“It’s important for companies to have an emergency plan in place before a breach occurs,” said Soutchay Phomsakha, an FBI special agent who focuses on counterterrorism and cybersecurity. “You need to retain your server logs and have accurate network maps. When we visit a victim’s site, and the IT personnel have up-to-date information on their network infrastructure, it makes our investigation easier.”
A strong response plan should address steps the organization would take to prevent the loss of further data and to preserve information that could be used as evidence. Another important component is communicating with key employees, service providers and, potentially, law enforcement agencies.
And while it’s tempting to rely on IT tools to address information security, effective cybersecurity involves a blend of people and processes as well as technology, according to Kevin Morgan, principal, business advisory services, Grant Thorton, and co-leader of the firm’s cybersecurity practice.
“People think security is a technology issue, but the CFO role is instrumental in helping an organization get an understanding of what’s happening in their data supply chain and data ecosystems,” Morgan said.
This need to understand the flow of data through an organization, and interactions with its customers and suppliers, is prompting more corporate boards to include information security risks in their discussions, said Melissa J. Krasnow, a partner with legal firm Dorsey & Whitney in Minneapolis.
Some organizations are assigning cyber-related risks to already-taxed audit committees, while some are adding information security to a risk committee’s chater, and some organization have formed boards committees specifically to address cyber risks.
“Boards have a general oversight function, and cybersecurity is one of many risks over which boards have responsibility,” Krasnow said. “There’s a general risk management requeriment that’s governed by state law. The board has to oversee risk, and members can be sued is shareholders believe the board is not managing these risks.”
Krasnow said more board members are attending cybersecurity training and bringing in outside experts to help boards get a better understanding of issues such as appropriate frameworks to gauge information security measures, and the severity of breach needed to trigger board member notification.
Contracts in the Cloud
The growing use of cloud services and applications can complicate a company’s security risk management efforts, the panelists said. As a company considers hosting applications or data with an outside provider, Krasnow said it’s critical to examine provider contracts carefully to understand steps the provider plans to take to safeguard your data.
In most instances, she said, standard contracts will likely be vague about security issues, or may disclaim responsibility for data if a breach occurs.
“If you move to the cloud, you are still responsible for your own organization’s information,” Morgan added. :You have to understand your own data supply chain, and know where your information is stored in how it is used. Even if data is outsourced, most contractor say that you, as the data’s originator, are still responsible for protecting that information.”