A Cybersecurity Cheat Sheet For General Counsel and The C-Suite By Chuck Brooks

The COVID-19 pandemic has awakened the globe to our era of global connectivity and has also exposed our vulnerabilities in cyberspace. As we have transitioned to remote work at home on secured portals, devices, and personal Wi-Fi, we have become more of a target for cybercrime.

According to Barracuda Networks, the number of COVID-19-related email attacks has increased by 667 percent since the end of February. Between March 1 and March 23, Barracuda researchers detected 467,825 spear-phishing email attacks, and 9,116 of those detections were related to COVID-19.

This predicament has caught the attention of C-Suite leadership in industry and agencies. They have had to enact new policies, administer virtual private networks to employees working off site, and gain visibility into their networks and what they need to protect.

The reality is that we are all playing catch-up in cybersecurity. The Internet was invented in a government laboratory and later commercialized in the private sector. The hardware, software, and networks were originally designed for open communication; cybersecurity initially was not a major consideration. That mindset has surely changed due to the explosion of connectivity and commerce on the Internet. According to Statista, last year the United States experienced 1,244 data breaches and had 446.5 million exposed records. The FBI IC3 2019 Internet Crime Report indicates that more than $3.5 billion was reported lost as the result of cyber-crimes in 2019 alone.

Corporate board director roles have traditionally been reserved for those with expertise and leadership experience in management and best practices. Cybersecurity expertise historically has not been a primary concern for directors, but it has become an evolving requirement for accountability in the era of digital connectivity.

The bottom line is that almost every type of business, large and small, touches aspects of cybersecurity, whether it involves law, finance, transportation, retail, communications, entertainment, healthcare, or energy. Cyber-threats are ubiquitous. The frequency and maliciousness of cyber-attacks (including ransomware and Distributed Denial of Service attacks on networks) have become alarming. There are growing cyber-threats to corporate operations, reputation, and intellectual property that can affect not only stock prices but the viability of a company.

The growing threat of data breaches from hackers has made cybersecurity a global urgency. According to IBM, the cost of an average data breach has now risen to about $4 million. Varonis reports that approximately 7 million data records are compromised each day, and 56 records each second. A Clark School study at the University of Maryland quantified the near-constant rate of hacker attacks on computers with Internet access: every 39 seconds on average.

Dr. Chris Brauer, Director of Innovation in the Institute of Management Studies at Goldsmiths in London, sums up the state of cybersecurity for board members succinctly: “overcoming the threat boils down to two things: accepting that you will be breached (awareness) and the ability to do something (readiness).”

Targets of the increasing incidence of phishing and other types of social engineering breaches include many corporate giants, such as Target, Anthem, and Yahoo. Even the federal government has been targeted, most notably in the breach at the Office of Personnel Management, where 22 million personnel records were taken.

In spite of this, there is still a lack of awareness and specialized knowledge on most corporate boards. For example, according to a National Association of Corporate Directors (NACD) survey, only 14% of the board members queried expressed a deep knowledge of cybersecurity topics.

The cybersecurity landscape is complex, and it is extremely difficult to encapsulate all the various aspects that may confront a corporate board. Suzanne Vautrinot, President of Kilovolt Consulting and Major General and Commander, United States Air Force (retired), does provide a very good framework for addressing the landscape: “The board’s role is to apply the principles of risk oversight, to advise on strategy and help push to overcome challenges—in this case, cybersecurity gaps and challenges.”

Following that strong lead from General Vautrinot, I developed a condensed “cheat sheet” with themes to hopefully provide boards with insights and impetus to address the cybersecurity threat at the C-Suite level. The four themes include: risk management, responsibility, communication, and expertise.

THE CHEAT SHEET

At its very core, the practice of cybersecurity is risk management. It requires vigilance and encompasses educating employees, identifying gaps, assessing vulnerabilities, mitigating threats, and maintaining updated resilience plans to respond to incidents. Board directors should have a working understanding of risk management (and risk exposure) and context on the array of threats and threat actors. They should also be knowledgeable about the guiding axiom of the National Institute of Standards and Technology (NIST) Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover.

