October 13, 2016
Cybersecurity threats to organizations have never been greater. The severity and impact of cyber threats have changed the landscape in which governments, corporations, individuals and, specifically, financial institutions of all sizes and complexities operate, according to the Department of Defense. Data compromise and system breaches have become commonplace in our society—1 billion personally identifiable information records were stolen in 2014 alone—and boards and executives recognize they’re being held accountable for the data entrusted to their organization. A mistake or malicious act in cybersecurity can lead to loss of data, trust, customer base and more. If not properly managed, cyber risks can lead to an organization’s demise. To effectively manage cybersecurity risks, boards and executives need greater transparency in the IT activities of their companies and an independent evaluation of the adequacy of what their organizations are doing to protect data.
One of the greatest challenges facing most boards and executives is the complexity of the IT world. For most organizations, those responsible for managing IT systems operate in a bubble. People outside the IT group (and even some within it) understand little of the technologies or operations that provide the most basic technology-based services that businesses rely on, like email or web services. When in recent history have businesses been so dependent on a service they know so little about? When have boards and executives been so ill prepared to manage the risks posed by a critical aspect of their business, specifically the security of their IT operations?
In general, IT departments operate in one of three communications models:
Most organizations fall into the second category. These IT departments view themselves as an open book, willing to assist management when requested. Their intentions, although good and admirable, leave boards and executives in a difficult position as they attempt to ascertain and manage their cyber risks. If they don’t know which questions to ask, IT isn’t going to give them the information they need. Boards and executives need outside resources with the skill set and experience to provide transparency of the activities of their IT department. Boards and executives need these resources to ask their IT department the questions necessary to gather the information they need to effectively manage their cyber risks. This process is not as simple as asking IT to complete a questionnaire. Often the critical challenge is asking the right follow up questions to an initial response from IT. Their answer to the second or third question is often where the true risks are discovered.
Independent resources curb biases
Research conducted by the United States Computer Emergency Readiness Team (CERT) found that the most likely architects of cyberattacks are system administrators or other IT staff with privileged system access. Stories of white-collar crime, employee fraud and insider threats permeate our newsfeeds.
“California man pleads guilty to using a database of stolen trade secrets to generate more than $300,000 in gross sales and $60,000 net profit for himself.”
“Software programmer found guilty of planting malware in the network of the investment bank where he worked, resulting in damages costing over $3 million.”
Boards and executives need to understand that the people they entrust to manage their IT systems, in many cases, have the ability to do almost anything to the data residing on those systems. Company and customer data, including financial, health and proprietary data, can be viewed, modified or erased by those responsible for developing and administering systems. To further complicate matters, those same individuals have the ability to remove all evidence or audit trail of their activities.
Organizations can become entirely reliant upon a person, group or vendor who can (through either mistakes or malicious intent) make everything appear to be OK. Mistakes and fraud are more common than most think. Boards and executive management need an independent resource to peel back the layers of obscurity and provide an unbiased view into their organization’s IT.
To fulfill their responsibilities, people with ultimate accountability for the security of an organization’s data need to be clear about the complex processes conducted by their IT personnel, as well as independent evaluations of their organization’s cybersecurity activities, initiatives and culture.
Investors and business owners do not blindly accept management’s reports and evaluations of their financial statements. Instead, they rely on accountants to verify an organization’s financial health. Likewise, boards and executives should not be content with information provided by their own IT professionals but should validate the information with an independent assessment.