“According to the New York Stock Exchange’s definitive cybersecurity guide (October 2015), boards of directors mainly fail:
– To implement and monitor an effective cybersecurity program.
– To identify and protect company assets and business by recklessly disregarding cyber attack risks and ignoring red flags.
– To implement and maintain internal controls to protect customers’ or employees’ personal or financial information.
– To take reasonable steps to notify individuals in a timely fashion that the corporation’s information security system had been breached.”
Suddenly cybersecurity is an issue which is keeping the c-suite awake at night. Just a few years ago, IT security seemed less high profile and threatening. Today, hackers can disrupt and even destroy a business.
And for many board directors, the real problems only emerge in the days and weeks after the security breach has become public knowledge.
First, lawyers will start to hover over the train wreck that was your network. They’ll be looking for individual and class action lawsuits for you to defend.
At a time when the business is already distracted by restoring network resources, speaking to customers and fielding the media, you’ll suddenly have lawyers adding to your problems.
Shortly afterwards, activist shareholders will be making a public call for key directors to resign.
High-profile CEO resignations and/or shareholder litigation have already affected Target, Wyndham Worldwide, TJX Companies, Heartland Payment Systems and others. You can be certain others will follow.
NYSE Cyber Security C-Suite Checklist.
In October 2015, the NYSE published a list of six questions that every board member should be asking about cyber security.
Here’s a quick summary of those points:
1 – What are the most important IT assets to protect?
2 – Does the business have a cyber security strategy, such as ISO 27001?
3 – How integrated is IT security with the role of corporate governance?
4 – Does the IT security protocol cover mobile computing, bring-your-own-device and cloud computing?
5 – Are employees made aware of the need for cyber security?
6 – Has management developed a robust process in the event of breach?
Answer ‘no’ to any of those questions and the c-suite will have a rougher ride with activists and lawyers should a breach occur.
Board Member Daily Cyber Risk Updates.
Many companies rely on a yearly or six-monthly penetration test (if they do a pentest at all) to see how secure their network is. But although a thorough penetration test is valuable, about 20 new network vulnerabilities surface every day.
So over the months between pentests, hundreds or even thousands of accumulated threats could make your network vulnerable.
That’s why an increasing number of companies rely on a daily vulnerability audit with SecludIT’s Elastic Detector. Running quietly in the background, Elastic Detector checks the entire network against an updated checklist of vulnerabilities every day.
It’s a valuable part of the due diligence protocol for c-suites, and demonstrates that the organization is taking a proactive approach to cyber security.