Is Your Board’s Cybersecurity Training up to Code?

Jasper Zabala, CISA

Cybersecurity has been a hot topic within the past few years. It is especially important now due to the huge shift in people working remotely as a result of the current pandemic, which makes having strong cybersecurity measures invaluable. With the growing number of security breaches, companies are finding the best ways to secure their network through various types of administrative and technical controls. Yet, some organizations tend to overlook the importance of proper security awareness training being provided to their employees, especially specific training provided to the Board of Directors (“Board”).

Far too often, the Board and senior leaders are considered as prime targets for hackers since they have access to highly sensitive data with very little IT oversight. Not only does cybersecurity training ensure that the Board remains knowledgeable on the topic of cybersecurity, but the Board will also be aware and confident of important business decisions in the event of a cybersecurity incident, should it occur.
 
What should be presented to the Board?
 
There is a plethora of topics that could be included when the Board is being trained on cybersecurity. However, it’s quite possible that a tremendous level of technical details on an organization’s cybersecurity program could be left out. To avoid this, a designated Chief Information Security Officer (“CISO”) should present the training to the Board in an understandable manner. The topics that should be emphasized and considered include the following:

1. Cybersecurity is like any other risk situation: The Board must understand that cyber risk should be treated like any other kind of organizational risk (financial, operational, etc.). Although the Board may be more likely to focus on the financial risk of the organization, cybersecurity should require the same level of emphasis.
2. Cybersecurity is about risk mitigation - NOT risk removal: The Board must understand that cybersecurity risk is not one that is capable of being eliminated. In today’s interconnected and highly-sophisticated network environment, the risk of a cybersecurity attack on any particular organization continues to increase each day. Because of this, the Board should clearly understand the risk mitigation strategies that the organization has prepared in order to properly mitigate these risks.
3. The organization’s risk mitigation strategy: The Board should be aware of what the organization has prepared in order to mitigate cybersecurity risks. Examples may include:

• What policies and procedures are in place in the event of a security breach?
• More specifically, is there an adequate Incident Response Plan and is it tested on a regular basis?
• What insurance policy is in place for the organization?
• What remediation techniques are in place post-incident?
• What are some technical and administrative controls that the organization utilizes (e.g., use of firewalls, Intrusion Detection/Prevention systems, anti-virus software, software used for patch management updates, back-ups of critical information, etc.)?

Examples of cybersecurity organizations that support cybersecurity                  awareness:

 In recent years, more and more organizations have joined the Financial Services Information Sharing and Analysis Center (“FS-ISAC”). This industry is dedicated to reducing cybersecurity risk in the global financial system, which allows other financial institutions to share their ideas on anticipating, mitigating, and responding to cyber threats. US-Cert, DHS Automated Information Sharing Program, Center for Internet Security (“CIS”), and Infragard are among others that are being used as well.  

Are there other topics that should be presented?
 
Other than cybersecurity strategies that an organization has or is preparing to implement, there are other important factors that should also be considered when the Board is being trained. These topics should include the following:

Different types of cyber-attacks: The Board should be educated on the different types of cyber-attacks. The top 8 most popular cyber-attacks are listed below:

• Malware (short for malicious software) – Any kind of software that is designed to cause damage to a single computer, server, or computer network.
• Phishing – A technique by which cybercriminals craft e-mails to fool a target into taking some harmful action.
• Ransomware – Form of malware that encrypts a victim’s files and then demands a ransom from the victim to restore access to the data upon payment.
• Denial of Service – A brute force method attempting to stop online services from working properly.
• Man-in-the-Middle – A method by which attackers manage to interpose themselves secretly between the user and a web service they’re trying to reach.
• Cryptojacking – A specialized attack that involves getting someone else’s computer to do the work of generating cryptocurrency.
• SQL Injection – An injection by which an attacker can exploit a vulnerability to take control of a victim’s database.
• Zero-day exploits – Attackers exploit vulnerabilities within an organization’s software that have yet to be fixed and/or updated.
  

New cybersecurity threats and risks: It is inevitable that hackers are continuing to develop new ways to either penetrate or interfere with organizations’ network security, especially financial institutions. The Board should be properly informed of the emerging cyber threats and risks, especially to those organizations that have recently suffered from a security breach. Some examples of recent attacks include the following:

• Capitol One Breach – Occurred in July 2019, when hundreds of thousands of credit card applications, which included personal identifiable information (“PII”) such as birthdates and Social Security Numbers were exposed.
• The Weather Channel Ransomware – Occurred in April 2019, when the Weather Channel had fallen victim to a ransomware attack via phishing, which lured one of the employees to provide critical information.
• Yahoo – Occurred in October 2017, when all three billion Yahoo e-mail addresses were affected. The stolen information included passwords and backup e-mail addresses that were encrypted using outdated and easy-to-crack techniques.
• Equifax – Occurred in July 2017, when access was gained to personal information of nearly 150 million people. The eye opener on this breach was that the organization had already been told what needed to be fixed in order to avoid the incident well before it occurred, and yet, failed to implement this fully in a timely manner.

 
Best practices to reduce risk: The Board should be informed of the proper ways and best practices of reducing the risk and threats the organization faces on a day-to-day basis. Some obvious examples of this include:

• Protecting the data with safeguards
  
• Avoiding e-mails from unknown sources
  
• Using strong password protection and authentication
  
• Secure connection when using Wi-Fi
  
• Firewall protection, while either working at home or work
• Regularly installing security patches and backing up critical data

 
Changes in regulatory issues and impacts: Due to the high scrutiny of cybersecurity, regulatory examiners have updated new laws and regulations that financial institutions must abide by as of specific dates. It is vital that the Board is informed of these new and upcoming laws in order to be aware of what’s to come and what its organization has done in order to meet these requirements.

 
Just as it is essential for the Board of Directors to be provided with adequate cybersecurity training, it is also imperative to keep in mind that employees should be receiving training on, at least, an annual basis. Attackers are and will continue to find more and more ways to lure organizations’ employees in providing information in order to gain access to networks or critical information. With the proper security awareness training in place, an organization’s executives as well as its employees will be equipped with the knowledge needed to protect the organization from all forms of cyber-attacks and defend it from the disaster of a security breach.

Jasper Zabala, CISA

Manager, Information Technology & Cybersecurity Audit Team

Jasper Zabala manages and conducts complex and thorough reviews of information technology and cybersecurity controls, disaster recovery and business continuity procedures, server room and physical security controls, internet/mobile banking processes, and core and network access controls. He also performs internal and external vulnerability assessments, penetration testing, social engineering testing and other IT/Cybersecurity risk management services for the Firm’s clients. Additionally, he has developed new processes for testing IT and Operational internal controls to align with SOX/FDICIA and the COSO framework. Mr. Zabala is a Certified Information Systems Auditor (CISA) with a B.A. in Information Technology and Informatics from Rutgers University. He has been with the firm since 2015 and previously served as an IT consultant.