NACD New England Chapter Event Highlights

Breakfast Event – March 10, 2015

Not If, But When: Cyber Security for Companies in an Age of Inevitable Hacks, Attacks & Breaches

Event Overview

If you think your business is protected from cyber threats, try a simple experiment. Randomly drop a half dozen unlabeled memory sticks in the company parking lot some morning. Make sure they’re not infected with malware, though, because at least one of them probably will be plugged into your network by day’s end. The lesson for cyber-risk oversight? Ingraining a cyber-security mindset in your company’s culture is no less important than your email encryption software or firewall platform.

At the NACD New England Chapter’s March 2015 Breakfast Event, a panel of three nationally recognized cyber security experts shared this insight and many more. In a lively panel discussion followed by a provocative Q&A session, the panelists discussed today’s rapidly changing cyber-threat landscape, telling war stories about recent attacks, breaches and hacks, and highlighting steps that directors should be taking to protect their companies from the next generation of cyber risks.

About the Panelists

Brigadier General (retired) Gregory J. Touhill is the Deputy Assistant Secretary for Cybersecurity Operations and Programs in the Office of Cybersecurity and Communications (CS&C) within the Department of Homeland Security (DHS), where he focuses on the development and implementation of operational programs designed to protect our government networks and critical infrastructure systems. General Touhill retired from the U.S. Air Force in 2013 after a distinguished career culminating as the Chief Information Officer and Director of Command, Control, Communications, and Cyber Systems at U.S. Transportation Command – one of the nation’s 10 combatant commands.

Cynthia Larose is Chair of Mintz Levin’s Privacy & Security Practice and a Certified Information Privacy Professional (CIPP). She represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the “corporate lifecycle,” from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions.

Edward F. Davis is President and CEO of Edward Davis, LLC, a full-service security and consulting firm. The firm advises major corporations on the latest technology in the police and security fields, specializing in telecommunication, cyber security, risk management, continuity of business planning, crisis management for corporations, as well as large scale events and best practice consulting in community policing. Davis has been in law enforcement for 35 years and served as the 40th Police Commissioner of the City of Boston from December 2006 until October 2013.

Panel Discussion Highlights

In their opening remarks, all three panelists emphasized that cyber security is an enterprise-wide risk management issue – not simply an operational issue handled by the IT department. “Cyber security is everyone’s business – not just for geeks in the server room,” General Touhill said. Cynthia Larose stressed the importance of boards taking ownership of cyber risk management as part of their broad oversight of enterprise-wide risks. Edward Davis highlighted the all-encompassing aspect of cyber vulnerability, saying, “Even after being a police officer for 35 years, I have never seen an issue that is so enormous a threat to the normal working person as well as the business community – cyber security is a risk that touches everyone.”


There was consensus among the panelists that three types of actors are responsible for the majority of cyber breaches and attacks:

  • Nation-states, which are engaged in global cyber warfare ranging from economic intelligence gathering, to intellectual property theft, to attacks on business continuity as recently occurred at Sony Corporation.
  • Criminals, who are responsible for theft amounting to billions of dollars annually by penetrating credit-card systems, corporate networks and other types of digital infrastructure.
  • “Hacktivists,” who score publicity points by assaulting the business and government sectors with embarrassing and disruptive breaches of websites and enterprise networks.

The panelists pointed out that nation-states, criminals and hacktivists all take advantage of perhaps the most important actors of all – the insiders whose carelessness can make it easy to compromise even the most well-protected corporate and government assets.

How should directors think about the challenge of cyber-risk oversight? The panelists’ remarks focused on opposite ends of a spectrum – that is, focusing on protecting only the most critical digital assets, while at the same time, being as comprehensive as possible in identifying potential vulnerabilities. “He who defends everything defends nothing,” said General Touhill, quoting a Chinese philosopher. Echoing this sentiment, Cynthia Larose stressed the importance of identifying the company’s “crown jewels” – its most critical digital assets – and considering their defense as the board’s top cyber-risk management priority. Ask “where are these assets, how are they accessed, and who has permission to access them?” she said.

