Recent cyberattacks, particularly in large organizations and critical infrastructure, have heightened the visibility of cyberrisk and attracted the attention of local, federal, and international government agencies, resulting in expanded regulations and enforcement. The FTC has imposed fines and compelled remediation, and the SEC has issued rules as well as requests for breach reporting on behalf of investors. Congress has even considered authorizing the SEC to require that companies disclose whether there is a cybersecurity expert on their corporate board and, if not, why not. In addition, recently enacted legislation — such as the New York State Department of Financial Services Cybersecurity Regulation and the European Union General Data Protection Regulation (GDPR) — can be far-reaching in scope and carry stiff penalties for noncompliance.
Outside of regulatory penalties, what's at stake for a technology product or service company if it hasn't fully addressed cybersecurity? It risks damage to or loss of valuable assets, and exposure to further costs, including:
- Existing and potential customers
- Intellectual property
- Shareholder value
- R&D data, including product designs and roadmaps
- Brand name and reputation
- Competitive position
- Market share
- Productivity lost to downtime, investigation and damage control
- Exposure to lawsuits and class actions
When it comes to security risks, the question isn't whether your organization will experience a cybersecurity event; it's when. As a leader in your technology organization, you have a role to play in understanding your cyberrisks, how to minimize them and what to do when a risk turns into an event. Unfortunately, many organizations don't immediately know they've been hacked, and some learn only when notified by an external entity such as law enforcement or a credit card processor.
Gain a collective awareness
One of the many challenges to maintaining security is that engagement with and adoption of protection mechanisms are usually inconsistent throughout an organization. While the CIO and chief information security officer (CISO) are the watchdogs over organizational security, business management tends to embrace technology as a driver of business growth and operational efficiency, and the board is concerned with the organization's overall viability.
Everyone in the organization needs to become aware of the risks and issues. But Grant Thornton’s National Managing Director of the Technology Industry Practice Steve Perkins said, “The person in the center of all this — the CISO — has a role that is challenging in any company, given the digital presence in every industry, but especially in a technology company. The role has grown well beyond traditional corporate protection to one that includes product development — how do we architect security into our products and services? — and business development. It’s a very complex role.”
Today just one in seven CISOs reports directly to the CEO, a missed opportunity for the other six organizations. Not much has changed in the past 10 years, according to Greg Garcia, executive vice president of Signal Group and former assistant secretary for cybersecurity in the Department of Homeland Security: "CISOs are still concerned that executive management doesn't quite get what cybersecurity means and what their responsibilities are, the costs associated with a cyberbreach, and how they ought to organize across their enterprise to manage this in a structured and proactive way."
Your organization’s cybersecurity depends on its leaders to prepare for a cybersecurity event, and to participate when one occurs. Each leader has an important role to take in personal action and reporting.
- CEO: Get information; answer to the board
- CFO: Fix financial damage; answer to the CEO
- CMO: Fix reputational damage; answer to customers and the CEO
- CIO: Identify loss of data and critical assets; answer to the CEO
- CISO and operations: Get systems back online; answer to the CEO
- General counsel: Defend from lawsuits and liability; answer to the CEO
- Investor relations: Calm investors; answer to the SEC and the market
- Communications: Answer to the public and customers
Pinpoint your organization’s vulnerabilities
To stay relevant in a constantly changing market, technology companies are generally focused on rapid development of software and products, sometimes placing security on the back burner. Too often, code is quickly produced with features taking priority over careful vetting. The fast pace of development ushers in numerous issues, such as minimal or no security functionality. In addition, technological advances such as the internet of things blur the lines in the traditional concept of the internal and external networks, and make security updates and patching much more important — and challenging.
Other challenges include increased sophistication of cybercriminals and increased reliance on third parties to perform outsourced IT services. Cybercriminals keep growing smarter and more innovative, selling ransomware on sophisticated e-commerce platforms in an underground version of the internet called the darknet.
Further risks are introduced by third-party vendors. It’s difficult enough for companies to manage their own networks and controls without the additional responsibility of managing those of their vendors, which continue to be a significant source of data breaches. As digitization increases the connection of companies with the internet, customers and suppliers, it also raises the complexity of assuring end-to-end security.
Address the vulnerabilities
Where does an organization begin to address its vulnerabilities? Start with education, said Grant Thornton Senior Manager of Cyberrisk Kyle Robinson: "Security awareness training is absolutely critical. Everyone in the organization needs to go through it — be it the C-suite, accounting, finance, sales, IT — because it's that person you missed who's going to be the source of a breach." Robinson suggested that organizations undergo cyberrisk health checks, including social engineering assessments in which an independent third party poses as an insider and attempts to get employees to disclose sensitive information they should not. The results and recommendations from these tests give management a basis for reducing the chance that a real-world attack succeeds.
When building or maturing a cybersecurity program, organizations should consider these areas:
- Provide security awareness training to all employees upon hire and annually.
- Enforce secure coding standards and train developers in them.
- Balance preventive controls, such as firewalls and passwords, with detection and response controls.
- Configure and tune detection tools to produce actionable data and minimize false positives.
- Use tools to perform cyberdata analytics and reporting for management.
- Implement and periodically test an incident response plan.
In addition, when working with third parties, organizations should consider the following:
- Before reviewing contracts, perform an inventory and risk ranking of data, and identify the location of highest-value digital assets.
- Apply risk management practices at all points of the vendor relationship, from initial due diligence and contract negotiation through data removal at termination of the relationship.
- Vary monitoring activities based on the value of the digital assets shared with the third party; one size does not fit all.
Cybersecurity responsibilities are shared with the board
Within the board, members' fiduciary duty calls for a basic understanding of cybersecurity and protections. At a high level, the board should expect to do the following:
For further guidance in protecting your organization's cybersecurity, including recommendations for risk management and cybersecurity framework models, replay Grant Thornton's webcast Risk and Governance Trends in the Technology Industry.
Contacts
Steve Perkins
National Managing Director, Technology Industry
Grant Thornton LLP
T +1 703 637 2830

Kyle Robinson
Senior Manager, Cyberrisk
Grant Thornton LLP
T +1 206 398 2490

Greg Garcia
Executive Vice President, Signal Group
Former Assistant Secretary for Cybersecurity
Department of Homeland Security