As a business executive or board member, do you know what questions to ask your security professionals? How familiar are you with the current cyber threat landscape? Are you prepared to deal with a ransomware attack? Have you taken the time to understand your organization’s risk profile to determine how a cyberattack might impact your operations?
These were some of the core themes presented at a roundtable discussion in Boston on June 14, hosted by Deutsche Bank’s Cash Management business. The session was designed to prepare and arm treasury and financial professionals with the right questions to ask at their organizations and dig deeper into today’s complex issues related to cybersecurity.
The roundtable is part of an ongoing program designed for Corporate clients that focuses on strategic and market issues, including business development and growth, as well as economic, industrial, political, technological and other market trends.
Greg Day, VP and CSO EMEA for Palo Alto Networks, was the featured speaker at the event and he stressed the importance of executives being more cyber-aware as part of their core mission. Key themes included:
- The evolving cybersecurity threat environment
- The human element in preventing and reacting to attacks
- Asking the right questions of security leaders
- Dealing with issues around trust, ransomware and other topics that were top of mind for executives in attendance
- Best practices when responding to a cyber incident
Cybersecurity at an Inflection Point
When it comes to cybersecurity, we are at an inflection point, Day said.
The world is becoming more digital and just about every business operation is, in some way, reliant upon connected digital technologies. This means each business operation is potentially vulnerable to a cybersecurity attack.
“Ask yourself what’s digital today and, more importantly, what will be digital tomorrow and in a few years,” Day said. “Then go back to your teams and ask what types of attacks can occur, and what would the impact be? Would we lose service? And then ask: What is the likelihood of that happening?”
As the world changes, business leaders and board members need to be cognizant of where threats are coming from and the role of people, processes and technology in causing, preventing and responding to attacks. Technology can help to reduce risks, but the human element is huge, Day cautioned.
Cyberattacks are often about getting credentials. As security technology becomes more difficult to break, criminals are simply taking the easier route and asking for credentials. Unfortunately, people still share them inadvertently, through email, web-based email, web browsing and even over the telephone.
“It used to be they’d have to break into your business to get into your network. Now they can break in without ever getting in,” Day said. The rise of cloud computing is adding complexity to security. When you move to the cloud, for example, the provider will secure the infrastructure, but you are responsible for securing the applications, data, and credentials. “You can’t outsource the problem,” Day said.
Becoming More Cyber-Aware
The answer is for everyone to be more cyber-aware, not just security professionals, but also employees and individuals at the highest levels of their organizations, such as those attending the Deutsche Bank roundtable. What are some steps business leaders and their organizations can take?
Be careful who you trust. A cybercriminal can send 100 million phishing emails out without anyone even noticing, and can make them appear to come from people in your personal contacts. More often today, attackers will either use stolen, trusted credentials or do their best to mimic trusted sources. Ask yourself a few things: Who sent this? How do I know I can trust them? What are they asking me to do? Is this unusual? Are they using emotional triggers to provoke a mindless action?
Plan your next steps. Who will you go to when you receive a phishing email? Will you go to the IT people and ask about phishing attacks? How about picking up the phone and asking: “Did you send this to me?”
Ask the right questions. What is your overall security posture? What’s an acceptable plan to be resilient? What are the key metrics to measure success and where do we stand in relation to these metrics? What are our core business functions, and who and what are involved? Ask open-ended questions of your security leaders, to ensure that you get thoughtful and detailed answers. The answers you look for should focus on how to prevent incidents that will impact the business as well as how to respond during such incidents to reduce their impact.
Prepare. Preparation was one of the overriding themes that kept coming up at the roundtable. Ransomware was another hot topic, and Day had specific suggestions for preparing for such an attack. He noted that ransomware works best when you lose access to information you can’t live without. To be better prepared, the questions to ask are:
- Do we have a second set of data in a different place so we can function?
- Can our redundant systems run with original processes?
- How long will it take to recover—and is that acceptable for the business?
- What can we do so they don’t come back again and again?
Day said one thought should be applied to every level of the business: “What is our resiliency, and what is our appetite for risk?”
Create a Cybersecurity Culture
Security people always fear that the CISO will get fired. “You need to empower and enable a culture that makes it okay to make mistakes,” Day said. Organizations should set up drills, go through scenarios, practice dealing with regulators and the press. These steps will help break through the perceived “language barrier” so often felt between executives and security experts.
Teams should discuss what information needs to be shared and when. They also need to know how and when to inform the board. One thing that came through crystal clear at the roundtable: The more you prepare, the more equipped you will be to both prevent an attack and deal with one.
Events such as the roundtable hosted by Deutsche Bank show that there is a growing interest among business leaders to be educated about the cybersecurity landscape and what organizations can do to be better prepared. By taking that growing interest and transforming it into positive action, you will make your organization less vulnerable to attack, while offering guidance and leadership in an area that is increasingly vital to the future of your organization.