Along with greater connectivity comes higher risk. Therefore, on the other end of the spectrum, the panelists argued that boards should think about cyber threat protection in as holistic a manner as possible. They underscored the importance of employee training and awareness, given that email spear-phishing attacks – which target specific individuals – are a major cause of corporate network breaches.

In addition, the panelists said, the migration to the cloud and greater integration of corporate networks with those of customers, contractors and vendors means that boards must expand their oversight horizons to include their business partners’ cyber security preparedness. They also pointed to the explosion in Internet-connected devices as a source of greater digital connectivity and, therefore, higher cyber risk. “With the Internet of Things, the physical security of corporate facilities has now merged with cyber security,” said Edward Davis.

The panel discussion also explored the elements of cyber security planning. Potential vulnerabilities must be systematically identified to ensure that investments in software and technology platforms are targeted to the probable threats, the panelists said. Security infrastructure must be kept up to date and fully operational at all times. There needs to be a practical response plan in place before breaches are detected – a plan that is well understood by the team responsible for its implementation. The response plan must be backed up by an equally practical recovery plan – one that, again, is well understood by those accountable for implementing it.

Cynthia Larose urged boards to be as granular as possible in identifying and prioritizing potential cyber risks. She emphasized the importance of tapping into third-party expertise, including government resources. The FBI and Secret Service are available to assist boards with cyber security planning, she said. She also pointed to the National Institute of Standards and Technology (NIST) as a source of valuable, practical insight. The “Framework for Improving Critical Infrastructure Cybersecurity,” created through industry-government collaboration and released by NIST in February 2014, consists of useful standards, guidelines and practices for managing corporate cyber security risk, she said.

The panelists discussed the legal implications of cyber security in the context of corporate governance, highlighting the importance of access to third-party legal expertise. Given that breaches leading to data theft can result in derivative lawsuits, the panelists also recommended that directors carefully evaluate the cyber security coverage provided by their D&O insurance policies. In addition, they discussed the crisis management aspects of cyber security planning, advocating for the routine and rigorous use of tabletop exercises to ensure that the company’s plans are not just gathering dust in a file drawer, but are implementable in the real world.

Q&A Session Highlights

The meeting closed with a series of general questions from the floor, among them:

Q: What are the best strategies for securing mobile devices?

A: Acknowledging the prevalence of smartphone theft, General Touhill and Edward Davis both cited the use and protection of passwords as the key to securing mobile devices. They also pointed to the advantages of using two-factor authentication and encryption to secure mobile email traffic. Cynthia Larose commented on the role played by corporate culture in enterprise mobile security, citing examples of CEOs who set the wrong tone by refusing to use smartphone passwords themselves.

Q: What are the most critical corporate cyber security blind spots?

A: General Touhill and Edward Davis both pointed to unprotected physical facilities and untested network security infrastructure as key corporate vulnerabilities. In discussing physical facilities, they described sloppy business practices as the most prevalent blind spot – for example a lack of attention to security at entrances, or visitors being allowed unescorted access to offices and meeting rooms with network connectivity. In commenting on security infrastructure, they cited inconsistent threat testing and logging of network traffic as signaling inadequate cyber security.

Q: With so many Internet-connected devices being manufactured offshore, is there an equivalent of an Underwriters Laboratories for products like these?

A: The panelists were in agreement that no such certification benchmark exists. Cynthia Larose urged boards to address this risk by being vigilant in evaluating the security of supply chain partner networks. General Touhill pointed out that many products that are manufactured overseas are designed in the United States with security in mind, so the key is to ensure that “What you designed is what you are getting” from the vendor. Prefacing his answer by observing that “We are still in the Wild West,” Edward Davis went on to discuss the progress made recently through collaboration between government and the utility industry in securing the nation’s energy infrastructure.

Meeting Wrap-Up

NACD New England Chapter Chairman R. Robert Popeo closed the March 10th session by thanking Ellen Richstone and her committee for arranging the session and extending his appreciation to everyone for their participation. He offered a reminder about the NACD New England Chapter’s next breakfast event: “Shareholder Activism: What You Need to Know.” “Given that 344 public companies were targets for activist shareholders in 2014, and activists were 74% effective in their initiatives, activism may be the most critical issue in the boardroom today,” he said. The meeting is scheduled for Tuesday, April 14, 2015 at the Newton Marriott Hotel.
