Author: IbukunOluwa

With Operational Resilience scoring high on the agenda of global regulators, boards need to consider regulatory expectations requiring the engagement of Chief Information Security Officers and CIOs in the the board room. Why are CIOs/CISOs still struggling to get a seat at the table? Not because board CIOs/CISOs aren’t speaking ‘strategy’ language – as is often suggested; rather because many boards aren’t aware of the CIO/CISO’s capability to help board directors fulfil their fiduciary duty to “protect corporate assets from both internal and external loss and fraud”. In most instances, obtaining or destroying valuable ‘information assets‘ is the goal of the internal or external cybercriminal, with the proceeds of money laundering, fraud, theft of intellectual property, blackmail, and ransomware emboldening global cyber criminals who continue to seek wealth at all costs. Negligence that results in the theft or loss of information assets – including intellectual property, personal customer data, patents etc. – is an act that could render the Board in breach of their ‘fiduciary duty of care’. With the GDPR and the Data Protection Act 2018 having come into force May 2018, the case for having a CIO/CISO on the board (who not only understands the fiduciary responsibilities of the Board s/he has been appointed to join, but who speaks both technical and business language), has never been stronger. The risk of cyber and information security breaches needs to be recorded as ‘high’ on the corporate risk register – rather than just on the IT or Cyber department’s risk register – with the Board having visibility into these risks, approving the controls needed to mitigate these, and retaining an ongoing oversight of these risks. Quantifiable cybercrime attacks against organisations are becoming more prevalent, e.g. ‘CEO email fraud’ or whaling attacks, with the biggest reported victim, i.e. ‘Crelan Bank’ having lost $76 million to the fraud in 2016. Another victim, FACC, lost €52.8m to a similar fraud. Last week, it was reported that the CEO of Barclays, Jes Staley, fell victim to a spoofed email sent from a disgruntled customer, which thankfully didn’t result in monetary loss to the bank. By now, Board executives should be asking “is simply ‘sacking the CEO, CIO, CFO or CISO after a Cyber breach a prudent response to Cyber and Information Security breaches?”. Instead of sacking the perceived ‘culprit’ after a breach has occurred – including cyber security breaches as a high risk on the corporate risk register, discussing these at board meetings, and gaining assurance from the CIO or CISO that adequate controls are in place to mitigate against the risk of such breaches actually taking place may be a better approach. Sacking executives after a breach, rather than seeking to prevent a breach in the first instance, is merely reactive; whereas the latter approach of prudent risk management is proactive and seeks to empower the board to fulfil its obligation to protect corporate information assets. Many controls are available that could help to mitigate information and Cyber security risks and empower the Board to protect corporate information assets, including people, technology and operational controls. Operational Culture Encourage staff to speak up without fear. Many ‘process, technical and human risks’ tend to be spotted by front-line employees who deal with customers each day (or who use information systems regularly), long before the risk materialises into an issue. A seemingly ‘disgruntled’ junior Fintech employee who ‘grumbles’ among their peers about a manager ‘posting large remittances through the finance system to a Cleaning firm’ may be alerting their peers to ‘procurement fraud’ or ‘money laundering’. If there’s a culture of fear over raising concerns to leadership, the employee will continue to complain to peers who don’t have the power to protect the firm’s assets from fraud or loss; whereas the Board has both the power to do so – in addition to a legal obligation to do so. Since the Board is responsible for setting the corporate culture it truly wants to see –  employees must be encouraged to speak out in the interest of the firm and shareholders, without fear of victimisation or harassment for doing so; in particular as an employee speaking out against potential fraud is empowering board members to fulfil their fiduciary responsibility of care and protection of the firm’s assets – including non-financial assets. Processes A Board must ensure the separation of duties and conflict of interest rules are followed to the letter. If the CEO is only allowed to sign off on $50m transactions, then adequate workflow controls could be implemented to cap this limit, and to flag an alert each time the limit is reached (whether this limit is reached in one transaction – or over a series of transactions to a single firm in a short space of time). In addition, the CFO shouldn’t be fearful of asking questions of the CEO if asked to make financial remittances that seem amiss. The CFO could be saving both his and the CEO’s job, as well as helping the Board to protect the firm’s assets from cybercriminals. Board Development CIOs/CISOs are well-placed to run cyber security awareness training for the Board and Senior Management team, including training in the risk of Phishing, Whaling, and Ransomware. The landscape for information security threats has changed drastically, with ‘Crime-as-a-Service’ raking in billions of dollars a year for Cybercriminals. When Boards become as desperate to protect a firm’s information assets, as cybercriminals are to defraud companies of the same assets, the balance will cease to be tipped in the cybercriminals’ favor. Technology Countless technology tools exist to help protect against cybercriminals – including auditing, alerts, and network security tools; and a basic act of providing internal and external board members – i.e. including the Chair – with an internal email address and then configuring the email server to change all internal emails sent from each board member and each C-level exec. to each other to – say – ‘Brown font’ could help. If  a spoofed email were to arrive with a different colour font, purportedly from the Chair to the CEO, the different colour font could flag a warning in the mind of the CEO to ring the Chair to double-check on the origin of the email. Conclusion For board members to successfully fulfil their fiduciary duties, discussions at Board meetings should include Cyber and information security risks, including the risk of C-level execs. falling prey to cybercriminals. Failing to do so could cause significant loss of financial assets, plus market value or share in a corporation, in some instances resulting in insolvency. Essentially, any strategic risk that can cause a loss of assets, reputation or shareholder value to the firm must be discussed at the table by the board, and those discussions should be held with CIOs and CISOs present – many of whom are able and ready to contribute as a strategic board member, thereby empowering the board to fulfil its fiduciary duties to the company, its employees, and regulators. Ibukun Emmanuel-Adebayo

