Company Boards Need To Get A Grip.

Uploaded on 2017-01-06 in NEWS-Cybersecurity News, FREE TO VIEW

Major cyberattacks against organisations of all sizes seem to happen almost weekly. Despite the scale and potential harm from such attacks, there's wide recognition that corporate leaders, especially boards of directors, aren't taking the necessary actions to defend their companies against such attacks.

It's not just a problem of finding the right cyber-defense tools and services, but also one of management awareness and security acumen at the highest level, namely corporate boards.

"Our country and its businesses and government agencies of all sizes are under attack from a variety of aggressive adversaries and we are generally unprepared to manage and fend off these threats," said Gartner analyst Avivah Litan, a longtime cybersecurity consultant to many organisations.

"Some organisations do a better job than others, but those efforts are almost always led by CIOs, CISOs or business line managers and not by corporate boards, CEOs and executive management throughout government and the private sector," Litan added.

“Unless senior executives, corporate boards and other senior stakeholders get their act together, the threat actors will continue to win.” Avivah Litan, Gartner cybersecurity analyst

Litan said what's needed is a national response and cyber protection plan, but said she fears that the federal government is "way too fragmented and politicised to make any real progress toward this goal."

Threats against nationwide infrastructure, including the electricity grid, are "enormously serious," she added. "Unless senior executives, corporate boards and other senior stakeholders get their act together, the threat actors will continue to win. I'm not sure how many more wake-up calls we need in this country."

Litan's worries seem to have reached some quarters of the corporate governance community. The National Association of Corporate Directors (NACD) recently released a survey of more than 600 corporate board directors and professionals that found only 19% believe their boards have a high level of understanding of cybersecurity risks. That's an improvement from 11% in a similar poll conducted a year earlier.

The survey also found that 59% of respondents find it challenging to oversee cyber risk. The nonprofit NACD, which has 17,000 members, is working with security awareness firm Ridge Global and Carnegie Mellon University to create a Cyber-Risk Oversight program to educate corporate directors about the systemic risks of cyberattacks.

Litan said such education is important, but she also supports state and federal laws to require organisations to report cyber-attacks so that customers and partners will know to change passwords and make other adjustments to protect sensitive data.

"Having a requirement to disclose is a great motivator to increase security to prevent future attacks," Litan said. "No one wants their names in the news. That's what corporate directors are most worried about, in fact."

A majority of states have data security breach notification laws, but so far there's no nationwide provision. California first enacted its notification law in 2003, and other states followed suit.

At the federal level, a number of US senators have backed breach notification laws, but no bills have passed congressional muster. President Barack Obama proposed such legislation in 2015. With the January inauguration of Donald Trump as the next US president, it remains to be seen whether a federal breach notification law will take effect in the next four years, or longer.

When Yahoo disclosed in September 2015 a separate hack dating back to 2014, US Sen. Mark Warner, D-Va., renewed calls for bipartisan legislation to create a uniform data breach notification standard and co-founded the bipartisan Senate Cybersecurity Caucus. "Action from Congress to create a uniform data breach notification standard ... is long overdue," Warner said at the time.

One analyst, Jack Gold of J. Gold Associates, questioned whether a national breach notification law would be effective. "There are disclosure laws in many states and there are some government regulations that require disclosure, but I'm not sure it has any effect if companies lie about a hack or don't disclose it," he said.

Techworld:                      Cyber Security is Now Business Critical (£):
 

« Digital Forensics, Incident Response & Attribution
Virtual Reality Is Getting Real In 2017 »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Paessler

Paessler

Paessler is a leading worldwide provider of network monitoring software.

Axiomatics

Axiomatics

Axiomatics provides dynamic authorization and access control solutions to protect critical data assets.

Global Digital Forensics (GDF)

Global Digital Forensics (GDF)

GDF specialise in Digital Forensics and e-Discovery. Other services include Data Breach Response and Cyber Security.

Centripetal Networks

Centripetal Networks

Centripetal Networks was founded with one vision - to protect networks from advanced threats by simplifying intelligence-driven security.

Cryptomathic

Cryptomathic

Cryptomathic is an expert on commercial crypto - we develop, deliver and support the most secure and efficient off-the-shelf and customised solutions.

VerSprite

VerSprite

VerSprite is a specialist information security consulting firm. We provide organizations with detection across all their attack surfaces and deliver critical insight into all possible attack methods.

Ioetec

Ioetec

Ioetec's mission is to connect users to their IoT devices securely, ensuring these devices remain safe to use in our increasingly connected world.

Build38

Build38

Build38 provides the highest levels of security for mobile applications.

Kleiner Perkins

Kleiner Perkins

For five decades, Kleiner Perkins has made history by partnering with some of the most ingenious and forward-thinking founders in technology and life sciences.

Upfort

Upfort

Upfort (formerly Paladin Cyber) unifies award-winning security and robust cyber insurance to deliver comprehensive cyber risk solutions.

spriteCloud

spriteCloud

spriteCloud is an independent software testing, test automation and cybersecurity services provider.

Nine23

Nine23

Nine23 are a highly focused cyber security solutions company that defines, builds and manages innovative services, enabling end-users to use technology securely in today’s workplace.

Strike Security

Strike Security

Strike Security offers a continuous penetration testing platform that combines automation with ethical hackers.

CybersCool Defcon

CybersCool Defcon

CybersCool is committed to educate and train, re-skill and up-skill the current workforce of various industries and businesses in the knowledge and know-how of cybersecurity.

Moro Hub

Moro Hub

Moro Hub, a subsidiary of Digital DEWA, is a UAE-based digital data hub focused on digital transformation and operational services.

National Information and Cybersecurity Council (NICC) - India

National Information and Cybersecurity Council (NICC) - India

National Information and Cybersecurity Council is a leading collaborative effort between Government of India and Industry to raise Cybersecurity awareness nationally.