CEOs are in a complex quandary on information security. On the one hand, this is a topic requiring deep technical expertise that is (usually) outside the wheelhouse of CEOs, unless they head up a security tech company. On the other hand, it has become abundantly clear that in the court of public perception (and, for that matter, the court of law) it is considered a CEO’s personal responsibility to ensure that appropriate safeguards are in place to protect the information of a company’s customers – particularly consumers. No CEO wants to end up on the front page of the newspaper or sued for negligence over a breach. Recent incidents should serve as sufficient motivation:
- Yahoo – 3.5 billion account details were stolen in two separate breaches in 2013-14: every single account on a system serving nearly half of the world’s population (not fully disclosed until 2017)
- Sony Motion Pictures – hacked in 2014 by a group working with North Korea, which used the stolen sensitive data to force Sony to cancel the release of a movie about Kim Jong Un
- Anthem Health – 80 million customers’ identity and health insurance records were breached in 2015
- Equifax – 146 million customers’ detailed credit records and social security numbers were breached in 2017
- UK National Health System – 16 hospitals’ systems were completely shut down by the WannaCry ransomware in 2017, at an estimated cost of 100M
- Atlanta – the city government was crippled by ransomware, disabling the city’s ability to operate or fund services in 2018
- Marriott/Starwood – 500 million customer records breached in 2018, including birthdates and passport details
- Capital One – 100 million customers’ credit card details and histories were breached in July 2019
Like many CEO responsibilities, the key is to put the right team in place – whether permanent employees or outside partners providing IT guidance for the executive team. But how can a CEO without technical security expertise know whether their security team and program protect them in every way they should? How can a modern-day CEO sleep at night when considering information security?
Our team of expert C-level consultants has consolidated this list of the main components that should be included in an effective information security program. A summary list of this kind is, of course, no replacement for deep research, nor any assurance that the protections put in place will function as intended. But for CEOs wanting to get some sleep at night, it at least provides fodder for a good conversation with your head of IT, and possibly a reason to engage an outside expert for C-suite IT advice…
Perimeter Security
- Physical security of data center(s) and business location(s)
- Perimeter Firewall(s) (+ geography filter if possible – at minimum, “impossible travel” blocks) *
- Wireless network security, access control. Separate the “guest” network (if any at all) *
- Intrusion Detection/Prevention (at minimum, access/VPN audit log reviews* or SIEM log alerting)
- Regular port-scans/penetration testing *
- Secure website and web services architecture (no SQL injections, etc.) *
Email Security
- Email virus and spam/blacklist filtering
- Email domain spoofing/phishing protection *
Device Security
- Endpoint PC virus/malware protection *
- Server virus/malware protection *
- Server & Endpoint patching, configuration management *
- Mobile device security, mobile wipe on loss/theft
Access Controls
- Multi-factor authentication (e.g. requiring an app/text PIN in addition to a password, at minimum for remote system access)
- Cloud Security monitoring (+ geography filter if possible – at minimum, “impossible travel” blocks)
- Complex password requirements (more important than reset frequency)
- Application access level controls, “toxic combination” audit *
- Privileged Administrator/Service account password process/tool *
- Regular Network account audit, contractor timed expirations *
Data Security
- Complete daily server/cloud backups (near real-time replication is better still; PC backups for key personnel are also worthwhile) *
- Secure disposal/recycling of used equipment
- Encryption at rest of all SSN, credit card, banking and identity data
Staff Training
- Business staff security training/reminder program *
- Administrative account holders cybersecurity training
* Several of these suggested controls are part of the Center for Internet Security (CIS) Controls.
If your IT leaders have good solutions in place covering these “threat vectors”, and have a way to know that the protections are functioning correctly, they are covering the basics, and you should at least be able to sleep at night. On the other hand, the absence or failure of any one of the line items listed above can expose your organization to risk. If any of these protections need to be installed or upgraded, or if you’d like an outside perspective on any unique risks to which your organization may be exposed, please contact us to explore how our experts can offer a deeper analysis.