Industry Perspectives

Cybersecurity Corporate Governance -- Is the OPM Hack Our "Fight Song?"

In the days following the reported data breach at the Federal Government’s Office of Personnel Management (“OPM”), exposing the personal information of up to 21 million or more government workers (and maybe more), military personnel and even potentially Congress men and women, there has been a lot of tongue wagging and finger pointing about why such a large scale breach happened, and could it have been prevented. The Director of the OPM, Katherine Archuleta, has now just resigned, and many questions remain unanswered. Leaving such a quest for answers to others, we think it’s important to focus on what the OPM hack potentially means for corporate America and what corporate America should do to continue to fight cybercrime.

We think the OPM hack should be our "Fight Song."  The massive exposure of personal information of business people and American's alike in 2015 has created the potential for further and even more dangerous cyber-attacks like Dridex and others  Why?  Given that spear phishing is the primary threat vector today to unload malware, the personal information now existing in cyberspace could make those attacks even more accurate. Our healthcare information is now known. Our credit information is now known. Even to some threat actors, the most intimate details of our personal history may now be known, allowing attackers to sharpen their emails to make them even more enticing to open them and then to "click on the link."

We need refocus our efforts, among other things, on good cyber corporate governance. When all seems wrong with securing our digital assets, it sometimes is necessary to go back to square one: the basic “blocking and tackling” of cybersecurity. The more basic of these questions are well known:

1. What are your company’s most important digital/IP assets?
2. Have you classified them or ranked them in accordance with their value to the organization?
3. Where are these assets being currently stored?
4. How are they being protected today by various hardware and software solutions?
5. Do you know all of your company “endpoints” (or access points to your network), and how are you protecting your endpoints?
6. Are you training your employees in good cyber hygiene?  and
7. Finally, do you have a functional and tested incident response and business continuity plan?

If your organization (and board of directors) can answer these basic questions (many of them being part and parcel of the National Institute of Standards and Technology Cybersecurity Framework), then you are off to a good start. But more mature companies from an IT perspective should try and move past the basics, and reach the harder questions that many companies are asking themselves today. The most basic and harder question is whether I am spending my IT dollars appropriately, i.e. does my cybersecurity spend match my IT/IP valuations and the risks that I face if my cybersecurity fails and I suffer a data breach?  Am I properly protecting against the known threats like spear phishing (using non-signature based technology)?  Are you using some threat-based analytic technology? Are you sharing threat information with your peers?  Are you encrypting your data? Though many of these technologies are not “mandatory” (i.e., either federally mandated or required) in most industry sectors, it does not mean that we should not be asking the tough questions and implementing the solutions necessary to protect our customers, investors and corporate reputation.

A good roadmap to start you down this path is with the Council on Cybersecurity’s Top Twenty Security Controls, which is available here. It can help you put together your structure for covering more than just the basics to ensure good cyber hygiene. It’s also important to remember that no plan is perfect and that we need the right expertise, technology and threat intelligence to thwart today’s targeted attacks. Breaches are inevitable and building a good plan, with experienced cyber professionals, and the right technology to detect advanced threats can help us minimize the impact of a compromised system.

This post was co-authored by Tony Cole and Paul Ferrillo, counsel at Weil, focusing on cybersecurity corporate governance issues.