Cybersecurity is a responsibility. Elements of cybersecurity include policies, processes, and technologies. Every company is unique in culture, mission, and capabilities, but in terms of cybersecurity, management (including board members) and employees are accountable for overseeing those elements. A requirement for every board member should be that cybersecurity is treated as a company priority.

Cybersecurity’s backbone is effective communication. The CISO, CTO, CIO, and executive management must align strategies, collaborate, and regularly assess their information security programs, controls, and the safety of their networks. Communication enables readiness through the sharing of intelligence on threats and new security innovations. Security awareness training is also an important mandate for everyone at any company, especially the board.

Cybersecurity requires expertise. Ideally, a corporate board should include a blend of internal and outside subject matter experts. It is always useful for executive management to get perspectives and ideas from experts on the outside; it helps avoid complacency. Areas of special knowledge should include legal compliance, cybersecurity technology solutions and services, training, liability insurance, governance, and policy. Information security management should include people with ISO 27001 expertise and a knowledge of best practices. Prudent policy advice necessitates that companies develop strong relationships with government. The recent passage of the Cybersecurity Information Sharing Act promotes public/private cooperation on threat data sharing, especially with the Department of Homeland Security.

Cyber hygiene is an essential element for any company or individual. The graphic below by The #Cyberavengers (of which I am a member) illustrates the components of good cybersecurity awareness and hygiene.

Good Cyber Hygiene Checklist

Of course, my cheat sheet is just a starting point; there is certainly room for more items and description. I highly recommend several books to increase cybersecurity knowledge and awareness:

Paul A. Ferrillo and Christophe Veltsos wrote a must-read book for anyone in the C-Suite, “Take Back Control of Your Cybersecurity Now: Game Changing Concepts on AI and Cyber Governance Solutions for Executives,” which offers an in-depth analysis of cybersecurity and corporate board issues.

Another really great resource is “Hacked Again” by Scott Schober. According to renowned cybersecurity expert Dan Lohrmann, “Hacked Again is a well written book that I recommend without hesitation — especially as a primer for business owners or even government business pros who want to understand what really happens before, during and after data breaches or security incidents that occur regarding your own accounts.”

I most highly recommend reading the timely and informative book by Dovell Bonnett, “Making Passwords Secure: Fixing the Weakest Link in Cybersecurity.” As companies and individuals are increasingly subjected to breaches and ransomware attacks, the need for cybersecurity awareness and safeguards has become paramount. Dovell’s book offers a one-stop guide on how to mitigate cyber threats by explaining the basis and tactics of authentication security.

A must-read book just off the shelves is “Cyber Minds: Insights on cybersecurity across the cloud, data, artificial intelligence, blockchain, and IoT to keep you cyber safe” by Shira Rubinoff. Cyber Minds brings together an unrivalled panel of international experts who offer their insights into current cybersecurity issues in the military, business, and government.

The cybersecurity threat surface has expanded exponentially with smartphones, wearables, and the Internet of Things. These mobile devices, social media applications, laptops, and notebooks are not easy to secure and pose a big challenge to the C-Suite and everyone else. I hope that these resources, books, and this cheat sheet, which promote awareness, readiness, and communication, can help in the ongoing battle to mitigate the growing scourge of cybercrime.

Chuck Brooks

Chuck Brooks is a globally recognized thought leader and evangelist for cybersecurity. LinkedIn named Chuck one of “The Top 5 Tech People to Follow on LinkedIn.” He was named by Thomson Reuters a “Top 50 Global Influencer in Risk, Compliance,” and by IFSEC the “#2 Global Cybersecurity Influencer.” He is also a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, and a Contributor to FORBES. He has also been a featured author in technology and cybersecurity blogs by IBM, AT&T, Cylance, General Dynamics, Xerox, Tripwire, and many others.

Chuck Brooks LinkedIn Profile:

https://www.linkedin.com/in/chuckbrooks/