{"id":1274,"date":"2017-10-18T18:59:03","date_gmt":"2017-10-18T18:59:03","guid":{"rendered":"http:\/\/54.201.249.27\/?p=1274"},"modified":"2017-10-18T18:59:03","modified_gmt":"2017-10-18T18:59:03","slug":"cybersecurity-overcome-ever-changing-challenges","status":"publish","type":"post","link":"https:\/\/blackopspartners.com\/cybersecurity-overcome-ever-changing-challenges\/","title":{"rendered":"Cybersecurity: How to Overcome the Ever-Changing Challenges"},"content":{"rendered":"
CHIEF EXECUTIVE MAGAZINE<\/h5>\n


Cybersecurity: How to Overcome the Ever-Changing Challenges.<\/h2>\n


When the WannaCry ransomware attack was launched in May, it shocked businesspeople around the world. But security experts will tell you that it was just part of a larger, ongoing trend in which cyberattacks are constantly evolving\u2014and becoming more sophisticated.<\/p>\n

Dealing with cybersecurity challenges is an unending battle. But CEOs can take steps to help ensure that their organizations are ready\u2014and a good starting point is a comprehensive view of the issue. Cybersecurity needs to encompass people, processes and technologies, says T. Casey Fleming, CEO of the BLACKOPS Partners security firm in Washington, D.C., and it needs to receive top management\u2019s attention. \u201cThis needs to be led and driven by the CEO and board,\u201d he says.<\/p>\n

\u201cWhen in a matter of hours a company can suffer a massive reputation or brand hit, or financial or stock price hit, then it\u2019s clearly a business problem.\u201d<\/p>\n

The Ever-Changing Threat<\/strong>
\nKeeping business information secure is not getting any easier. The proliferation of mobile technology and connected Internet of Things devices creates an array of entry points to corporate systems. It also means that a great deal of corporate technology is outside the direct control of the IT department\u2014including\u00a0a lot of data and applications. \u201cIt\u2019s not just about compromising a network and utilizing computers and servers to do evil things anymore,\u201d says Christopher Ensey, COO of Dunbar Security Solutions, in Hunt Valley, Maryland. \u201cIt\u2019s also about these new applications that are the new data troves for the really powerful or valuable corporate information.\u201d<\/p>\n

\u201cARE WE IN ALIGNMENT WITH BEST PRACTICES IN IT SECURITY? THAT MAY SEEM OBVIOUS, BUT BUSY IT GROUPS OFTEN FALL BEHIND ON THE BASICS.\u201d<\/p><\/blockquote>\n

At the same time, the tools for doing evil are widely available. Software that can be used to launch cyberattacks is increasingly easy to find, as is \u201ccrime as a service\u201d in which, for example, criminals offer to conduct denial of service attacks on an on-demand basis. \u201cIt\u2019s now really easy to get into the cybercrime game as a junior player, which is fundamental to what we\u2019re seeing,\u201d says Roderick Jones, CEO of the Rubica security firm in San Francisco. Criminals simply don\u2019t need a lot of technical expertise to compromise company systems.<\/p>\n

The power of crimeware itself has grown by leaps and bounds\u2014largely because much of it is being created by nations that are targeting U.S. institutions and businesses. \u201cThese tools are being developed and then actually given to organized crime groups by Russians and others in opposition to the U.S.,\u201d says Jones.\u00a0\u201cSo there is this enormous kind of asymmetry that CEOs have to deal with.\u201d<\/p>\n

Tightening Up the Technology<\/strong>
\nIn this environment, CEOs need to work on several fronts. The traditional IT department is still key to security. Thus, says Ensey, CEOs need to ask their CIOs, \u201cAre we staying in alignment with best practices in IT for security?\u201d That may seem obvious, but busy IT groups often fall behind on some of the basics of security, such as updating systems. It\u2019s worth noting that the WannaCry ransomware exploited systems that had older software or had not installed a recent\u00a0security patch.<\/p>\n

Meanwhile, corporate security technologies are also becoming more sophisticated. Roderick Jones points to tools such as anomaly detection, which uses rules-based systems to spot unusual patterns in network usage and user behavior, and penetration testing\u2014the launching of friendly attacks on networks to identify weaknesses. Looking ahead, companies may turn to active defense techniques\u2014things like embedding data with code that attacks the criminals\u2019 systems if the\u00a0data is stolen. The technology for this exists, Jones says, but its use would raise legal questions.<\/p>\n

\u201cBut active defense is an emerging area that CEOs should be aware of,\u201d he says. A decision to use it \u201cwould have to necessarily involve the CEO in the discussion, because of the policy and reputational implications of that process.\u201d<\/p>\n

In many IT landscapes, the cloud is an area of special concern. Having infrastructure and software provided as a service over the network naturally involves security risks that differ from those found in the traditional data center operating behind the firewall. \u201cAs a CEO of a company that is very much cloud-enabled, I think about [cloud security] all the time,\u201d says Yong-Gon Chon, CEO of Focal Point Data Risk in Tampa. \u201cThere\u2019s a blessing and a curse when moving to the cloud.\u201d<\/p>\n

The cloud offers significant benefits, such as greater flexibility and less capital expense. It also means losing a degree of control over security policies\u2014time-to-respond when there is a breach, for example, or software patching schedules. CEOs need to balance those factors when looking at the cloud.<\/p>\n

