By: Matias Fefer and Peter Purcell
Boards are being pressured to ensure companies have developed and deployed robust cybersecurity strategies. Government oversight is increasing with the recent passage of HR 1770 by the Energy and Commerce Committee, which encourages companies to share details of all computer breaches with the U.S. government and affected parties. Many feel that HR 1770 is a precursor to supplementing Sarbanes-Oxley Sections 404 and 409 to hold board members and senior executives accountable for cybersecurity lapses.
Companies addressing cybersecurity threats face two immutable facts:
Fact #1: The IT environment will be hacked no matter how much money or effort is put into preventing cyberattacks.
Fact #2: The only way to prevent hacking is to disconnect computers from the network, disable all external ports, and prevent access by end users.
A company cannot perform business effectively on a day-to-day basis if computers are not networked. Emails need to be sent to clients, electronic orders need to be processed, and critical operational and financial information needs to be shared in a timely and accurate manner.
Companies who have successfully addressed cybersecurity concerns leverage a balanced, four-pronged strategy.
Prevention: Companies need to proactively identify and prioritize critical data or real-time control systems that need protection against unauthorized access. Penetration testing of priority areas will help determine gaps to be addressed with a combination of training, software and hardware upgrades, and security solutions.
Realistic prioritization of vulnerabilities is critical to ensure cost effective solutions are implemented. A recent study by an Ivy League college shows the most successful way to address breaches revolves around training and awareness. Cybersecurity experts say that more than 90% of breaches are a result of employees clicking links in phishing emails, infected emails from friends or cloned web sites. The remainder of breaches come through vulnerabilities in computing environments that have not been updated.
Detection: No amount of prevention will change the fact that networked computer systems will be hacked. Employees make mistakes. Companies need the right tools and resources to identify when a system has been hacked. Software tools and internal resources can be used to monitor networks and user accounts on a day-to-day basis.
Developing a relationship with a third-party cybersecurity firm is critical. Leverage the firm on a regular basis to test the computing environment and address hidden infections. Update training and end user communication based on results.
Mitigation: A realistic cybersecurity strategy includes contingency plans to quickly address inevitable breaches. It is not cost effective for IT departments to acquire all the tools and resources needed to recover from specific cyberattacks. Hackers continually change their methods, making it nearly impossible for an internal IT department to keep up.
Work with a third-party cybersecurity firm to develop and deploy clear protocols and service level agreements for addressing cybersecurity threats. Develop and deploy a clear communication strategy with end users. End users need to know what to do and expect in the event of a cyberattack.
Transfer: A cyberattack creates significant risk given the sophistication and aggressiveness of hackers combined with the increasing reliance on computer systems. Procure insurance or migrate to a hosted environment to transfer risk. Cybersecurity insurance helps pay for the cost of mitigation and impact on all affected parties.
Using external hosting for key systems places the responsibility of mitigation on the service provider, as long as a company employee did not cause the cyberattack. The hosting provider is responsible for ensuring the core computing environment is properly updated and protected.
There are a significant number of technological solutions to address cybersecurity concerns. Many are very expensive and can limit employees’ ability to perform their day-to-day activities efficiently and effectively. However, the most effective software solution lies between employees’ ears. Strong leadership, change management, and training are critical to helping companies teach employees how to prevent cybersecurity lapses.
Matias Fefer is the Director of Information Technology for Atwood Oceanics and a leading cybersecurity strategist in oilfield services. Matias heads an offshore services consortium tackling cybersecurity issues with critical computing and equipment suppliers. He can be reached at email@example.com.