JP Morgan, Target, Home Depot, Anthem, Sony.  The list of companies victimized by spectacular data breaches continues to grow.  Directors and Officers (D&O) are waking up to the fact that even non-obvious companies are cyber targets.  It is the fiduciary responsibility of D&O to protect these assets with exemplary information security and risk mitigation measures. 

It’s time for D&O to start asking some hard questions to make sure that the companies they manage and direct are taking adequate steps to both prevent internal cyber incidents and mitigate any damage that does occur.

Disgruntled insiders pose the biggest risk because they intimately know the internal operations of a company, and can easily find and misuse its most valuable intellectual property—especially on networks where data is often unprotected and easy to download.  Alongside this ‘legitimate’ insider is the advanced hacker who bypasses network safeguards and can freely roam around the system looking for things of value.  Once they are inside, these outsiders become insiders too. 

Because much defensive spending has been at the network perimeter, with firewalls anti-virus software and the like, the inside remains largely exposed as the soft underbelly of any corporation.

As part of your oversight role, ask whether your company still needs to:

 
• Hire independent security experts to review threats and risks, especially from insiders.  In this way, you will be able to build appropriate defenses against the most likely threats.
 
• Establish a governance structure for an Insider Threat or Insider Risk Program.  The company’s working group’s first objective will be to break this issue out of the Security Department stovepipe.  Getting all stakeholders on board and aligned may well be the company’s biggest challenge.  But it must be done. Protecting corporate intellectual property is not just Security’s job.  It also involves other areas of the business like Legal, Risk & Compliance, IT, and even HR.  Without a bird’s eye view of threats, the company cannot possibly put adequate protective measures in place.
 
• Ensure that the company cyber plan covers your particular needs.  A recent cybersecurity framework from the National Institute of Standards and Technology (NIST) is a good starting point for companies that lack a plan.  The framework covers the broad areas of prevention, detection and remediation.  It can be a useful benchmark for companies whose plans may be inadequate.
 
• Establish a response plan.  If a malicious intruder begins to operate, the company needs to be prepared on how to act in those circumstances.  Will law enforcement be involved?  Are there forensic capabilities to remediate breaches?  Is there a public-relations response strategy in place?  Above all, the company needs to conduct at minimum tabletop exercises to dry run these plans to ensure they will work in practice.
 
• Improve the security culture.  Within many companies, simple ignorance of good cyber practices is the biggest failing.  Employees must be motivated to do their part to protect corporate assets.  Managers must be trained to understand warning signs that an employee has become a rogue insider.
 
• Continuously monitor the inner workings of your network.  Disgruntled insiders may appear to be doing their jobs normally but are in fact carrying out malicious activities.  Advanced hackers may be totally invisible to the company because they are not physically on site while they purloin data, often from far away.

The good news is that improving a company’s internal cyber defenses does not have to mean adding another layer of complexity.  In many cases, better use of existing tools, improving internal processes, and creating an information sharing environment throughout the company will strengthen the company’s defenses measurably.