\u201cAs a practical matter, when you\u2019re connecting to the Internet and you\u2019re entrusting a cloud provider with your data, there is no such thing as 100% risk mitigation,\u201d Chon continues. However, CEOs should keep in mind that major cloud providers typically have very robust security\u2014often, better than a mid-size company could maintain in-house. In addition, he says, executives should look at ways to transfer risk they can\u2019t mitigate, for example through contracts that transfer some risk to the cloud provider or by purchasing cyber liability insurance.<\/p>\n

Take it Personally<\/strong>
\nCybersecurity experts have long recognized that the weakest point in corporate defenses is not the technology, but the people using the technology. And today, that is truer than ever. \u201cIt\u2019s important to remember that one single \u2018insider\u2019\u2026 can render all cybersecurity hardware and software investments useless,\u201d says\u00a0BLACKOPS\u2019s Fleming. And insiders are not just employees\u2014think of supply chain partners, vendors and ex-employees as well.<\/p>\n

The list should also include the CEO and other executives\u2014people who are especially attractive targets because of their authority and their access to a wide range of company systems.<\/p>\n

The FBI reported last year that spear-phishing scams that use fake executive emails to direct payments to phony vendors had cost companies $2.3 billion in the previous three years. In essence, the criminals include details that make a recipient view the email as legitimate. To get that information, they are often\u00a0making an end run around corporate security, targeting executives\u2019 personal accounts and online activities outside the corporate firewall, as well as family members\u2019 online activity.<\/p>\n

With all that in mind, CEOs not only need to be cautious\u2014they might also want to rethink their own access to company information. Instead of directly accessing certain HR systems, for example, might they rely instead on reports from others? \u201cIn some ways, the less you know digitally, the better,\u201d says Jones. \u201cYou may not want to access some of the core systems in your business, because you are the most prominent person and you\u2019re that most obvious person that will be\u00a0attacked.\u201d<\/p>\n

Organizing the Defense<\/strong>
\nCybersecurity is indeed a business issue, and it needs to be dealt with that way. \u201cCybersecurity is everything from the training department to the marketing team to HR, legal, risk governance and compliance,\u201d says Ensey. \u201cEvery piece of the business is involved in the solution to cybersecurity challenge.\u201d<\/p>\n

With that in mind, CEOs can:<\/p>\n

GET A CHIEF INFORMATION SECURITY OFFICER (CISO).<\/strong> Today, the CIO often oversees cybersecurity, but cybersecurity has grown into a separate discipline, and experts recommend that companies name a CISO to oversee the many facets of cybersecurity.<\/p>\n

Ideally, this will be someone with a deep background in the field. Such individuals are in short supply, and some companies may not be in a position to support a CISO function. In that case, appoint a non-specialist, which will at least put a person in place who can maintain a big-picture perspective and work with outside cybersecurity consultants as needed. Also, it\u2019s important that the CISO not report up through the CIO. \u201cYou want to be able to bring them into a board\u00a0meeting separately so you get two different viewpoints,\u201d says Fleming. \u201cDon\u2019t have the CISO\u2019s reporting sanitized by the CIO.\u201d<\/p>\n

IMPROVE COMMUNICATIONS WITH THE BOARD.<\/strong> Security professionals have their own perspective, and it often differs from the board\u2019s. To help bridge the gap, CEOs can encourage CISOs and CIOs to use business language. Focal Point\u2019s Chon also suggests using a cyber balance sheet. This lists assets and liabilities in categories such as data, human capital and so forth, with a checklist showing a risk profile for each\u2014all of which helps the board and security experts understand each other.<\/p>\n

ASSUME THE WORST.<\/strong> In reality, companies are very likely to experience breaches of their systems. Thus, it can be useful to assume that it will happen, and then give some thought to how the organization will deal with such an event. \u201cIf breaches are a fact of life, worry about the stuff you can control as opposed to the stuff that you can\u2019t control,\u201d says Chon, who says that key questions include, \u201cWhat happens to our business when the most valuable data that we have gets stolen? How does that impact our ability to make money or our brand? How do we manage the business disruption?\u201d<\/p>\n

The answers to such questions should be documented in a written response plan spelling out how systems and data will be recovered and how the issue will be communicated to customers, shareholders and regulators.<\/p>\n

Altogether, a lot of this puts the CEO on familiar ground. Managing financial and operational risk is central to the CEO\u2019s job, and now cyber risk needs to be added to the list. As with other major initiatives, CEOs need to lead by example. \u201cThey must own it and they must lead it,\u201d says Fleming. \u201cWe\u2019re talking about a\u00a0cultural change. We\u2019re talking about policy changes and funding allocation changes. And that is all done at the CEO level.\u201d<\/p>\n


Read more at Chief Executive<\/a>.<\/em><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

When the WannaCry ransomware attack was launched in May, it shocked businesspeople around the world. But security experts will tell you that it was just part of a larger, ongoing trend in which cyberattacks are constantly evolving\u2014and becoming more sophisticated.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[6,10],"tags":[],"acf":[],"_links":{"self":[{"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/posts\/1274"}],"collection":[{"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/comments?post=1274"}],"version-history":[{"count":0,"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/posts\/1274\/revisions"}],"wp:attachment":[{"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/media?parent=1274"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/categories?post=1274"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/tags?post=1274"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}