5 Cybersecurity Questions To Ask Your CISO
By McGuireWoods LLP
Continuing our coverage of cybersecurity issues during National Cybersecurity Awareness Month (NCSAM), we have identified 5 important cybersecurity questions and talking points you can use to start a meaningful cybersecurity conversation at your business.
Counsel and business executives take note: cybersecurity is not just an IT problem; robust cybersecurity starts with a healthy dialogue among legal, business, and IT. The chart below illustrates how a failure to engage in meaningful oversight of your company’s data and systems security creates costly, significant, and unnecessary risk.
The good news is that you need not be an IT expert to oversee your company’s cybersecurity risk. You do not need to be able to write code, or to know exactly what software is needed to keep the company’s data secure. The first step is to open a healthy dialogue with your IT professionals, one that lets you assess how ready the company is to counter a broad range of exploitation techniques.
Try calling your CISO or CIO and asking these questions:
How do we ensure that our software is updated to the maximum extent possible?
It is not good enough if the response is that we apply patches when we receive them, or that we apply them on a fixed weekly schedule. Threat actors study patches and build exploits soon after a patch is released; in other words, they operate inside your company’s patch cycle. The update process should be automated, pulling updates directly from the vendor’s own update service and verifying the vendor’s signature on each package before it is installed, so that the content of a patch is known to be authentic rather than a tampered copy obtained from a third party. Automation should still leave room for a short test window and a rollback path on systems that cannot tolerate a faulty update; the goal is to shrink the exposure window, not to skip the judgment.
Do we assign privileges to users based on their risk exposure?
There should be tiered administrative access that limits the number of personnel who have access to each tier of data. The higher the sensitivity of the data, the fewer the people who should be able to reach it, and each person should hold only the privileges their role actually requires (least privilege). Threat actors target administrator credentials because they unlock the high-value data and system assets, so administrative accounts should be separate from everyday user accounts, their membership reviewed regularly, and their use logged.
Does our operating system enforce signed software execution policies for scripts, executables, device drivers and system firmware?
There should be a list of trusted certificates (trusted publishers) that the operating system uses to allow legitimate executables and to block and flag illegitimate ones. Maintain an application whitelist (allowlist) together with signed software execution policies so that only known, signed code is permitted to run; this gives you far greater control over your systems. Where unsigned software is allowed to run, a threat actor can drop and execute code of their own, which can provide persistent access to your systems. One caveat a practitioner will raise: a signature proves who published the code, not that the code is harmless, so the trusted list must be kept narrow and certificate revocations must be honored.
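The first and third questions above both come down to the same check at the keyboard: was this file signed by who we expect, and is anything running that was not? The following PowerShell is an added example, not code from the original article or from McGuireWoods LLP. It assumes a Windows host (Get-AuthenticodeSignature is Windows-only); the patch path, the expected publisher name and the directory being audited are placeholder values to be replaced.

```powershell
# Added example (not from the original article): verify a downloaded update's
# Authenticode signature before installing it, then sweep a directory for
# code that is unsigned or carries a broken signature. The paths and the
# expected publisher below are placeholders you would replace.

# --- Part 1: check a single downloaded patch before it is installed ----------
$Patch = 'C:\Patches\downloaded-update.msu'          # placeholder path
$ExpectedPublisher = 'CN=Microsoft Corporation'       # placeholder subject prefix

$sig = Get-AuthenticodeSignature -FilePath $Patch
if ($sig.Status -ne 'Valid') {
    # NotSigned, HashMismatch (file altered after signing), NotTrusted, ...
    Write-Error "Refusing to install: signature status is '$($sig.Status)' ($($sig.StatusMessage))"
}
elseif ($sig.SignerCertificate.Subject -notlike "$ExpectedPublisher*") {
    # Valid signature, but from someone other than the vendor we expected.
    Write-Error "Refusing to install: signed by '$($sig.SignerCertificate.Subject)', not the expected publisher"
}
else {
    Write-Output "OK: $Patch is validly signed by $($sig.SignerCertificate.Subject)"
}

# --- Part 2: audit what is already on the system ---------------------------
$AuditRoot  = 'C:\Program Files\ExampleVendor'        # placeholder directory
$Extensions = '*.exe', '*.dll', '*.sys', '*.ps1', '*.psm1'

# Every file whose signature is missing or does not verify, with the signer
# (if any) so reviewers can tell "unsigned in-house tool" from "unknown binary".
$report = Get-ChildItem -Path $AuditRoot -Recurse -Include $Extensions -File -ErrorAction SilentlyContinue |
    Get-AuthenticodeSignature |
    Where-Object { $_.Status -ne 'Valid' } |
    Select-Object Path, Status, StatusMessage,
        @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } }

$report | Sort-Object Status | Format-Table -AutoSize

# --- Part 3: is script execution restricted to signed code? ----------------
# AllSigned requires every script to carry a valid signature; RemoteSigned
# only covers scripts that came from the Internet; Unrestricted and Bypass
# enforce nothing. This policy is a safety rail for operators, not a
# security boundary: an attacker who can already run commands can pass
# -ExecutionPolicy Bypass. Application control (allowlisting) is the boundary.
Get-ExecutionPolicy -List
```

Run Part 1 against anything you are about to install, and Part 2 on a schedule against the directories where your business applications live; an empty Part 2 report is the answer you want to hear when you ask the question in this section.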
Can you explain our Disaster Recovery Plan (DRP) and what we have done to exercise it in the last year?
It is essential that you have created, reviewed and exercised the recovery plan so that you can restore your data after a breach; a backup that has never been restored is not known to be a backup. The exercise should have shown whether all critical data, configurations, and logs could be recovered within the time the company’s Business Continuity Plan requires. The backups used to restore the system should be encrypted, and copies should be kept both offsite and offline. This protects them from natural disasters and from malicious threats such as ransomware, which routinely seeks out and destroys reachable backups before encrypting production systems.
Do we have an accurate inventory of all network devices and software?
If the inventory is not recent, it is not accurate. An accurate inventory provides the baseline from which you can reduce your attack exposure: unwanted, unneeded and unexpected hardware and software should be removed from the operational environment on a regular basis, and anything that appears on the network without first appearing in the inventory should be treated as a finding to investigate. Failure to engage in this active enterprise management weakens your ability to adapt to a dynamic threat environment.
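The software half of this question can be answered mechanically: record what is installed, keep that record as the approved baseline, and report anything that has drifted from it. The PowerShell below is an added example, not code from the original article or from McGuireWoods LLP. It assumes a Windows host, covers only software (network devices need a scanner or your asset-management tool), and uses a placeholder path for the baseline file.

```powershell
# Added example (not from the original article): build a software inventory
# from the registry's Uninstall keys and diff it against a saved baseline.
# The baseline path is a placeholder; the first run creates the file.

$BaselinePath = 'C:\Inventory\software-baseline.csv'  # placeholder path

function Get-InstalledSoftware {
    # 64-bit, 32-bit-on-64 and per-user installs all register under Uninstall.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object @{ Name = 'Name';      Expression = { $_.DisplayName } },
                      @{ Name = 'Version';   Expression = { $_.DisplayVersion } },
                      @{ Name = 'Publisher'; Expression = { $_.Publisher } } |
        Sort-Object Name, Version -Unique
}

$current = Get-InstalledSoftware

if (-not (Test-Path $BaselinePath)) {
    # First run: record the current state. Someone must review it by hand
    # before it counts as "approved"; an unreviewed baseline blesses whatever
    # was already there.
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline written to $BaselinePath ($($current.Count) entries). Review it, then re-run."
    return
}

$baseline = Import-Csv -Path $BaselinePath
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Name, Version, Publisher

# '=>' rows exist on the host but not in the baseline (new or changed software;
# ask who installed it). '<=' rows are in the baseline but gone (removed on
# purpose, or a security agent that was uninstalled).
$diff | Sort-Object SideIndicator, Name | Format-Table SideIndicator, Name, Version, Publisher -AutoSize

if (-not $diff) { Write-Output 'No drift from baseline.' }
```

Schedule the second-run form of this script and route its output to whoever owns change management; when the list of `=>` rows is empty or fully explained, the inventory is current, which is the only condition under which it is also accurate.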
No issue today creates more concern in C-suites and boardrooms than cybersecurity risk and the burgeoning number of laws that govern data protection. The increased scrutiny that follows a preventable, or poorly handled, data or systems breach can have a devastating impact on a business’s operations, financial position and reputation. You can significantly reduce those risks if a meaningful conversation with the IT and security team leads to investment in reliable mechanisms for identifying potential threats and preparing an effective response.