Cybersecurity guidance for board members: how to tell if your organisation is a breach target
Long gone is the belief that cybersecurity is just an IT issue and that senior leadership doesn't have to play a role in risk management. Meeting the evolving security challenge requires an enterprise-wide approach, and the need for leadership from the board has never been greater or more pressing. This is especially important with Scams Awareness Week 2018 currently taking place, urging all Australians to take a more proactive approach to protecting against threats from phishing to identity theft to false billing.
As a board member, it's important to consider why an organisation may be targeted and to embrace the maxim that "the 'what' is less important than the 'who' and the 'why'." The intent behind this statement is that malware and other methods used in an attack offer little from a strategic perspective. Though they represent critical details about what happened and how to remediate that individual incident, what's more important - strategically - is to identify the actors and motives behind an attack.
Motivations in a cyber world
Cybersecurity threats should be evaluated based on the following motivations: espionage, criminal and hacktivist. Within each of these categories, it's possible to outline a set of likely adversary types who execute cyberattacks with those motives in mind.
These attacks can be financially motivated, destructive or focused on stealing intellectual property to gain a geopolitical advantage. Being aware of the various types of attacks adversaries will use is important to help board members understand modern threats that are constantly evolving and trying new techniques.
The Australian Competition and Consumer Commission (ACCC) recently released their annual report which explains the key scam activity and highlights the impact of scams on communities in Australia. The report found that a total of $340 million was lost, a $40 million increase compared to 2016 – and these are only the scams that have been reported.
Knowledge of who is likely to attack an organisation and why helps to arm board members with some of the information they need to issue guidance on their organisation's defensive posture. It also prepares them to be as effective as possible in the event of a cybersecurity incident. In addition to understanding the attacker's motives, board members must have similar discussions about the perceived value of an organisation's systems and data, along with a view into valuable information from strategic intelligence sources.
With the introduction of the Notifiable Data Breaches scheme and the General Data Protection Regulation (GDPR) in the European Union, now more than ever board members need to understand the risks of a cyber breach and the legal requirements governing the organisation's response.
High-Value Asset vs. High-Value Target
Cybersecurity is all about risk management. Understanding risk through the cybersecurity lens requires a conversation around assets and targets. Organisations often use the term “high-value asset” to define those systems, applications, data sets, etc., that it views as worth more to the organisation than other assets. It's the organisation's own view of what the “crown jewels” are. Conversely, high-value targets are those the adversaries are looking to compromise.
Understanding this difference is important when considering how best to prepare for the inevitable cyberattacks of today. You certainly should solidify your defences to protect your high-value assets, but don't be so short-sighted as to ignore the perceived value that others may place on different areas of your business.
Similarly, the antiquated idea that “they don't care about little ol' me” should be removed from consideration by every organisation with an Internet connection. Low-hanging fruit still has plenty of juice in it for the wide range of online adversaries that exist today.
Additionally, supply chain partners were the initial attack vector in 12 percent of incident response cases CrowdStrike investigated over the past 12 months. This means that adversaries leveraged companies that were often smaller and less secure to gain access to their end target through a trusted partner relationship. In other words, your organisation may not be the ultimate target, but you could become collateral damage as the attacker compromises your environment to reach their desired goal.
The role of the board in a discussion over what constitutes "high-value" is to help the organisation see the forest in spite of the trees. Because board members are not living the mission of the organisation daily, in most cases they are in a perfect position to provide an assessment of value from a more objective vantage point.
Additionally, many board members are selected for their vast experience across multiple organisations and industries. This provides members with an opportunity to speak from a perspective that is different from those within the organisation.
One last note about high-value targets: as a member of the board, you probably are one. Threat actors often focus their efforts on an organisation's senior leaders because of the influence they wield and the information they have access to. Make sure you have taken the appropriate steps to secure your own business and personal accounts and ask your security staff for guidance on how to best protect yourself and the companies you oversee.
Strategic threat intelligence can help
Understanding adversary motives and placing a value on your organisation's assets is often made easier when you're able to leverage threat intelligence. Cyber threat intelligence (CTI) takes on two primary forms. Tactical intelligence is information that can immediately improve your defences against known vulnerabilities and attacks. Examples include IPs or URLs, malware signatures and suspicious patterns, or other indicators that can be added to your preventative tools.
Alternatively, strategic intelligence informs high-level activities that an organisation can take to properly calibrate its security posture. Examples include information about new attack methods, shifts in targeting behaviour by threat actors, or political or economic events that are likely to inspire a shift in threat actor activity. This intelligence is not as simple to apply to the organisation as tactical intelligence but may ultimately prove to be more valuable because it can inform both security and business decisions.
As a board member, you may not have access to either tactical or strategic CTI by default, but your decisions should be informed by at least the strategic patterns and threats in these reports. Ask your IT leaders how they're incorporating threat intelligence into the day-to-day decision-making process, how it informs their understanding of the threat the organisation faces, and how that threat is evolving.
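To make the tactical side of CTI concrete, here is an added example (not code from the original article or from CrowdStrike) of what "adding indicators to your preventative tools" looks like in practice: a small Python script that takes a feed of IP, network-range and domain indicators and checks constructed web-proxy log lines against it. The indicator values, the log format and every log line are made up for illustration; a real deployment would pull the indicators from the organisation's intelligence provider and read the logs from its proxy or SIEM.

```python
"""Added example (not from the original article): applying tactical CTI
indicators (IPs, CIDR ranges, domains) to constructed web-proxy log lines.
All indicator values and log lines below are constructed for illustration."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed indicator set, in the shape a tactical feed would supply.
INDICATORS = {
    "ips": {"198.51.100.23"},
    "networks": {"203.0.113.0/24"},
    "domains": {"bad-invoice-portal.example", "update-cdn.example"},
}

# Constructed proxy log lines: timestamp, client, destination, method, URL.
LOG_LINES = [
    "2018-08-14T09:12:01Z 10.0.5.17 -> 198.51.100.23 GET http://198.51.100.23/login",
    "2018-08-14T09:13:44Z 10.0.5.22 -> 203.0.113.77 GET http://203.0.113.77/dl/agent.exe",
    "2018-08-14T09:15:10Z 10.0.5.17 -> intranet.corp.example GET http://intranet.corp.example/",
    "2018-08-14T09:16:03Z 10.0.5.30 -> cdn.update-cdn.example GET https://cdn.update-cdn.example/pkg",
    "this line is malformed and should be skipped",
]

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\S+) (\S+)$")


def compile_indicators(ind):
    """Parse the raw feed once so matching is cheap per log line."""
    return {
        "ips": {ipaddress.ip_address(i) for i in ind["ips"]},
        "networks": [ipaddress.ip_network(n) for n in ind["networks"]],
        "domains": {d.lower().rstrip(".") for d in ind["domains"]},
    }


def match_host(host, compiled):
    """Return a label for the indicator that matches host, or None."""
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # not an IP literal, treat as a domain name
    if addr is not None:
        if addr in compiled["ips"]:
            return f"ip:{addr}"
        for net in compiled["networks"]:
            if addr in net:
                return f"net:{net}"
        return None
    # A domain indicator matches the domain itself and any subdomain of it.
    for d in compiled["domains"]:
        if host == d or host.endswith("." + d):
            return f"domain:{d}"
    return None


def scan_logs(lines, indicators=INDICATORS):
    """Return one hit record per log line whose destination matches an indicator."""
    compiled = compile_indicators(indicators)
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        ts, client, dest, method, url = m.groups()
        # Prefer the host from the URL; fall back to the logged destination.
        host = urlsplit(url).hostname or dest
        matched = match_host(host, compiled)
        if matched:
            hits.append({"time": ts, "client": client, "host": host, "indicator": matched})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(LOG_LINES):
        print(hit)
```

Run as-is, the script reports three hits (a direct IP match, a match inside the listed network range, and a subdomain of a listed domain) and silently skips the malformed line. Note what this does and does not give you: it answers "has anything in our environment touched a known-bad indicator?", which is exactly the tactical question, and nothing here tells you who the adversary is or why they are interested in you. That context is what the strategic intelligence described above supplies, and it is the part a board should be asking about.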