We’ve been hearing of so many breaches over the last few years and even months. These are clear signs of how rapidly the cybersecurity industry is changing. Every day, new devices are connected to the internet, and as more devices come online, new methods of exploitation are researched and invented. The truth is, you are never going to be completely safe. In fact, one of the most dangerous cyber threats today is not delivered remotely over the internet; it sits close to you, and it is the "it can't happen to us" mindset.
Having said that, if you are part of the board in your company, here’s a checklist of questions about cybersecurity that you should bring up during your next board meeting.
1. Do we have the information we need to oversee cyber risks?
A recent survey conducted by PwC indicated that only thirty-six percent of board members have confidence in their company’s reporting of cybersecurity metrics. We live in an age where data is the key to business survival. This question, asked at a board meeting, sets the premise for all the questions that follow: any action or decision must be informed by accurate information. Ensure you have a strong team in place that understands cybersecurity and can give you a full report on your business's cybersecurity strategy and infrastructure.
2. How effective is our cybersecurity strategy at addressing business risks?
Following the question of whether there is adequate information to oversee cybersecurity, boards need to ask management about the company’s strategy for addressing data security. It is imperative to have versatile minds on your cybersecurity team to ensure that all aspects of your security are knitted tight. These days there are hackers as young as five years old; count no one out. Assemble the best team, get the most brilliant minds, and ensure that you have a detailed cybersecurity plan in place.
3. How do we protect sensitive information handled and stored by third-party vendors?
According to PwC's survey, employees are still the largest security risk. However, the number of incidents attributed to business partners is rapidly increasing. Is your security team thoroughly vetting the vendors partnering with your business?
Are you carrying out regular audits of all your vendors? Work through these questions and more in detail, and maintain strict policies, so that a vendor relationship does not come back to bite you when you least expect it.
4. Do we have cyber insurance?
As a board member, you need to understand the scope and details of the company’s cybersecurity insurance policy. An insurance plan is not just about insuring your physical assets against a cyber threat. Ask your team whether they have the tools and infrastructure to monitor your security parameters on a regular, if not real-time, basis. Investing in the right technology and the right team could be your real insurance policy for a safe cybersecurity environment.
5. Do we have the right data governance strategy to minimize cyber risk?
This question follows directly from question 1. Once you have all the information, what is your governance strategy? Boards and company management should review current data management and storage processes and fill any gaps that may exist. Ensure that all teams in your business are aligned with your data security policies.
6. How do we stay current on the cyber threat landscape?
Collaborating on cybersecurity knowledge-sharing practices is a great way to bring your business up to speed with the current cyber threat landscape. Experts have established by now that this landscape is constantly evolving, and one of the best ways to keep informed is to ensure everyone is sharing adequate information and industry best practices.
7. Do we have a tested cyber breach response plan?
One of the key questions to ask during your board meeting is whether your business has a good response strategy. Have we run cyber-attack simulations on our systems? Do we run any bug bounty programs? What is our QRF strategy once we have been breached? Detail these questions as much as possible to ensure that you minimize the damage done post-breach. This question is key because it demonstrates preparedness.
8. How can we detect cyberattacks and respond to them?
It’s great to know that all your business and customer information is secure, but the board of directors would also want to know that there is a plan of action for when something gets compromised. Without a doubt, data loss is seriously detrimental to any business and at times leads to its downfall. That is why management would want to make sure that data backup and recovery plans are properly in place, so that in case of an information breach the business has the opportunity to fight back and thrive.
It is crucial to understand that there is no tool that can provide you with 100% protection against all security threats. It’s important to aggregate your resources and help them interact in such a manner so as to give you the best possible chance to intercept an incoming security threat.
The operations of an organization often get disrupted by the downtime caused by a data breach. The organization can prove its preparedness by outlining a concrete data recovery plan and putting it in place before a breach occurs. Security personnel can use metrics such as the Recovery Point Objective (RPO) and Recovery Time Objective (RTO) to channel their efforts.
The Recovery Time Objective, or RTO, defines how much time may elapse between the occurrence of the breach and the resumption of normal operations once the system is restored. The RPO, on the other hand, defines how far back from the time of the breach you must be able to roll back, that is, how old the most recent completed backup may be.
9. Is the resource allocation appropriate? Are we spending enough on resources? Why are we overspending?
Board members are likely to ask this question when they want to ensure that the organization's risk mitigation and security maintenance teams are not standing still but are working to prevent any security incident. They would also like to know about the ROI and the metrics that support it.
The best response to such a question is to follow the balanced scorecard method. Here, the top layer outlines the business aspirations, and the corresponding business performance is highlighted using a basic traffic-light technique. It is best to explain business aspirations in terms of performance rather than technology.
Robert S. Mueller, former FBI Director, said: 'There are only two types of companies: those that have been hacked and those that will be hacked.'