Cybersecurity for Busy Executives - Increasing Boardroom Awareness

Ask your business, IT, and security managers the following questions to see where your enterprise stands:

  • Do we know what is connected to our systems and networks?
  • Do we know what’s running (or trying to run) on our systems and networks?
  • Are we limiting and managing the number of people who have the administrative privileges to change, bypass, or override the security settings on our systems and networks?
  • Do we have in place continuous processes backed by security technologies that would allow us to prevent most breaches, rapidly detect all that do succeed and minimise damage to our business and our customers?
  • Can you demonstrate all this to me, to our Board, and to our shareholders and customers today?

If they can’t say yes to all these questions, you may still be compliant with regulations, but your company’s data and customers are not safe. If you don’t ask these questions, your customers and shareholders will – or will ask soon!

Jane Holl Lute (Board of Directors of the Center for Internet Security)

We are currently seeing a great deal of disconnect between the Executive Boards of companies and the Cybersecurity professionals who work for them. Although Board awareness of Cybersecurity has increased significantly, we believe Boards are still not sufficiently knowledgeable about Cybersecurity issues.

There is a further issue in that Cybersecurity professionals are struggling to articulate the problems in a language that the Board understands. Our view is supported by a recent survey by Harvey Nash, the recruitment firm, which found that, among C-level executives, 30% or fewer of CEOs and COOs are well informed on Cybersecurity issues, and 20% or fewer of CFOs and CMOs are well informed.

In a series of blogs, we will aim to address these issues, starting with the first part of the problem: raising Board-level awareness of Cybersecurity. The series will:

  • provide Executive-level awareness of what the Boards of companies need to be thinking about around Cybersecurity;
  • speak the language of the Board;
  • be a short and easily digestible paper, which will allow Executives to build up their Cybersecurity knowledge bit by bit;
  • educate Executives on the key things they need to know so they can ask the right questions of their Information Security teams;
  • draw on real-life examples and case studies.

The four areas we will cover are:

1. Cybersecurity 101. The key things you, as an Executive, need to know. We will cover Risk Management basics; the different threats to your organisation and how to mitigate them; the most common attacks; what the attack surface of your organisation looks like; and the most common vulnerabilities. We will also provide a go-to glossary of common cybersecurity terms and jargon.

2. Making your organisation more robust. The main areas you should be asking your Information Security or IT team about. Here we will break down the different areas of best-practice Cybersecurity defence, which will allow you to ask the right questions of your IS team, and also allow you to dig below the surface to ensure you are satisfied that you are on top of what is going on. We will cover the following topics (amongst others):

  • Patching
  • Home and Mobile Working
  • User Education and Awareness
  • Incident Management
  • Information Risk Management Regime
  • Managing User Privileges
  • Removable Media Controls
  • Monitoring
  • Secure Configuration
  • Malware Protection and Anti-Virus
  • Network Security
  • Third Party Supplier Management

3. Cybersecurity Macro Trends. Once you understand the basics and have ensured your Information Security team has a robust plan, you then need to think about the future. There is a lot of change currently happening within the Cybersecurity industry and it is important that you (a) have a strategy; and (b) align this strategy with your overall business strategy. You therefore need to be aware of some of the trends that are underway, to ensure your cyber strategy incorporates these macro trends and remains relevant. As part of this section, we will look at the following trends:

  • Shortage of talent
  • The possibility of a future Cyber fatality
  • Increased regulation (GDPR) and compliance overload
  • Industrialisation of the most common attacks
  • Expansion of the attack surface
  • The Internet of Things
  • Breaches - Not if, but when
  • Possible cybersecurity scenarios

4. The future. Linked to the previous section, we will look even further into the future and discuss what it holds for the cybersecurity industry. We will look at some of the technology advancements underway, including Artificial Intelligence, and what impact they will have on Cybersecurity defences and on attackers. We will discuss the potential cyber arms race between governments and corporations on one side and the hacking community on the other, and how you can take advantage of advances in technology to improve your Cybersecurity defences and to save money.

We hope you have enjoyed reading this and look forward to our next blog in the Cybersecurity for Busy Executives series.


Supply chain Cyber Security Risk Management

The global WannaCry ransomware attack in May 2017 highlighted some weak points when it comes to patching out-of-date systems, and the insidious nature of phishing emails. But the speed and sheer global reach of the attack, the way it spread over 150 countries in just a matter of hours, really brought home the cyber risk to organisations from their extended supply chains.

The question is, how do you manage the cyber security risks that come from your supply chain? You may have painstakingly achieved and maintained 27001, NIST or PCI, but, if you are sharing data, networks and devices with hundreds, perhaps thousands, of third parties, how does that factor into your cyber security and business risk management process?

The answer is to weave together your information security and your supply chain, vendor management and purchasing processes. Vendors and suppliers must be quickly, appropriately and continuously assessed if your organisation is not going to import additional risk with each new organisation you do business with.

Joining up vendor and supplier management with information security is easier said than done. In the heat of commerce and getting things done, asking new and existing vendors or suppliers to wade through cyber security questionnaires, make declarations and provide evidence can very easily get overlooked. There is also the delicate issue of getting different cyber teams to "play nicely" and agree on any common frameworks that are needed.

However challenging it is, it has to be done. Crossword's approach is to make it as easy as possible. We use our Cyber Security Risk Assessment tool, Rizikon, to collect supplier data and analyse it using algorithms developed by City University. This gives an immediate Supplier Scoring which can be aggregated and viewed over the entire supply chain. Assessments are completed in just minutes or hours rather than days and weeks. Each supplier is given a list of prioritised recommendations which can be reviewed jointly with Supplier Management, the Information Security team and the supplier, all online and securely encrypted.

