australia, Japan, South Korea, Thailand, and China. One thing is common to all of them: a data breach has a direct financial impact on the corporation, through regulatory fines on top of the cost of the breach itself.
It is important to understand the role of the board of directors of any corporation. Amongst other things, the board of directors is responsible for
- Representing the shareholders of the corporation to the executive team
- Providing oversight of the finances and financial choices of the corporation
- Protecting the external image of the corporation
Since cybercrime aims to damage the image and finances of the company, it attacks precisely the things the board of directors exists to protect. Cybersecurity should therefore be a major concern for company executives and board members. However, the board and executives cannot simply throw money at the problem. A corporation can spend a great deal on being best-in-class with the latest technology, and that strategy still cannot guarantee success: every piece of technology has flaws, and given enough time those flaws will be found and exploited. It is more valuable for the board and executives to maintain an ongoing dialogue with the information security team and to keep updating and reinforcing the company's protections against cybercrime.
Below is a suggested list of the top 10 things for the board of directors to review periodically with the CISO. I strongly suggest that the board bring in an outside party (such as PwC) to audit these 10 items, and bring in an ethical hacker (penetration tester) to measure their strength. There is no need to be the best in every area; it is more important to judge the risk reduction achieved against the investment made.
- Secure the company perimeter – Is the company's digital perimeter secure against unauthorized personnel accessing company information? For example, are firewalls in place, patched, and configured with current rule sets?
- Secure the access path – Are employees using secure access paths when they access the company network? For example, do they use secure Wi-Fi or VPN from public places?
- Secure the data at rest and in motion – Is data encrypted when it is stored on disks in data centers or in the cloud? For sensitive data, does the company use data encryption when moving it from one place to another?
- Secure the endpoints – Are the endpoints from which employees access data protected from rogue programs? Do the endpoints run up-to-date anti-malware software?
- Secure access to the endpoints – Are the endpoint devices protected well with strong passwords and device lockouts after X minutes of not being used? Many unauthorized accesses happen due to legitimate devices being accessed by unauthorized people.
- Teach employees safety – Employees need to be trained to protect themselves against scams that trick them into giving up their credentials. Phishing and spear phishing are still among the most common ways attackers gain access to protected data. Train employees and test them periodically (for example with simulated phishing campaigns) so that spotting phishing stays a habit.
- Identify insider threats – Another common source of loss is employees leaking information, either intentionally or through negligence. How do the company's executives prevent employees from having access to key data they do not need (least privilege)? For example, is critical information split so that it takes a team, not one person, to assemble all of its pieces? Data should be structured so that any individual piece is of no value without the rest.
- Identify the sender of information – Too many phishing emails appear to come from known people such as the company's CEO or a celebrity. How can the receiver check the authenticity of the sender before acting on an email? Does the company's mail system enforce sender authentication (SPF, DKIM and DMARC) and flag messages that fail it or that come from look-alike domains?
- Speed of identifying cyber-attacks – Even with all of this protection in place, there is still a chance that the organization will be compromised by cyber criminals. How quickly can a compromise be identified? Are front-line tech support agents trained to recognize the signs of a security breach? The average time for corporations to identify a data breach is still north of 10 days.
- Incident response to cyber-attacks – If a security incident does happen, how does the organization respond? It is important both to contain the breach and close the hole that was exploited, and to inform the customers or employees affected (which regulations such as GDPR require within a fixed deadline).
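The "no single piece is useful on its own" property described in the insider-threat item above can be implemented with threshold secret sharing. The following is an added example written for this page, not code from the original article: a minimal Shamir secret-sharing scheme over a prime field that splits a constructed 15-byte key into 5 shares, any 3 of which recover it, while any 2 reveal nothing about it. The key, the threshold and the share count are illustrative assumptions.

```python
import secrets

# All arithmetic is in GF(p) for the Mersenne prime 2^127 - 1. Secrets must be < p,
# so a raw key of up to 15 bytes fits directly; longer data would be wrapped with
# a key-encryption key and only that key would be shared.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... mod p (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, share_count):
    """Split an integer secret into share_count points (x, f(x)); any `threshold`
    of them reconstruct it, any fewer are statistically independent of it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, p)")
    if not 2 <= threshold <= share_count:
        raise ValueError("need 2 <= threshold <= share_count")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over GF(p). With fewer than `threshold`
    shares this still returns a value, but one that is uniformly random rather
    than a partial secret, which is exactly the property the checklist asks for."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # den^(p-2) is the modular inverse of den (Fermat).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def key_to_int(key):
    if len(key) > 15:
        raise ValueError("wrap longer keys with a KEK first")
    return int.from_bytes(key, "big")


def int_to_key(value, length):
    return value.to_bytes(length, "big")


if __name__ == "__main__":
    key = b"db-master-key-1"  # constructed 15-byte sample secret (assumption)
    shares = split_secret(key_to_int(key), threshold=3, share_count=5)
    # Hand shares[0..4] to five different custodians; any three of them can
    # recover the key, no one or two of them can.
    print(int_to_key(reconstruct(shares[:3]), len(key)))
```

In practice the shares would be held by different people or different vaults, and the reconstruction would happen inside an HSM or a dedicated ceremony, so that the reassembled key never sits on a single employee's workstation.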
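For the "identify the sender" item above, a mail gateway or a triage script can read the Authentication-Results header (RFC 8601) that the receiving mail server stamps on each message, check whether SPF or DKIM passed for a domain aligned with the visible From: address, and check whether that address is a look-alike of the company's own domain. The following added example (not code from the original article) does that over three constructed messages: a genuine one, a look-alike-domain spoof that passes DMARC for the attacker's own domain, and a direct spoof of the company's domain that fails. The domain example.com, the sender names and the header contents are all assumptions made for the example.

```python
import email
import re
from email.utils import parseaddr

# Assumption for this example: the organisation's own sending domain.
OUR_DOMAIN = "example.com"


def _auth_results(msg):
    """Collect Authentication-Results clauses into {method: (result, properties)}."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        hdr = " ".join(hdr.split())            # unfold continuation lines
        for clause in hdr.split(";")[1:]:      # clause [0] is the authserv-id
            m = re.match(r"\s*(\w+)=(\w+)(.*)", clause)
            if not m:
                continue
            method, result, rest = m.groups()
            props = dict(re.findall(r"(\S+?)=(\S+)", rest))
            results[method.lower()] = (result.lower(), props)
    return results


def _edit_distance(a, b):
    """Levenshtein distance; used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(raw):
    """Return a verdict dict for one RFC 5322 message given as bytes."""
    msg = email.message_from_bytes(raw)
    display, addr = parseaddr(" ".join(msg.get("From", "").split()))
    from_domain = addr.rpartition("@")[2].lower()
    ar = _auth_results(msg)
    spf_res, spf_props = ar.get("spf", ("none", {}))
    dkim_res, dkim_props = ar.get("dkim", ("none", {}))
    dmarc_res, _ = ar.get("dmarc", ("none", {}))

    # DMARC alignment: the identifier that passed SPF (envelope sender) or DKIM
    # (signing domain) must match the domain the reader sees in From:.
    spf_domain = spf_props.get("smtp.mailfrom", "").rpartition("@")[2].lower()
    dkim_domain = dkim_props.get("header.d", "").lower()
    aligned = (spf_res == "pass" and spf_domain == from_domain) or \
              (dkim_res == "pass" and dkim_domain == from_domain)

    findings = []
    if dmarc_res != "pass":
        findings.append("dmarc_not_pass")
    if not aligned:
        findings.append("unaligned_identifiers")
    if from_domain != OUR_DOMAIN and _edit_distance(from_domain, OUR_DOMAIN) <= 2:
        findings.append("lookalike_domain")
    if from_domain != OUR_DOMAIN and "@" + OUR_DOMAIN in display.lower():
        findings.append("display_name_spoof")   # our address smuggled into the display name
    return {"from_domain": from_domain, "findings": findings,
            "verdict": "trust" if not findings else "hold"}


# Constructed sample messages (not real traffic).
LEGIT = b"""From: "Jane Doe" <jane.doe@example.com>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=jane.doe@example.com;
 dkim=pass header.d=example.com header.s=s1;
 dmarc=pass header.from=example.com
Subject: Q3 numbers

Attached.
"""

LOOKALIKE = b"""From: "Jane Doe CEO jane.doe@example.com" <jane.doe@examp1e.com>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=bounce@examp1e.com;
 dkim=pass header.d=examp1e.com header.s=k1;
 dmarc=pass header.from=examp1e.com
Subject: Urgent wire transfer

Please handle today.
"""

DIRECT_SPOOF = b"""From: "Jane Doe" <jane.doe@example.com>
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=jane.doe@example.com;
 dkim=none;
 dmarc=fail header.from=example.com
Subject: Password reset

Click here.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("spoof", DIRECT_SPOOF)):
        print(name, assess_sender(raw))
```

The look-alike case is the one to show the board: DMARC passing only proves that the message really came from the domain shown, not that the domain is the one the reader assumes, so the display-name and edit-distance checks (or a registered-lookalike watchlist) are needed on top of SPF/DKIM/DMARC enforcement.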
The capabilities of the internet have unlocked new ways for cyber criminals to attack companies and their data. In addition, data privacy rules are cropping up globally, which add further concerns for a company's executives and board of directors. To ensure the company is doing everything in its power to protect itself and its shareholders, there are basic checks that need to be performed on a periodic basis. The board of directors is responsible for ensuring that these checks are carried out, so that it can demonstrate the corporation did everything in its power to defend against cyber-attacks.