Tag Archives: Boards

Security News for the Week Ending November 19, 2021

Old Scams Never Die, They Just Get a Fresh Coat of Paint

Scammers have been posing, according to a warning by DHS, as Immigration and Customs Enforcement (ICE) Homeland Security Investigations (HSI) agents in San Antonio. The scammers call the mark, pretending to be HSI, and tell them there is a problem with their passport and that if they just pay the scammer/HSI agent some money, the problem will go away. They threaten that the victim will be arrested if they don’t pay. The victim’s passport, they say, was involved in a crime and police will be dispatched to their house to arrest them. Marks can call the ICE tip line at 866-347-2423 if they are able to “mark the mark”, so to speak. This type of scam is decades old; the only things that change are the targets and the agency that the scammers claim to represent, although DHS is a popular one. Credit: Infosecurity

Hackers Use Real FBI Email Account to Send Cyberattack Spam

I don’t think this qualifies as a hack. Instead it is really poor software design. The FBI runs a portal for law enforcement, but until Saturday anyone could sign up for an account. The prankster sent out at least 100,000 emails and the FBI was flooded with calls. For admins, it was hard to disregard the alert since it came from the real FBI email server and passed DMARC validation. A bit of a black eye for the FBI, and they only said that they were working on fixing the hole. Their temporary fix was to shut the system down. Probably a good idea. The hacker talked to Brian Krebs and explained what he did and why: to point out crappy security. Credit: Brian Krebs

Election Conspiracy Theory Lives On

For those of us in Colorado, there is a full-blown election conspiracy fight still going on. Tina Peters, the election official in Mesa County, the reddest part of the state, is in the middle of a fight for her political life. A Republican, she was booted out of her role as election chief by Jena Griswold, a Democrat and the state’s chief election official. Griswold appointed another Republican to oversee Mesa County’s elections. So far, the courts have sided with the state. Peters did things like turn off the cameras in the secure counting area and make covert copies of the disk drives from the counting machines. Somehow, copies of all of her voting system passwords and a copy of the rogue disk drive image were posted on the Internet for anyone to download. She says that she doesn’t know how that happened. Her legal expenses are being paid for by the MyPillowMan. Check out the story here.

CISA About to Name Members of New Advisory and Investigation Panels

DHS’ CISA officially created the Cybersecurity Advisory Committee this month. It was authorized in the 2021 NDAA. The committee is limited to 35 people and must include one each from 12 key industries including finance, tech, communications and healthcare. The remaining slots will be appointed by CISA’s director. The Cyber Safety Board was created by executive order this year and will operate similarly to the way the NTSB examines transportation accidents. It will include both Govies and private sector people and will convene when needed. Credit: The Record

Boards Still Not On Board With Cyber Security

Price Waterhouse surveyed 500 business executives, law enforcement services and government agencies and here are some of the results:

  • 28 percent say that their security leaders make NO presentations to the board, ever.
  • 26 percent say that their boards receive a single security presentation per year.

Neither of these answers warms my heart, but they don’t surprise me either.

That means that only a third of the boards receive regular (typically quarterly) updates on cyber risk.

One third of the respondents from small companies and 18% of the security leaders at large companies say they never present to their boards (this is the opposite view of the numbers above – what the CISOs say vs. what the boards say).

  • Only 42% of the respondents view cyber security as a corporate governance issue. I guess when the rest of their companies are breached and they have to spend millions of dollars to deal with it, that won’t be a corporate governance issue either. I guess.
  • 30 percent say that no board members or committees are involved in cyber security. That means that 70% have some form of involvement.

What all this tells me is that information risk folks still have some room to go in explaining to boards why they should care.

Recently, three CEOs or people in similar roles have lost their jobs over breaches (Sony, Target and Ashley Madison). That certainly is a board issue.

Costs of dealing with breaches run from a million dollars on the very low end to several hundred million dollars on the high end. Either expense should be one that boards are concerned about.

And then there is reputation. Whether you are in retail (Target), government (OPM) or healthcare (Anthem), to name a few, when people are asked about these companies, what they remember is that they were breached.

That is great brand recognition, but for the wrong reason.

This does not mean that we should hang up our security cleats and go out and get drunk.

Rather it means that we need to continue to educate boards so that they understand that it is a governance issue and that if they ignore it, so will their CEOs.

The education needs to be in business terms because IT RISK IS BUSINESS RISK. If you present it in any other context, you are highly unlikely to be listened to. What is the impact of a breach on sales, fines, litigation, brand reputation and distraction of key executives? These are things that board members can understand. Do not tell them about the number of malware-laced emails that you stopped; they don’t really care.

Just my two cents.

Information for this post came from CSO Online.

The Gap Between The Board and IT Security

The Ponemon Institute released a study that compares the views of about 7,000 Board members and 11,000 IT security people and the results show some interesting data.

The first question is “Our board of directors understands the security risks to the organization”. While 70% of the board members agree or strongly agree with that statement, only 43% of the IT people agree or strongly agree with it. That is a pretty big gap.

Given that board members make important cyber security decisions, their knowledge in that domain is important. Here are a few select answers from the survey:

  • 9% of the board members said they were very knowledgeable about cyber security. 26% said that they had minimal or no knowledge.
  • 59% of the board members said that the company’s cyber security governance practices are very effective. 18% of the IT security people agreed with that statement.
  • 18% of the board members said they were unsure if the company had a breach that resulted in lost or stolen records.
  • 21% of the board members were unsure if the company had a cyber attack that disrupted business operations.
  • 79% of the board members said that cyber security governance is not on the board’s agenda because it is best handled by company management. 51% said it was due to concerns about director liability. So half of the directors said that they did not want to deal with cyber security because they thought they might get sued. Given that a cyber breach could cost the company millions of dollars or even put the company out of business, that seems like a breach of fiduciary responsibility.
  • 69% of the board members are concerned about their potential liability if the company has a serious breach. That would seem to indicate that they should do their best to make sure that the company does not suffer a breach.
  • Currently, the SEC has issued voluntary guidelines regarding disclosing cyber breaches. 83% of the board members of companies that have suffered a breach think the SEC will issue mandatory regulations. Only 17% of those who have not had a breach think the SEC will do that.
  • 81% of the board members think that if the SEC issues those regulations, board involvement will increase.

So, while this indicates boards are concerned, absent regulations requiring disclosure, and due to concerns about getting sued, the majority of board members prefer to avoid the issue.

The study is available here.