[BreachExchange] How does the board make informed decisions on cyber risk?

Audrey McNeil audrey at riskbasedsecurity.com
Fri Feb 17 18:09:09 EST 2017


http://www.itsecurityguru.org/2017/02/17/board-make-informed-decisions-cyber-risk/

Picture the scene: your organisation’s name splashed across the papers for
all the wrong reasons. Employee data lost, customer data leaked online,
passwords stolen. With the number of data breaches increasing every day,
this scene is all too familiar. As the challenges of information security
continue to garner the attention of business executives, information
security and risk professionals require accurate, traceable and actionable
data to be able to reduce cyber risk effectively.

An organisation may think that it has all bases covered but being able to
provide accurate analysis and appropriate communication of security metrics
to the board is a vital component of the cyber risk reduction process by IT
and security executives.

A recent survey indicated that cyber risk was the top priority for 26 per
cent of board members, while other risks such as financial, legal,
regulatory, and competitive were the “highest priority” for no more than 16
to 22 per cent of respondents. 40 per cent of IT and security executives
agreed that the information provided to boards contains actionable
information. Worryingly, eight out of 10 rely on manually compiled
spreadsheets to report data to the board. Finally, more than one-third of
respondents indicated that they weren’t even aware of all the data breaches
that occurred within their organisation!

A single breach will send shockwaves throughout an entire organisation. In
today’s data-driven world the need for senior executives to comprehend
threats and identify risks has intensified. Data risk is now the top
concern of executives, and if we all adopt the mind-set that a breach is
inevitable, the best course of action for security teams is to better
manage data risk.

With the General Data Protection Regulation (GDPR) looming and the ICO on
hand to distribute major fines (up to 4% of global turnover) for
non-compliance, boards and senior management can no longer afford to ignore
this security framework. Businesses will need to take responsibility for
the way they collect and process data on European residents (Brexit or no
Brexit), and must take immediate action to align their business systems
with the requirements of the GDPR.

Furthermore, the regulation requires that businesses must protect the
confidentiality, integrity and availability of the personal data they
handle. In a GDPR world, there will simply be nowhere to hide for an
organisation that suffers a breach.

Mandatory breach notification rules, common in the US, are now being
introduced to the EU. A company must notify the relevant authorities within
72 hours of discovering the breach. This presents two challenges for
organisations: discovering the breach in a timely manner (breaches are
discovered on average 140 days after the initial intrusion) and managing the
reputational fallout after such a breach.

Companies need to be adequately prepared for a breach and have a
well-thought-out mitigation process in place. This shouldn’t be limited to
a technical response, but include managing regulators, customers and media
inquiries. How an organisation responds to and manages a breach can have a
residual effect on reputation and a powerful impact on customer trust. A
complete media blackout while an internal investigation takes place isn’t
an appropriate response.

As we reflect on the past year, one thing is evident: no industry or
organisation is immune from an attack. Cybercrime does not discriminate; it
affects businesses of all shapes and sizes. Even the most robust defences
will not disqualify you from being breached. However, there is a silver
lining. Organisations can understand how cybersecurity breaches occur, what
types of data present the biggest risk and what you can do to reduce the
risk, including accurate analysis and appropriate communication of security
metrics.

Given the range of security solutions and services now available, the days
of compiling spreadsheets are over. The focus must now be on identifying
and responding to threats rapidly and robustly – reducing the 140-day
detection period to 140 seconds – and even that will be too long as the
methods of bad actors evolve!