Monday 22 June 2015

Cybersecurity and the evolving role of boards

Leadership’s engagement with cybersecurity is not only internally driven. Regulators have also begun to raise expectations. In countries like the United States, the Securities and Exchange Commission has affirmed the importance of including cyber security processes and events in a public company’s disclosure of risk factors and material events. In the Asia Pacific region, strict laws are emerging in several countries to enable the government and regulators to require companies to take measures to ensure cyber security threats are looked into.

The increasing frequency and business impact of cyber threats have moved cybersecurity planning and protection from an operational concern of information technology departments to a key theme on the agenda of most company boards and CEOs. A recent survey by global consulting firm FTI Consulting, which polled 500 board members, found that the cost of cyber security breaches has gone up by 30 per cent over the past year and that cybersecurity threats have now come front and centre in corporate boardrooms, taking top spot in the list of worries for both board members and general counsel and displacing concern over succession and leadership transition.

Similarly, in its annual Global CEO Survey of 175 banking and capital market chief executives in 54 countries, released last February, PricewaterhouseCoopers said that about four out of five CEOs polled, or 79 per cent, now see cyber security risk as the top threat to business growth. The study also showed that the majority of global CEOs – 93 per cent – consider cybersecurity a strategically important category of digital technology in their organisation.

Despite their responsibility for overseeing cybersecurity, boards often overlook one critical link in the cybersecurity chain: the board’s own role as custodian of company information. After all, a board routinely handles, stores and internally shares sensitive financial and sales data along with confidential strategic plans, senior executive compensation policies and other privileged information. Unauthorised access to any of this information could have severe consequences.

There is also the undeniable fact that every cybersecurity option entails a compromise between convenience and effectiveness. Because of the senior status of board members and leadership, there is a natural tendency to minimise any inconvenience to them. As a result, board members often access, store and share information in ways that are convenient but considerably less secure than the practices of the organisation as a whole.

Examples include sending hard-copy packs of board materials or emailing PDFs.

Another compromise is made where passwords are required. Instead of mandating strong passwords that contain no recognisable words and combine several character types, simple passwords such as a child’s name may be permitted. While these practices often arise from ad-hoc decisions rather than deliberate policy, inertia makes them resistant to change.

Given the heightened level of threats in these times, boards and senior management must do more than provide oversight of an organisation’s cybersecurity. They must set an example of security best practices from the top.

Developing a framework for evaluating board security

Leaders who want a firm, intuitive grasp of how to judge their board’s cybersecurity practices can easily end up in a tangle of jargon. Fortunately, it can be straightened out by asking three basic questions:

1. How is the board data stored?

2. How strong are the locks?

3. Who controls the keys?

Posing these questions can help with the evaluation of the board’s current solutions for information sharing, communication and collaboration – as well as any it may be considering.

1. How is the board data stored?

Any security evaluation should begin by examining who controls the data. If you do not know where information is and cannot control where it goes, the solution is highly insecure.

This is why emailing board documents as PDF files is not a secure solution. Files can be accidentally forwarded by directors to others outside the board, or housed in personal email accounts with minimal consumer-level security.

The same holds true for public file-sharing systems where files are stored “in the cloud.” What this really means is that your files could be on any server in the file-sharing network; you as a customer have no way of knowing exactly where they are. This ambiguity is why it’s called a “cloud” in the first place.

One reason for the popularity of cloud-based storage systems among consumers has been the assumption that such systems are relatively secure. But high-profile hacking cases, such as the leaks of passwords and celebrity photos from cloud providers, demonstrate just how flawed that assumption is.

Although hosted board portals do seem cloud-like, and are often mistakenly referred to as “cloud-based storage”, there are important differences. For one thing, they carefully control where your data is stored on the hosted system.

What’s more, they keep each hosted organisation’s information segregated from that of every other. Knowing where data is located, and what security measures protect it, provides greater control and assurance over who has access to the information.

2. How strong are the locks?

Keeping close tabs on data’s whereabouts is certainly crucial, but so is ensuring that only authorised users can access it. This is accomplished through encryption, i.e. enciphering the data into a string of meaningless 0s and 1s that only those holding the correct digital key can decipher.

Of course, paper board packs have no digital key at all; the information can be read by anyone who gets their hands on them. And while PDFs that are emailed or stored on file-sharing systems can be encrypted and password-protected, this puts the onus on whoever distributes and receives the material to manage password protocols. Furthermore, documents “protected” in this way remain vulnerable to “brute force” attacks using readily available software.

Higher-quality hosted board portals typically use 256-bit encryption – a key of 256 0s and 1s. Since there are more possible combinations than stars in the universe, it’s safe to say that it would take an infinite amount of time for even the most determined hackers using the most advanced technology to crack the code.
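To put the comparison between a password-protected PDF and a portal’s 256-bit key into numbers, here is an added Python example written for this page; it is not code from the article or from any board-portal product. It estimates the worst-case time for an exhaustive guess-by-guess search, and makes one caveat explicit: a file encrypted under a key derived from a password is only as strong as that password, however long the cipher key is. The character-set sizes, the assumed list of 10,000 common first names, and the guess rate of one billion attempts per second are constructed assumptions for illustration, as is the absence of any rate limiting.

```python
import math

# Constructed assumptions for illustration (not figures from the article).
SECONDS_PER_YEAR = 365.25 * 24 * 3600
GUESSES_PER_SECOND = 1e9          # assumed attacker throughput, unthrottled
CIPHER_KEY_BITS = 256             # the "256-bit encryption" the article describes


def random_key_bits(key_length_bits: int) -> float:
    """A uniformly random key has entropy equal to its length in bits."""
    return float(key_length_bits)


def password_bits(charset_size: int, length: int) -> float:
    """Entropy of a password drawn uniformly from charset_size**length possibilities."""
    return length * math.log2(charset_size)


def dictionary_bits(dictionary_size: int) -> float:
    """Entropy of a password picked from a known list, e.g. common first names.

    A child's name is effectively a dictionary choice, not a random string.
    """
    return math.log2(dictionary_size)


def effective_bits(cipher_key_bits: int, password_entropy_bits: float) -> float:
    """The protection is as strong as the weaker of the key and the password that unlocks it."""
    return min(float(cipher_key_bits), password_entropy_bits)


def seconds_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every possibility at the given rate."""
    return 2.0 ** bits / guesses_per_second


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(bits, guesses_per_second) / SECONDS_PER_YEAR


def compare_scenarios() -> dict:
    """Effective strength and exhaustive-search time for three constructed scenarios."""
    scenarios = {
        # A child's name chosen from an assumed list of 10,000 common names.
        "pdf_childs_name": dictionary_bits(10_000),
        # Eight characters drawn at random from 95 printable ASCII characters.
        "pdf_8_char_random": password_bits(95, 8),
        # A portal holding a random 256-bit key, with no password in the key path.
        "portal_random_key": random_key_bits(CIPHER_KEY_BITS),
    }
    return {
        name: {
            "effective_bits": effective_bits(CIPHER_KEY_BITS, bits),
            "years_to_exhaust": years_to_exhaust(effective_bits(CIPHER_KEY_BITS, bits)),
        }
        for name, bits in scenarios.items()
    }


if __name__ == "__main__":
    for name, result in compare_scenarios().items():
        print(f"{name:20s} {result['effective_bits']:7.1f} bits  "
              f"{result['years_to_exhaust']:.3g} years")
```

The output shows the name-based PDF password falling in a fraction of a second and the eight-character random password in a matter of months at the assumed rate, while the random 256-bit key is out of reach by dozens of orders of magnitude. The practical lesson for a board is that the “256-bit” label only means something when the key itself is random and held by the system, not derived from whatever a director typed.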

3. Who controls the keys?

No matter how strong an encryption system may be, anyone with the right key can still access the information. For example, anyone who has the password to a password-protected PDF effectively owns the document. Stolen passwords mean stolen documents.

However, with a hosted board portal, a password only goes so far. Yes, it allows access to the portal. But because control of the encryption keys protecting the board documents resides within the system, the person logging in will only see what he or she is allowed to see. A strong portal never loses control of the documents.

The security implications are significant. If a password is stolen, the administrator can simply deny access for that password. And once sensitive documents are no longer needed, the administrator can conduct a “virtual purge”, closing them off to anyone trying to reach them through that user account with the stolen password.

Beyond requiring the right password to gain access, a board’s administrator can limit access to specific board documents according to criteria such as committee membership, making them visible only to members of the audit committee or the compensation committee, for instance. The administrator can also control the specific devices from which a director may access the system.
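The difference between a password that unlocks a copy and a password that merely opens a door can be shown in code. The following is an added Python model written for this page, not the article’s text or any portal vendor’s software: every request to open a document is decided centrally against the current policy (valid credential, registered device, committee membership, document not purged), so revoking a stolen credential or purging a document takes effect at once, with no decrypted copies outstanding. The director names, device identifiers and document names are constructed sample data, and the class and method names are this example’s own.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Document:
    doc_id: str
    committee: str          # only members of this committee may open it
    purged: bool = False    # set by the administrator's "virtual purge"


@dataclass
class Director:
    user_id: str
    committees: frozenset   # committees this director sits on
    devices: frozenset      # devices the administrator registered for this director
    credential_valid: bool = True


class BoardPortal:
    """Toy model of a hosted portal: every open is decided here, against current policy."""

    def __init__(self) -> None:
        self.documents: dict[str, Document] = {}
        self.directors: dict[str, Director] = {}
        self.audit_log: list[tuple] = []   # who asked, from where, for what, and the decision

    def add_document(self, doc: Document) -> None:
        self.documents[doc.doc_id] = doc

    def add_director(self, director: Director) -> None:
        self.directors[director.user_id] = director

    def can_view(self, user_id: str, device_id: str, doc_id: str) -> tuple[bool, str]:
        """Authorisation check run on every access; the document never leaves the portal."""
        decision = self._decide(user_id, device_id, doc_id)
        self.audit_log.append((user_id, device_id, doc_id, *decision))
        return decision

    def _decide(self, user_id: str, device_id: str, doc_id: str) -> tuple[bool, str]:
        director = self.directors.get(user_id)
        if director is None:
            return False, "unknown user"
        if not director.credential_valid:
            return False, "credential revoked"
        if device_id not in director.devices:
            return False, "unregistered device"
        doc = self.documents.get(doc_id)
        if doc is None or doc.purged:
            return False, "document unavailable"
        if doc.committee not in director.committees:
            return False, "not a committee member"
        return True, "allowed"

    def revoke_credential(self, user_id: str) -> None:
        """Stolen password: deny access for that account; there are no copies to recall."""
        self.directors[user_id].credential_valid = False

    def purge_document(self, doc_id: str) -> None:
        """Virtual purge: the document is closed off to every account at once."""
        self.documents[doc_id].purged = True


def build_demo_portal() -> BoardPortal:
    """Constructed sample data: two directors on different committees, two documents."""
    portal = BoardPortal()
    portal.add_director(Director("alice", frozenset({"audit"}), frozenset({"ipad-1"})))
    portal.add_director(Director("bob", frozenset({"compensation"}), frozenset({"laptop-2"})))
    portal.add_document(Document("audit-q2", "audit"))
    portal.add_document(Document("comp-plan", "compensation"))
    return portal


if __name__ == "__main__":
    portal = build_demo_portal()
    print(portal.can_view("alice", "ipad-1", "audit-q2"))    # (True, 'allowed')
    print(portal.can_view("bob", "laptop-2", "audit-q2"))    # bob is not on the audit committee
    print(portal.can_view("alice", "phone-9", "audit-q2"))   # device not registered for alice
    portal.revoke_credential("alice")
    print(portal.can_view("alice", "ipad-1", "audit-q2"))    # stolen credential now useless
    portal.purge_document("comp-plan")
    print(portal.can_view("bob", "laptop-2", "comp-plan"))   # purged for everyone
```

Contrast this with an emailed, password-protected PDF: once a recipient (or whoever holds the stolen password) has decrypted it, nothing the administrator does afterwards can reach that copy. In the model, the authorisation decision is made fresh on every request and logged, which also gives the administrator the access trail a board would expect to see.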

The right message starts at the top

While cybersecurity may have a permanent place on the agendas of boards and senior management in more and more organisations, that’s not enough. Security must also be a permanent part of boards’ behaviour.

Having the right platform to handle board information, communication and collaboration will ensure essential security practices are followed in the boardroom. It also sends the right message, namely: cybersecurity is everyone’s business.

View the original content and more from this author here: http://ift.tt/1GhAwRh

from cyber security caucus http://ift.tt/1CnwFAo
via IFTTT
