Recent cyber attacks have caused boards of directors and top corporate leaders to ask pointed questions about their companies’ cyber security practices and incident response plans.

Many companies are re-evaluating their cyber security strategies in light of an increase in reported cyber attacks on businesses. The rising sophistication of these attacks has led companies to scrutinize their preventive security protocols and response plans, and for good reason.

Mary Galligan, a director with the Cyber Risk Services practice of Deloitte & Touche LLP, advises companies to prepare for the likelihood of an attack by implementing risk-based security measures and an incident response plan that details the steps and communication protocols required for reacting to and recovering from an attack. In this Q&A, Galligan, a retired FBI agent who was in charge of cyber and special operations for the New York office, discusses a wide range of topics, including questions corporate boards should ask about cyber security, the effectiveness of cyber war-gaming activities, and misconceptions about cyber security.

How should an organization respond to a cyber attack?

Galligan: The response should start long before an attack occurs, with preparation and a focus on resilience. Companies need a cyber incident response plan with detailed processes for coordinating efforts among different front-line functions, such as the general counsel’s office, public relations, and the office of the CIO. As with other business continuity plans, the cyber response plan should be designed at the board level, or at least by the executive in charge of risk management. It should have a far-reaching scope, and it should include follow-on scenarios that could result from an attack. For example, when developing the plan, management should think about how much risk the company can accept if systems or services have to shut down, and the technology that must remain operational so that the business can run once it recovers. Similarly, boards and executives should consider how long the company can sustain operations using limited technology resources, and how promptly the business can become fully operational after an attack. An effective plan emphasizes preventive controls, prompt detection of potential problems, and rapid response.

When an attack takes place, the first course of action should be to alert the general counsel’s office. Some executives don’t think to do this, but I suggest it because numerous legal issues can arise from a cyber breach, ranging from the need to issue data breach notifications (required by more than 47 states), to following the SEC’s cyber security disclosure guidelines for publicly traded companies, and dealing with law enforcement investigations of the breach.

What questions can CIOs and other executives expect from the board of directors about cyber security?

Board members should ask management two overarching questions: “How is the organization securing its systems,” and “Has the organization conducted a risk assessment of its crown jewels, the assets requiring the most protection?”

The board can follow up with questions aimed at discerning whether systems are secure, employees remain vigilant, and the business stays resilient. For example, boards may want to ask about the organization’s processes for securing its information assets and determining what information leaves the company. Management often spends time identifying the information coming into the company, but perhaps not as much time on what’s leaving it. Insider threats account for about 15 percent of cyber security incidents, and spearphishing is still the primary way breaches occur. If a large packet of data is leaving the system, questions should be asked. From a vigilance perspective, boards should consider asking if management is establishing risk and threat awareness across the enterprise, and how the company detects policy violations and anomalies. Questions about resilience can focus on whether the organization has the ability to handle a critical cyber incident and quickly return to normal operations.

The financial industry has used cyber war-gaming to help improve its responses to cyber attacks. What lessons can other industries learn from this technique?

Cyber war-gaming can help companies test the effectiveness of an existing incident response plan and identify gaps in areas such as communication and coordination. As such, it allows companies to more proactively prepare for cyber threats. This past July, the Wall Street community and numerous federal government agencies participated in a full-day cyber attack simulation known as Quantum Dawn 2. Participants recognized a need for more effective communication and information-sharing between institutions and federal agencies, and among companies in the same industry and select third parties, such as law enforcement. The resulting report noted that the response protocol executed during the simulation allowed participants to reach consensus in a timely manner about their decision to shut down certain financial markets. Meanwhile, individual companies had to decide when the simulated attack was over and when to resume normal business operations.

How are cyber security strategies evolving to address new threats posed by mobile devices and cloud computing?

Every person with a mobile device, laptop, or even a desktop is now an organizational vulnerability. Consequently, implementing cyber security strategies comes down to business decisions. For example, organizations have to make a business decision about whether allowing employees to use thumb drives is worth the risk of malware or a rogue employee downloading unauthorized information. That doesn’t mean employees should be forbidden from using thumb drives, but rather that they should be required to follow certain procedures: maybe they can only use company-issued thumb drives that they have to sign out, and maybe the company needs to implement a process for tracking those devices.

What misconceptions do some corporate leaders have about cyber security?

There are two common misconceptions. The first pertains to how breaches are discovered and how the government obtains and shares related information. At least 40 percent of all cyber security breaches are identified by a third party, such as a law enforcement agency, a financial institution, or a telecom carrier. This finding surprises company leadership because they generally believe breaches are discovered in-house. When law enforcement gets involved in a breach, some executives become frustrated when they feel the government may not be sharing information in its entirety. In fact, in many cases, the government only sees one piece of the puzzle. The company may need to work with the government agency to put together third-party information and their own information to adequately investigate and mitigate a breach.

The second area that sometimes surprises corporate leaders is how swiftly a breach from a cyber attack can move from being a technology issue to a business issue. On short notice, organizations are likely to face requests from law enforcement for access to networks and, at times, these requests could involve legal processes and inquiries from regulators and customers. While dealing with those inquiries, organizations simultaneously have to comply with varying state data breach laws, communicate with shareholders and the public and, of course, continue operating the business.