COMMENTARY: Cyber security - The role of the Board of Directors

Published: Wednesday | January 14, 2015 | 12:00 AM
Tricia-Ann Smith DaSilva

During 2014, there were a number of high-profile system hacks with victims such as JPMorgan, Target, Home Depot and eBay.

According to the Software Engineering Institute's 2014 US State of Cybercrime Survey, more than 37 per cent of surveyed participants faced an insider cyberattack in the last year. While the effect of these threats is measurable, entities find it challenging to respond.

According to Symantec's 2014 Internet Security Threat Report, there were 253 breaches in 2013, a 62 per cent growth in breaches over 2012, with over 500 million identities compromised. More recently, there was the colossal breach at Sony, which resulted in over 100 terabytes of internal files and films being stolen.

Furthermore, at the end of 2014, the Government of Jamaica received assistance from the Organization of American States with cybersecurity incident management and the establishment of a National Computer Incident Response Team, in response to a number of security compromises of government agency websites.

A common cause of loss occurs when personnel leave an employer and take data or assets with them to their next place of employment.

According to Symantec, 59 per cent of employees in the United States tech industry consider that software developers should have the right to reuse source code when changing jobs. Even though the risk of security breaches is obvious, it may remain one of the areas of least focus in an entity's strategic plan.

Of course, the publicised events mentioned above are only a segment of the global exposure to losses stemming from cyber incidents. Organisations should seek to increase their cybersecurity budgets for 2015.

There are a number of actions that one can take to reduce insider cyber threats. The information technology team should seek to identify key business stakeholders in the various departments. Responsibilities for prevention and detection of insider threats may be shared among the human resource, accounting, legal and IT departments within an entity. Key management personnel should define the mission-critical assets that must be protected and implement technology to monitor those assets.

Actively monitoring internal network traffic can also detect the probe and execution stages of an insider attack. A signal that a security threat may exist occurs when a user is aggregating massive amounts of data. This may be detected if there is a noted decline in the network's speed due to activity involving numerous files by a few users. Furthermore, management should seek to maintain a sufficient audit trail in the event that forensic analysis is required.

Data management policies

Digital security breaches serve as a warning for executives to remain attentive. A company's board of directors should consider reviewing the entity's data management policy.

Management should be required to present their policies on cybersecurity and the mechanisms to monitor compliance on a periodic basis for review and approval. This will allow the board to identify the responsible party and the entity's policy towards responding to an intrusion.

The board and key management should obtain training on cybersecurity issues to allow for increased oversight of technical and complex matters.

The board should consider whether a committee should be established to assist directors with oversight of cybersecurity.

In the event of a cyber-breach, IT personnel should provide a comprehensive report on the root cause of the breach, the affected systems, the financial impact and the action taken to rectify the breach. The company should also seek to disclose any data breach to relevant regulators if the breach was material.

And, given the risk exposure involved, the board of directors should work with the general counsel to determine the extent to which existing directors' and officers' insurance coverage provides protection.

Company executives and directors should be keener about the cybersecurity sector and the imminent threats that exist.

Enterprises require cutting-edge solutions to contest these adversaries. Corporations must work assiduously to manage cybersecurity and create comprehensive policies to proactively address tangible risk for 2015 and beyond.

Tricia-Ann Smith DaSilva is a senior manager at PricewaterhouseCoopers Jamaica and a board member of the American Board of Forensic Accounting. tricia-ann.n.smith@jm.pwc.com