Rizikon can support frameworks mandated by Governments and Defence Procurement such as NIST (recently updated to include more supply chain assessment), Cyber Essentials and DCPP.

Rizikon is available in the cloud as SaaS, or installed on suitable infrastructure as an Enterprise or Programme solution. Find out more about Rizikon Supply Chain, or contact Crossword Cybersecurity.

GDPR Consulting tool from Crossword

Rizikon started life as a Cyber Security Risk Assessment tool, which has been adopted as a standard by a number of Consultancies and Professional Advisers. In February 2017, we chose to add a substantial GDPR readiness assessment and planning section, so that it now also works as a strong GDPR consulting tool.

With everyone declaring themselves a GDPR expert, well ahead of comprehensive guidance from the ICO, Rizikon now actually allows Consulting organisations to offer a comprehensive GDPR readiness audit and planning tool for as little as £50 per client (at volume).

Consultants and Advisers who want to offer up-to-date guidance on GDPR should take a look at Rizikon and how it delivers GDPR assessments at low cost.

The advisory reports are kept up-to-date with the latest from the ICO, with updates every 4 to 6 weeks.

To find out more about our GDPR Consulting tool Rizikon, just contact us or request more information about becoming a Rizikon Partner.

2017 will be the year of GDPR preparation

What is the GDPR?

  • The General Data Protection Regulation (GDPR) will, from May 2018, significantly extend the provisions of the Data Protection Act.
  • It defines the data covered to include anything about an individual EU citizen that could identify them, e.g. an IP address captured at login.
  • It requires that clear and affirmative consent to collect, store and process data is obtained (and sustained) from the individual, e.g. not just pre-filled tickboxes.
  • It requires you to tell them, free of charge and in a timely manner, what data you hold about them, and in a portable electronic format if they so request.
  • It requires you to respond if they withdraw their consent for you to process it, request that you rectify it (if wrong), or request full erasure of the data. There are some circumstances in which you can keep data, but the onus of proving the need is on you.
  • If you have passed on their data to third parties, then you have an obligation to inform those third parties of any changes in consent or in the data, and to advise them of erasure.
  • It has provisions to fine you up to the higher of €20M or 4% of global annual revenue for some categories of personal data breach. So you had better have really good cyber security! A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
  • In case you're now wondering, it also has provisions to fine you up to €10M or 2% of global annual revenue if you fail to report a notifiable personal data breach to the relevant authorities within 72 hours. In the UK that will very likely be the Information Commissioner's Office.
  • If you sign up to a GDPR-related certification scheme and fail to adhere to the rules, there are also provisions to fine you up to €10M/2%.

More precisely, the GDPR is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

GDPR and Brexit

Some news for those in the UK. The GDPR is probably not going away because of Brexit. The UK is already committed to implementing it by 25th May 2018, when the country will still be in the EU. Even if the UK Government subsequently waters it down or implements its own version, it will still apply to any data held about EU citizens.

Governance & Accountability

The two main drivers of the legislation are to increase citizens' rights concerning the data held about them, and to increase the accountability of organisations and their management in taking those responsibilities seriously. This will require you to have better governance of data, privacy issues and cyber security.

In many cases you will need new policies and procedures, and it is likely that new roles and responsibilities will need to be created. More than anything, a new mind-set is needed amongst non-technical leadership, to both demand the right things from their IT providers and to pay for them. Not that it's exclusively an "IT problem": the whole organisation will need to readjust how it looks upon data about individuals.

You need to start your GDPR preparations in 2017

Thinking prudently, once the regulation is active you should assume that:

  • Individuals will start exercising their rights (to know what data you have about them, to request erasure, etc.). Potentially some will exercise these rights quite aggressively. You will want self-service for most of this by then.
  • You will be fined if you have serious breaches, and you will have to report breaches within 72 hours or be fined. You'll need better defences, better monitoring and slick breach reporting.
  • You will have to show that you have serious governance in place managing these regulatory requirements, covering everything from doing data impact assessments, having good cyber security, breach reporting, data requests and so on.

All of this means that, even though some of the details are yet to be decided, you need to start work now, because these are not trivial changes. This is of the order of magnitude of Y2K. It means looking at all of your systems that hold affected data and working out how the regulation impacts them, and then implementing the changes and getting them live. It means putting someone in charge of the programme and giving them a budget. It means understanding where you are now and where you need to get to, in good time for May 25th 2018.

Three GDPR suggestions to do right now

  1. Read about the GDPR (here is a good starter for ten on the ICO web site), but also discuss it with your legal advisors. Review your existing DPA processes and understand how much more you will need to do.
  2. Because it's a long process (and getting harder), start improving your cyber security by taking a cyber security risk assessment. You must reduce the risk of personal data breaches well before 25/5/2018!
  3. Discuss the possible impact of GDPR at management meeting(s) and assign someone the responsibility of pulling together a cross-functional action plan covering IT, HR, Marketing and "the business". Get some expert help in if you need support.

Bridging the Valley of Death

If you're involved in a startup company or tech transfer then you have probably already heard of the 'Valley of Death'. For those who have never heard the term, the Valley of Death is the gap that exists between an idea and the reality of a commercialised product. There are many great research ideas that look promising on paper, yet for some reason never realise their potential.