6 Data Security Questions Every Board NEEDS to Ask

Data security has become an increasingly important concern for businesses of all sizes over the last couple of decades. Each year, it seems like more attacks are being reported, and there is little sign of that trend abating any time soon. In fact, according to statistics cited by Tech Republic, “Cyber incidents targeting businesses nearly doubled from 82,000 in 2016 to 159,700 in 2017, driven by ransomware and new attack methods.”

One of the first steps in mitigating your cybersecurity risks is to take an objective look at your company’s cybersecurity posture as a whole. Part of getting an objective view of your security posture involves knowing what questions to ask. With this in mind, here are a few data security questions that every board needs to ask and get answers to.

1) What is Our Level of Risk and What Motivates the Threats/Attackers?

Risk assessments are a crucial part of any business venture, and cybersecurity is no exception. Knowing your level of risk helps you to better prepare for any potential risks—which is one reason why you should run a cybersecurity risk assessment.

Aside from establishing your level of risk, it may also be helpful to know what motivates attackers. Most cybersecurity attacks are motivated by one of the following:

• Monetary Gain. One of the most common motives behind cyberattacks is monetary gain. This is the primary motive behind ransomware attacks, wherein a business’ data is encrypted and the decryption key is withheld until a ransom is paid.
• Making a Political Statement. Some attacks are politically-motivated. Here, the attacker is looking to draw attention to a cause or to punish some perceived injustice. Common objectives for these attacks are to keep the victim from being able to do business or to cause monetary loss. Many of the attacks carried out by groups like Anonymous have motivations that would fall into this category.
• Acting on Behalf of a State. Another flavor of “political” attack, these attacks are carried out on the behalf of a foreign nation or power. These attacks often seek to steal important or sensitive data and relay that information to a client. These attacks are often focused on government organizations and companies doing contract work for the government.

2) How Do We Reduce Risk and What Are We Doing About It Now?

After determining what your biggest risks are and what kind of attacks are likely to be thrown your way, it’s important to identify some basic strategies for mitigating your cybersecurity risks.

This may involve a review of your current cybersecurity measures so you can identify which measures you have in place and what you need to add to close any gaps in your security.

3) How Are We Dealing with What is Not Under Our Direct Control?

Many businesses have a security vulnerability that they often forget about: IT assets that are owned by their vendors, third-party partners, and other data processors covered by the EU’s General Data Protection Regulation (GDPR) who aren’t in their organization.

These vendors and third-party partners could provide an avenue of attack for malicious actors. If their cybersecurity protections are weak, they could be hacked, and their access to your own systems could be abused to steal or destroy your sensitive data—similar to what happened to Target back in 2013 when, as reported by ZDNet, “The attackers backed their way into Target's corporate network by compromising a third-party vendor.”

This is why it’s important to find ways to manage risks that aren’t under your direct control, such as by:

• Setting security requirements for your third-party partners,
• Limiting their access to your systems as much as possible, and
• Enacting strict rules for accessing and using your systems.

4) What is the Impact of a Breach?

Knowing what the potential consequences of a security breach may be can help to provide a sense of urgency your efforts need to keep your business cyber secure. The impacts of a security breach can be divided into two categories:

1. Direct Monetary Impacts. These include the direct costs of a breach, such as money spent on rectifying the breach and restoring systems/operations to normal. These are usually the easiest costs to quantify, since there is a set dollar amount that is clear-cut.
2. Indirect Business Impacts. These costs are a bit more difficult to accurately quantify, but they can have a severe effect on your business. Indirect costs include things like lost business opportunities caused by a lack of confidence in your security and downtime for critical systems that are needed to do business.

According to data from a Ponemon Institute study sponsored by IBM, the average cost of a data breach is $3.62 million. Keep in mind that this is an average, and that the actual total cost a data breach may be much higher for your organization should such a breach occur.

Basically, you should ask yourself: “if a breach occurs, are we prepared to handle the impact?” Before answering this question, consider whether or not your organization has an incident response plan (IRP) in place and if said plan has all of the resources needed to make it work.

5) How Do We Protect Our Investment in Cybersecurity?

Investments in cybersecurity protection measures are much like any other business investment, and it’s natural to want to protect that investment and see an ROI for it.

One of the best things you can do to protect your cybersecurity investments is to regularly update your cybersecurity software programs (and all of your other business software) to their latest versions to eliminate old security exploits that may exist in those systems. Security software developers are constantly finding and fixing programming errors that malicious actors could exploit to bypass your security—downloading these patches helps to protect your business from attack.

Another measure you should take is to audit your security measures to see whether there are any other cybersecurity tools that you could add to address particular risks or vulnerabilities that you’ve identified recently.

6) Who’s in Charge of Cybersecurity Responsibilities?

It’s one thing to establish strong cybersecurity rules and get all of the right tools—it’s another matter entirely to make sure that there’s someone in charge of managing your business’ cybersecurity so that those policies and tools don’t go to waste.

It is always a good idea to establish clear roles and responsibilities within your organization that lets everyone know who is in charge of what when it comes to cybersecurity in your business. For example, if Bob from accounting notices odd activity on some accounts that indicates theft by a third party, what should he do? Who should he report the situation to? Setting clear roles and responsibilities makes it easy for Bob to forward his report to the people who are best equipped to stop the illicit activity and enable him to take preventative measures that can limit the severity of the breach.

Some organizations may even want to set up a specialized IT team dedicated to cybersecurity operations just to be the go-to resource for any security incidents that occur. Of course, this can be quite expensive, so many companies choose to hire a third-party manage security services provider (MSSP) instead. Hiring an MSSP provides businesses with a full team of security experts for a fraction of the cost of hiring them internally while also helping to quickly resolve the need for a dedicated security staff.

If you need help resolving your company’s cybersecurity issues, please contact the Compuquip Cybersecurity team today! We have years of experience in helping companies of all sizes tackle their biggest cybersecurity concerns by using an approach to security that emphasizes identifying and fulfilling your biggest needs and selecting the appropriate solution for your unique situation.