A cyber security roadmap for boards of directors

Business leaders — and especially boards of directors — need to give up on the question of whether cyber criminals will attempt to hack their organization; they will. The important question is when will they attack and what’s their likelihood of success?

Breaches don’t just affect an organization’s ability to conduct business. A well-targeted attack can compromise intellectual property, employee and customer information, and even physical locations. In such cases, the financial, legal, and reputational damages can be difficult to shake and are likely to dwarf the cost and time required to bring systems back online.

Cyber attackers are getting bolder and more knowledgeable, too, which ups the stakes significantly. With every thwarted attack or vulnerability, two or more consistently seem to spring up in its place. There is no end point for cyber maturity; organizations must constantly monitor their systems, threat landscape, and allocation of resources just to keep pace.

Security and privacy are fundamental operational and governance concerns regardless of an organization’s size. Even the largest, seemingly most sophisticated and technologically advanced enterprises are falling prey to breaches. Consider the recent case of an electric vehicle owner who managed to access data and ultimately gain control over an entire vehicle fleet. Thankfully this individual had noble intentions and reported their findings to the organization.[1] However, things could just as easily have turned out much worse.

If a company currently eyeing a $1 trillion market capitalization can fall prey to such an attack, what does that say for organizations with a fraction of the resources?

Remember, though, it’s not just the frequency or sophistication of cyber attacks that’s noteworthy — but the rapidly growing number of potential entry points. The widespread proliferation of smart systems and internet of things (IoT) devices in cars, buildings, homes, organizations, and utilities, provides hackers with a veritable cornucopia of entry points.

As we’ve already seen, modern vehicles — with their vast array of onboard computers, wi-fi hotspots, Bluetooth, diagnostic tools, etc. — are more susceptible than ever to cyber threats. The U.S. Postal Service (USPS) recently announced plans to procure advanced delivery vehicles, which will undoubtedly come with increased cyber risks. There may be obvious benefits for client service and efficiency, but these will only be proportionate to the steps senior leaders take to head off the vulnerabilities.

Even seemingly innocuous devices like key fobs and building heating, ventilation and air conditioning (HVAC) systems, elevators, are becoming more exposed. These internet-connected and Bluetooth systems, which typically prioritize functionality and experience, often treat cyber security as an add on. This leaves many vulnerable entry points for hackers, who can often piggyback on these systems to penetrate deeper into the network — whether to steal data or hold systems for ransom. One casino discovered this the hard way, as the compromise of a simple internet-connected aquarium thermometer gave hackers a direct pipeline to the high-roller database.[2]

Even security systems, which by their very nature are supposed to provide early threat detection and unparalleled peace of mind, can become an Achilles heel without the right oversight and controls. Case in point, a group of hackers recently gained access to 150,000 live security camera feeds at hospitals, businesses, police departments, prisons, schools, and major organizations.[3] The long supply and operations chain of these and other devices make it difficult to pinpoint the weak link, which can come from within the organization, via third-, or fourth, or fifth-party vendors.

Consumers are becoming increasingly worried of how organizations are collecting and using their personal data — especially as data collection becomes more commonplace and breaches continue to make headlines. Regulators are catching up, too. While this increased attention can make leaders feel like they’re constantly under the microscope, it’s also worthwhile to consider the potential competitive advantages a strong privacy posture can offer.

Consumers are better informed and more digitally sophisticated than ever and privacy is fast becoming a leading driver in their purchasing and brand loyalty decisions. What data an organization collects is critical. Equally important is how they collect, use, and secure this data. Strong and transparent data protection policies and rigorous governance are rapidly reaching parity with price, quality, and customer service as competitive value propositions.

Apple Inc. offers an intriguing case study as a large technology company advocating for and actively taking steps to protect user privacy. Even as many of their competitors are shirking demands for greater disclosures and user control over their data, Apple is taking a different tack by vocally championing the concerns and priorities of its loyal user base.

No doubt, there are several up-front costs to building an authentic, rigorous, and outspoken privacy culture. But the opportunities and long-term rewards will more than make up for it.

The days of seeing privacy and security as purely a technology concern are long past. We’ve already seen the outsized role of culture, brand, and policy in mitigating risk and preventing an attack. Senior leaders (and especially directors) therefore must embrace the challenge of creating a culture and policy framework that effectively manages and mitigates cyber and privacy risks. Everyone in the organization has a role to play in preventing, reporting, and responding to an incident. But it begins at the boardroom table.