So you’ve been handed a brand ‘new’ USB (Memory) stick at a conference, or you’ve found a misplaced USB stick on the floor inside or outside the office, and you want to find out what’s on it – so you can return it to its rightful owner; what’s the first thing you do with the stick? Most PC users assume the innocence of the tiny and yet durable USB stick; and therefore plug any USB stick they lay their hands upon into their work or home PC, with the belief the stick is malware and virus-free; an assumption that can cause a huge cyber-security breach on your network or PC. One of the first notable viruses to hit the news in the late 1990’s was the  Melissa virus followed promptly by the Nimda and I Love You Worms, which spread rapidly across global networks. Some of these names may sound alien to new professionals whereas – for those of us involved with IT as a user or professional – since the year 2000 – these outbreaks probably remain ingrained in our memories. The Melissa malware was a virus – rather than a worm – as it didn’t self-propagate (spread) through network shares, having been developed to run in macros in standalone Microsoft Word documents – and therefore largely affected Word users only. On the other hand, similar to more recent threats, Nimda was one of the first worms developed, that used multiple methods – including social engineering i.e. the exploitation of ‘human’ weaknesses to spread – inviting users to click on links to infected websites, or to open infected email attachments. The ‘I love You’ worm also exploited human curiosity – dispatched in an email attachment titled ‘Love letter for you’. Surprisingly, even though this wasn’t sent on Valentine’s day, tens of millions of users were curious enough to click on an attachment from a stranger professing ‘love’; causing a global infection of their PCs. USBs and Social Engineering Have you ever viewed PDF’s titled ‘the top 20 secrets to wealth’, or ‘Please help’, or ‘Strictly private and Confidential’, and decided to take a brief look inside the document? Cybercriminals often use clickbait titles to lure curious users into infecting their PCs with malware from such documents, including on USBs – which are sometimes deliberately dropped on the floor for curious users to pick up and start a viral infection of PCs. USBs aren’t immune to viruses or malware, and yet they’re doled out at conferences like candy; picked up off office floors – or streets – by unsuspecting or curious users as a matter of course, and subsequently plugged into personal devices without a thought for the security of the device or for other network users. So what should Boards, IT, and PC users do, in a bid to mitigate the risk of malware and viruses from being introduced onto the network viz. USBs? “Boards” Continuing along the theme of the Board’s fiduciary responsibility to protect a corporation’s information assets from theft or loss – including the Board Executive’s accountability for the Corporate Cyber and Information Security Policies; it goes without saying that the small USB can cause a massive loss of information assets to a business – in the form of viruses, ransomware and other malware outbreaks. Information leakage, i.e. wherein authorised and unauthorised network users depart unsecured businesses each day, with ‘tiny’ USBs on their person, containing intellectual property – or private customer information – is also a ‘big’ risk that needs to be owned and mitigated by the Board. What happens when an authorised employee misplaces a USB stick containing personal customer data – or leaves it on a train, and fails to report this? “IT/Infosec Leaders” At this level, we should be overseeing our teams’ cyber risk management initiatives such as DLP solutions, patch management, plus anti-malware and anti-virus solutions – ensuring our firm only purchases encrypted USBs that can also be remotely wiped in the event of theft or loss; plus we also need to oversee the blocking of all unencrypted USB sticks from the network, using GPO or other third party solutions. Has your team been provided with adequate testing facilities, including a ‘safe’ standalone machine to test potentially suspect USBs and software on? How about the asset inventory system containing details of each IT asset, including USBs, on the network? Is this updated (and reconciled) periodically? We should also be iteratively raising user awareness through policies, workshops, training, bulletins, competitions etc., i.e. every effort has to be thrown towards reducing the threat of information asset theft and cybersecurity henceforth, not only due to the impending GDPR, but also if we’re intent on thwarting the Cybercrime industry from morphing into a $2Trillion dollar industry by 2019, at our personal workplaces’ expense. “Users” Again, as I wrote on LinkedIn previously, Information Security is the responsibility of all staff, and it’s thus vital we individually take up the mantle of protecting our workplace and personal PCs from harm. Before you plug that USB or memory stick into your personal computer, pause and think – ‘what if?’; i.e. ‘what if this stick contains a virus or a worm on it?’; ‘what if this were to delete all my information on my PC – along with my entire work data?’; ‘what if this were to affect the office network for a day or two – could we continue as a business?’; ‘ what if this stick contains malware that could transmit all my stored personal information, or keystrokes I type on my PC, to a remote device – including financial information?’ (such software has existed for years). If you’re given a USB stick by a friend, colleague or at a conference – ensure it’s scanned through an antivirus and anti malware software before you use it! If you notice a USB stick lying on the streets – just keep walking – let the owner return to find it where they dropped it – accidentally or maliciously! “Conclusion” Whilst memories or knowledge of the old viruses and malware may have diminished, the modern day cybercriminal has become more emboldened, using various methods, including the USB stick, to distribute their potent payload – exploiting not just software vulnerabilities – but largely human vulnerabilities, including unawareness and curiosity. Even if you don’t remember Melissa, Nimda, or I love you; the more recent malware outbreaks are enough to let people know that those pesky Cybercriminals aren’t playing a game – it’s big business for them. Don’t inadvertently contribute to the thriving Cybercriminal industry, including as a victim – even if you have to forfeit some love from Melissa. Comments welcome!