The Board’s Role in Driving Change and Strategy: Cybersecurity Hygiene
Know your company’s risk profile when guiding cybersecurity decisions.
Boards can benefit their companies by setting up optimal governance policies around organizational cybersecurity and ensuring management establishes controls that adhere to the agreed-upon appetite for risk.
What runs through board members’ minds when they hear “cybersecurity”? Chances are the term generates anxiety about cost, which is a legitimate reaction unless a reasonable approach is used to manage risk and maintain a hygienic information technology environment. Ensuring this reasonable approach is in place is part of the board’s responsibility to be proactive about strategy, the market/competitive landscape and risk management, and it should be covered on every meeting agenda.
Every company faces risks by not automating, but automation must also be coupled with proper controls for business continuity and data security. In most businesses, the IT department is viewed as an expense, but a well-run function can provide new-market competitiveness and save money through data breach prevention. Breaches can require significant expenses to retain legal counsel, hire forensic auditors and make affected customers whole, not to mention the potential reputational loss.
Management is responsible for ensuring that the IT environment is well maintained. The board is responsible for ensuring the establishment of proper governance policies for the company’s risk profile, which includes risk identification, measurement, monitoring and control failure remediation tracking.
Layers, layers and more layers
When we discuss cybersecurity hygiene, we are talking about conditions and practices to maintain health and prevent ill effects, such as viruses or breaches. The most effective hygiene approach is defense in layers. Just like an onion, if one layer is peeled away, the next one is already in place and ready to do its job.
Cybersecurity defense in layers is typically broken down into five categories: IT security frameworks, data security, infrastructure security, knowledge and third-party vendor management.
IT security frameworks. IT security frameworks are the starting point for establishing good policies, procedures and operational activities, and are proven to reduce the risk and impact of cybersecurity issues. Frameworks can range from high-level concepts to specific controls, so companies should evaluate their risk tolerance, their ability to establish repeatable procedures and controls, and the level of senior leadership involvement.
Data security. Data security deals with how team members gain access to applications and infrastructure in order to perform their daily responsibilities. Access management may seem straightforward, but it is the most cited reason for control failures, owing to lack of consistency and insufficient documentation. Establishing good access management controls is an essential building block of any IT environment. Another key control in this category is management of significant applications: make sure that only authorized and tested updates are installed, and that these applications stay current with all available security patches.
Infrastructure security. Cybersecurity hygiene requires the proper maintenance of established servers, storage devices and perimeter control devices (e.g., firewalls). Any servers being used to support the company’s operations, whether they are maintained directly by the company or by a third-party vendor, should be patched with the most recent security updates in a timely manner to address new vulnerabilities. Regardless of where the infrastructure is maintained, it is up to management to ensure that the team members overseeing the equipment have the relevant and appropriate experience to respond promptly to any unforeseen issues, or to hold third-party vendors accountable for their actions.
Knowledge. Corporate knowledge and collected data are valuable IT assets. The main concern in this category is social engineering, which targets the weakest link: people. Social engineering is nothing new, but it continues to be a breaking point in IT environments, and it is also the most common manner by which companies are breached. Consistent training, and consequences for noncompliance, are necessary to address the weakest links or remove them from the environment.
All businesses collect data concerning their customers, vendors, employees, competitors and more. It is therefore important to make sure a solid data-classification policy is in place to define and capture data as public or nonpublic (sensitive or confidential) information. Data should be treated and safeguarded based on its type and the risk related to its contents.
Vendor management. When a company hires third-party vendors to perform critical IT responsibilities, such as data processing or storage, they become part of the company’s IT risk profile. As such, the board must ensure that management has a reasonable and appropriate process to evaluate vendor-security capabilities, financial stability and continuity of service. Performing these evaluations – when selecting a new vendor, but also on a regular basis for ongoing security and capacity checks – is essential. Hiring a third-party vendor to help with customer service does not absolve the company from its responsibility to safeguard customer data.
Today’s companies must take advantage of the opportunities provided by rapid technological advancements in order to stay competitive. Every advancement, however, increases board members’ responsibility to ensure management has established proper controls that align with the risk profile maintained and accepted by the board. Not only will the return on cybersecurity hygiene investments exceed the cost of a well-maintained and secure IT environment, but the company’s lower security risk may even offer a market advantage over its less prepared competitors.
Michael McAllister is partner and leader of the IS assurance and advisory services practice at Pennsylvania-based advisory firm RKL LLP.
This article is the second in a two-part series. Read more on the risks of not leveraging automation and technology.