As board members continue to lead from the front, these mindsets can help set the tone by guiding decisions, informing priorities, and influencing discussions.

1. Cyber risk is enterprise risk: Technology is inseparable from the business. Incorporate cyber and privacy concerns within enterprise risk planning (ie: Risk Register) to understand the likelihood, source, and the steps to take to avoid (or reduce the harm of) a potential breach.
2. Cyber risk requires cyber perspective: Invite cyber security experts to join the board and regularly include cyber and privacy on the agenda at board meetings. Create a technology committee to discuss priorities, trends, concerns and emerging controls.
3. Cyber risk management begins with policy: Create and promote a culture of cyber incident prevention by emphasizing privacy protection, good technology hygiene, and risk awareness throughout the organization.
4. Cyber risks have legal implications: Be aware of any legislative changes, compliancy or regulatory needs, and legal cases pertaining to privacy, cyber security, reporting guidelines and repercussions for businesses that experienced a cyber breach.
5. Cyber risks and attacks are always evolving: Focus on the fundamentals and strive for excellence in cyber maturity — and stay on the lookout for new breach techniques, incidents and risks; especially those occurring within your industry or sector.
6. Cyber risks are not all equal: Know which cyber risks you want to avoid, need to mitigate, are willing to accept or transfer through insurance — along with your strategy for each.
7. Data collection and privacy needs a policy: Be aware of the data you collect and stay on top of new and existing regulations in your jurisdiction(s). Be conscious of what stakeholders know and want, and invest in policies that consistently exceed their expectations.

Board members are also in a unique position to influence and re-shape an organization’s culture from the top down. As the seven principles above can go a long way in shaping the attitudes and objectives of the board itself, the following six steps can similarly set the stage for an enduring and cyber resilient culture.

1. Establish effective policies and procedures: Align your organization with applicable privacy laws and create comprehensive privacy protection rules and best practices for all team members.
2. Create (and test) an incident response plan: Ensure everyone understands how to identify a breach, who to communicate with about a known or suspected breach, how to contain the breach, and what to do in the aftermath.
3. Conduct a maturity threat assessment: Periodically review your controls (i.e. policies, technology) to determine whether they’re suitable and effective for your enterprise risk profile.
4. Review your technology infrastructure: Periodically assess your technology framework (i.e. firewalls, anti-malware, software versions, etc.) to determine whether they will protect against a breach.
5. Penetration test your systems: Proactively hunt for vulnerabilities in your technology systems to understand the effectiveness of your cyber controls and the potential damage of a breach.
6. Manage your third-party vendors: Understand how any arm’s-length organizations protect your data, how they will protect you in the event their systems are breached, and what your liabilities are.

The COVID-19 pandemic has seen a glut of scams, frauds and misleading claims from malicious and opportunistic actors. The Canadian Government reported the cumulative volume of coronavirus-related emails and threats is possibly the largest ever collection of attacks exploiting a single theme. The pandemic has created a perfect storm of fear, uncertainty, doubt, and chaos — and the bad guys have stepped up to the occasion. Organizations, and especially boards, must do the same.

It would be foolhardy to perceive the current crisis as a blip in the radar and expect a return to the status quo once the broader issues subside. A return to normalcy will bring new challenges as organizations adapt to hybrid operating models, a growing divide between people working in the office and from home, and reinvest in digital initiatives that may have temporarily been shelved in favour of more pressing concerns.

Concerns and vulnerabilities around the pandemic have been especially salient over the past 12 months, which has a drawback for criminals as much as a benefit. Sure, there are vulnerabilities to exploit, but people can become wise to the tactics. Will you be ready when the hackers change their modus operandi?

It’s happened before and it will happen again. A top-down approach for risk management and resilience is the only way you can answer that question with any degree of confidence.

To learn more, or to request a free consultation, contact Danny Timmins.

Danny Timmins, CISSP, is a Partner and MNP Digital’s National Cyber Security & Privacy Leader. Danny and his team have extensive experience advising business leaders and boards of directors on cyber security risks, trends and opportunities and have helped many Canadian organizations improve their resilience to attacks.

Sources

• [1] Lambert, F. (2020, August 27). The Big Tesla Hack: A hacker gained control over the entire fleet, but fortunately he’s a good guy. Elektrek.
• [2] Larsen, S. (2017, June 19). A smart fish tank left a casino vulnerable to hackers. CNN Business. 
• [3] Turton, W. (2021, March 9). Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals. Bloomberg.