It may be fair to wonder, especially if a Board member does not have a professional information technology (IT) background, whether asking management about specific security measures might invite jargon-ridden replies that leave the director no wiser than before. However, a basic awareness of key elements to look for can help in understanding the risk management implications of an answer, even if you are unfamiliar with some of the technical terminology.
It’s not just who gets in; it’s what gets out
At many companies, cyber security practices are heavily weighted in favour of measures such as firewalls and passwords, aimed at limiting access to the company’s network. But while these precautions are essential, they are not enough. Cyber criminals are becoming increasingly adept at infiltrating corporate and other networks without triggering an intruder alert. Once inside, they can easily siphon information from your network unnoticed, unless you are actively looking for signs of suspicious activity.
To help defeat cyber criminals who make it past the access controls, a mature cyber threat risk management capability will include safeguards against unauthorised information distribution, as well as against unauthorised information access.
Effective performance in this regard requires technologies and processes that monitor outbound information traffic for both content – ‘is the information appropriate to share?’ – and destination – ‘where is it being sent?’
Destination, in particular, can be a red flag. If information is being sent to a country where your company has no operational presence or interactions, it is probably wise to look into who is sending it there and why. A mature capability will also be able to restrict the transmission of suspicious communications until their legitimacy is verified. This involves technologies that electronically ‘quarantine’ the communication while appropriate checks take place.
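To make the ‘content and destination’ check concrete, here is a small outbound-traffic monitor in Python. It is an added illustration, not code from this column or from Deloitte, and it assumes a constructed log format (one line per outbound transfer with a destination country code and a short content description), a hypothetical set of countries where the company operates, and two deliberately simple content rules (a ‘confidential’ label and a card-number-like digit pattern). Anything that fails either check is held in a quarantine until someone verifies and releases it, rather than being silently allowed or silently dropped.

```python
import re
from dataclasses import dataclass

# Hypothetical footprint: ISO 3166-1 alpha-2 codes of countries where this
# company operates or has business interactions. Any other destination is a red flag.
OPERATING_COUNTRIES = {"BS", "US", "GB", "CA"}

# Simple stand-ins for the 'is this appropriate to share?' question.
# Real data-loss-prevention tooling uses much richer classifiers.
CONFIDENTIAL_MARKERS = ("confidential", "internal only")
CARD_NUMBER_RE = re.compile(r"\b(?:\d[ -]?){12}\d{4}\b")  # 16 digits, optional separators

# Constructed log format (not from any real product):
# <timestamp> user=<id> dest=<CC> host=<destination host> content="<description>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) dest=(?P<dest>[A-Z]{2}) '
    r'host=(?P<host>\S+) content="(?P<content>[^"]*)"$'
)

# Constructed sample lines: one clean transfer, one to a country with no
# operations, one labelled confidential, and one carrying a card-number-like value.
SAMPLE_OUTBOUND = [
    '2024-05-01T09:12:03Z user=alice dest=US host=partner.example.com content="Q2 marketing deck"',
    '2024-05-01T09:15:44Z user=bob dest=UZ host=mail.example.net content="customer list export"',
    '2024-05-01T09:20:10Z user=carol dest=GB host=files.example.org content="CONFIDENTIAL board pack"',
    '2024-05-01T09:22:51Z user=dave dest=US host=crm.example.com content="card 4111 1111 1111 1111 for refund"',
]


@dataclass
class Transfer:
    ts: str
    user: str
    dest: str
    host: str
    content: str


def parse_transfer(line):
    """Parse one constructed outbound log line; reject anything that does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised outbound log line: {line!r}")
    return Transfer(**m.groupdict())


def inspect(transfer):
    """Return ('ALLOW', []) or ('QUARANTINE', [reasons]) for a single transfer.

    Both questions from the text are asked: is the content appropriate to
    share, and is the destination somewhere the company actually does business?
    """
    reasons = []
    text = transfer.content.lower()
    for marker in CONFIDENTIAL_MARKERS:
        if marker in text:
            reasons.append(f"content: carries '{marker}' label")
    if CARD_NUMBER_RE.search(transfer.content):
        reasons.append("content: card-number-like sequence")
    if transfer.dest not in OPERATING_COUNTRIES:
        reasons.append(f"destination: no operational presence in {transfer.dest}")
    return ("QUARANTINE" if reasons else "ALLOW", reasons)


class Quarantine:
    """Holds flagged transfers until a named person verifies them; nothing leaves unverified."""

    def __init__(self):
        self.held = {}      # transfer id -> (transfer, reasons)
        self.released = {}  # transfer id -> (transfer, verified_by)

    def hold(self, tid, transfer, reasons):
        self.held[tid] = (transfer, reasons)

    def release(self, tid, verified_by):
        transfer, _reasons = self.held.pop(tid)
        self.released[tid] = (transfer, verified_by)
        return transfer


def process(lines):
    """Run every line through inspect(); return {id: action} and the quarantine store."""
    q = Quarantine()
    summary = {}
    for tid, line in enumerate(lines):
        t = parse_transfer(line)
        action, reasons = inspect(t)
        if action == "QUARANTINE":
            q.hold(tid, t, reasons)
        summary[tid] = action
    return summary, q


if __name__ == "__main__":
    summary, q = process(SAMPLE_OUTBOUND)
    for tid, action in summary.items():
        reasons = q.held.get(tid, (None, []))[1]
        print(tid, action, "; ".join(reasons))
```

The point of the `Quarantine` object is the last sentence of the paragraph above: a suspicious transfer is neither delivered nor destroyed until a person has looked at it, and the release is recorded with the name of whoever verified it, which is the audit trail a Board would want to see exists.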
When James from Cable Beach logs in from Uzbekistan, worry!
Because cyber criminals are getting better at impersonating ‘bona fide’ corporate personnel, a company should not assume that everyone who logs in with legitimate credentials is actually an authentic user. A mature cyber threat risk management capability will verify a user’s identity by at least two independent methods (sometimes called ‘two-factor authentication’), and possibly more, depending on the value of the assets being protected.
Logins from countries where your company has no operations should be immediately flagged and investigated to determine whether the users in question are genuine or fraudulent. Yes, it is possible that James from Cable Beach really is legitimately logging in from Uzbekistan while on vacation, but it does not hurt to check.
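The login rule in the two paragraphs above, as an added example in Python that is not part of this column or of Deloitte’s material. It assumes a constructed authentication log (one line per login with the source country and the outcome of the second factor) and the same hypothetical set of operating countries. A valid password alone is never treated as proof of identity: it only earns a step-up challenge. A successful second-factor login is trusted, but when it arrives from a country where the company has no operations it is still placed on a review queue, which is exactly the ‘James on vacation in Uzbekistan’ case: allowed, but checked.

```python
import re
from dataclasses import dataclass

# Hypothetical footprint: countries where the company has operations.
OPERATING_COUNTRIES = {"BS", "US", "GB", "CA"}

# Constructed log format (not from any real identity provider):
# <timestamp> login user=<id> src_country=<CC> mfa=<pass|fail|none>
LOGIN_RE = re.compile(
    r'^(?P<ts>\S+) login user=(?P<user>\S+) src_country=(?P<country>[A-Z]{2}) '
    r'mfa=(?P<mfa>pass|fail|none)$'
)

# Constructed sample: James at home, James abroad with a good second factor,
# a password-only login, and a failed second factor from abroad.
SAMPLE_LOGINS = [
    '2024-05-01T08:01:12Z login user=james src_country=BS mfa=pass',
    '2024-05-02T08:05:40Z login user=james src_country=UZ mfa=pass',
    '2024-05-02T08:09:03Z login user=maria src_country=US mfa=none',
    '2024-05-02T08:11:27Z login user=james src_country=UZ mfa=fail',
]


@dataclass
class Login:
    ts: str
    user: str
    country: str
    mfa: str


def parse_login(line):
    """Parse one constructed login line; reject anything that does not fit the format."""
    m = LOGIN_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised login line: {line!r}")
    return Login(**m.groupdict())


def assess_login(login):
    """Return (decision, flags) for one credential-valid login.

    decision is one of:
      TRUST    both factors passed
      STEP_UP  password only; a second factor must be challenged before access
      DENY     second factor failed
    flags are items for a human to investigate, independent of the decision.
    """
    flags = []
    if login.country not in OPERATING_COUNTRIES:
        flags.append(f"{login.user}: login from {login.country}, where the company has no operations")
    if login.mfa == "fail":
        flags.append(f"{login.user}: second factor failed")
        return "DENY", flags
    if login.mfa == "none":
        # A correct password is not proof of identity; challenge a second method.
        return "STEP_UP", flags
    return "TRUST", flags


def decisions(lines):
    """Decision for each login line, in order."""
    return [assess_login(parse_login(line))[0] for line in lines]


def review_queue(lines):
    """Every flag raised across the log, for the security team to work through."""
    queue = []
    for line in lines:
        _decision, flags = assess_login(parse_login(line))
        queue.extend(flags)
    return queue


if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOGINS, decisions(SAMPLE_LOGINS)):
        print(decision, "<-", line)
    print("to investigate:", review_queue(SAMPLE_LOGINS))
```

Note that the second James login is trusted and flagged at the same time: the decision and the investigation are separate outputs, so a genuine traveller is not locked out, but the event still reaches a person who can confirm it really was James.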
• NB: The information in this series is based on the Deloitte white paper, ‘Risk intelligent governance in the age of cyberthreats’. For more information on Deloitte Bahamas Risk Advisory Services’ Cybersecurity offering, contact Lawrence Lewis, risk advisory services partner, at 1(242)302-4898 or email@example.com, or Shavonne Smith, senior risk advisory services consultant, at 1(242)302-4880 or firstname.lastname@example.org.
Ms Smith holds a Master of Science (MSc) degree from Capitol College in Baltimore, Maryland, and specialises in information assurance and network security. She also holds the CISA designation (Certified Information Systems Auditor), and several Microsoft certifications.