[BreachExchange] Six data security questions that every board needs to ask

Audrey McNeil audrey at riskbasedsecurity.com
Mon Nov 27 19:15:46 EST 2017


https://www.helpnetsecurity.com/2017/11/22/data-security-questions/

As data breaches become a constant headline, data security should be a
major concern for company boards everywhere. Unless a board member has been
hired specifically to provide oversight for cybersecurity programs, many
boards may find themselves unprepared to perform the necessary level of due
diligence.

This lack of understanding and the inability by the board to challenge
cybersecurity assumptions is one of the key reasons why Chief Information
Security Officers perennially lack the resources and funding to prevent
data breaches, like that at Equifax.

The good news is that boards can take the risk management concepts they
already know well, and apply those to cybersecurity by properly framing the
conversation using these six questions.

1. Which threats does our company face?

Company boards already understand the various lines of business for their
organization but also need to understand which kinds of attackers target
each line of business. Different industries and different company sizes
must defend against different threats. For example, a small manufacturer of
government satellite components should expect to be targeted by
nation-states, while a nationwide property management company might focus
on employees that mistakenly or maliciously expose information.

At a board level, this process is very similar to the analysis boards
already do when identifying threats to revenue. Discussing and determining whether a
revenue forecast is threatened by quality issues, labor disputes,
competitive pressures, and other factors is very similar to a discussion of
which threats must be considered as part of an overall cybersecurity
program.

2. What motivates the threats/attackers?

Understanding which threats and attackers your business must deal with is
just a portion of the information that boards need to ask for.

Boards must also understand what motivates the different threats. For
example, outside cyber-criminals have very different motivations than
malicious insiders such as disgruntled employees. The former are motivated
by financial gain and will target information they can readily monetize.
Malicious insiders will target information that promises to do the most
damage to the business when made public. Boards must understand why
different threats exist so they can begin to understand what information
needs to be better secured.

Again, the process to answer this question is very similar to the process
that boards already use to understand the threats to product sales. For
example, during or before an anticipated labor dispute the board will learn
what the workforce wants and why. In fact, answering this question is very
similar to negotiating in that the board must learn what the other party
wants, why they want it, and how much energy they will expend to get the
desired outcome.

3. What is the impact of a breach?

Data breaches and privacy compliance violations cause financial impact to
businesses in the form of fines, class action lawsuits, damage to
reputation, and loss of competitive advantage, to name a few.
Unfortunately, there is a lot of real-world data about the costs of data
breaches that can help boards arrive at a realistic number and an
understanding of the wide-reaching ramifications. Company boards need to
understand the impacts that result from a variety of data breaches,
including accidental unauthorized access, partial data theft and data theft
on the scale of the recent Equifax breach.

4. How likely is a data breach or compliance violation?

Measured over a long enough period of time, the likelihood of a data breach
is 100%. While it is important to understand that fact, boards must use a
more practical time period that aligns with the data the business needs to
secure. For example, sensitive employee information is valuable for a much
longer period of time than an upcoming earnings announcement.

Cybersecurity consultancies and research organizations produce publicly
available and also bespoke analysis to help boards gain an impartial
assessment of the probability that their organization will experience a
data breach.

5. What is our level of risk?

The role of the board is to identify and manage risks. Cybersecurity risk
is defined as the impact of a data breach multiplied by its likelihood.
Boards must define the acceptable levels of data breach and privacy
compliance risk for the business. If the risk is unacceptable then the
business must take action to reduce the risk to within tolerance. The
board’s ability to assess risk directly depends on its ability to
understand the threats, data, impacts and probabilities previously
discussed.

Board members and other executives should participate in (at least) annual
exercises that simulate post-data breach crisis management. It is important
for them to get simulated experience with the disruption, expense, and
stress of a data breach so they can better understand the importance of
cybersecurity risk reduction.

6. How do we reduce risk?

To reduce risk, the business must reduce the impact and/or the likelihood
of a data breach. For businesses being attacked by ‘Advanced’ Persistent
Threats (and most breaches are the result of persistence as opposed to
sophistication), it is extremely difficult to significantly reduce the
likelihood of data theft. It is important for boards to understand that
cybersecurity insurance does not reduce risk, it just offsets it. As
such, cybersecurity insurance should be used to cover risks that cannot be
reasonably addressed by a cybersecurity program.

A data-centric approach

Businesses can reduce the impact of a breach by making it harder to steal
useful information. Historically, security teams focused on making servers
and networks more difficult to compromise. That approach continues to fail.
More recently, cybersecurity efforts focused on detecting a compromise.
These efforts have helped to some degree, but still do not make it more
difficult for an attacker to steal data.

To make data more difficult to steal, businesses must encrypt it, protect
that data from unauthorized access, and control how information travels. Of
course, all of this must be informed by an understanding of where valuable
information resides. You cannot secure what you don’t know you have or
cannot find.