How Boards Can Learn to Stop Avoiding & Start Loving Cyber Risk!
•Download as PPTX, PDF•
0 likes•201 views
This session was presented at the Association of Independent Colleges and Universities of Pennsylvania (AICUP) Member Meeting on Collaboration on June 19, 2019. The session provided tips for IT professionals to escalate issues of cybersecurity and cyber risk to the board of trustees for higher education.
More Related Content
What's hot
What's hot (20)
Similar to How Boards Can Learn to Stop Avoiding & Start Loving Cyber Risk!
Similar to How Boards Can Learn to Stop Avoiding & Start Loving Cyber Risk! (20)
More from Dottie Schindlinger
More from Dottie Schindlinger (20)
Recently uploaded
Recently uploaded (20)
How Boards Can Learn to Stop Avoiding & Start Loving Cyber Risk!
- 1. ©2019 Diligent. All rights reserved. Diligent Confidential. How Higher Ed Boards Can Learn to Stop Avoiding & Start Loving Cyber Risk Dottie Schindlinger Vice President of Thought Leadership June 19, 2019, 1:30-2:15 PM 2019 AICUP Member Meeting on Collaboration
- 2. 2 Today’s Agenda Overview of the board’s role in cyber risk oversight Review the latest trends and research related to boards and cyber risk Discuss how boards can prepare for cyber incidents Mini-Tabletop Exercise
- 3. Cyber Risk by the Numbers 447 million Number of personal records hackers stole last year 206 Days Average # days it took US companies to detect a data breach >70% by 2021 Percentage of all cryptocurrency transactions used for cybercrime $6 trillion annually by 2021 Annual cost of cybercrime, which is already greater than illicit drug trade 1 in every 50 Emails contains malicious content #10 on the Top 10 Education is #10 on the top 10 most cyber-attacked industries 3 Sources: https://www.ibm.com/security/data-breach; https://www.comparitech.com/vpn/cybersecurity- cyber-crime-statistics-facts-trends/; https://cybersecurityventures.com/cybersecurity-almanac-2019/
- 4. Cybersecurity – programs and processes in place to protect hardware, networks, and data from cyber incidents Cyber resilience – the ability to withstand a cyber incident, including: • Programs & processes in place to ensure operations can continue with minimal disruption both during & after an incident • The speed and agility of the organization’s response to cyber incidents • The ability of the organization to retain & rebuild the trust of stakeholders after a cyber incident occurs 4 Cybersecurity vs. Cyber Resilience
- 5. Are Boards of Trustees Cyber-Ready? 5
- 6. Trustee Access to sensitive docs Ability to save, share and store these docs A scenario to consider…
- 7. 7 Cyber-Readiness – Boards Lag Behind 53% North American directors use personal email for board communications (Global: 56%) 45% North American directors lost a device that contained board records in the past year (Global: 29%) 29% North American board using secured instant messaging software (Global: 47%) 37% North American boards find it challenging to share sensitive documents safely (Global: 47%) 2018 Forrester, Directors’ Digital Divide Report
- 8. 8 Cyber-Readiness – Boards Lag Behind 82% 67% 13% 51% School boards have never conducted a security audit of board communication IT/Data security teams that oversee the security of board communications School boards don’t require cybersecurity training School boards “don’t know” if there is a cyber crisis plan in place; another 39% know there isn’t one. 2018 NSBA School Board Cyber Risk Report
- 9. What Is the Board’s Role in Cyber Risk Management? 9
- 10. Board’s Fiduciary Obligations Duty of Care • Acting on an informed basis after consideration of all available information Duty of Loyalty • Putting the organization’s interests above your own & avoidance of conflicts of interest Duty of Good Faith • Exercising care & prudence in business decisions with adherence to law & policy 10
- 11. Who’s Accountable? 11 Administration carries out day-to-day business, reports to President President oversees school & staff, reports to board Board: oversees mission, represents stakeholder interests, oversees institution Stakeholders: students, families, community, local businesses, elected officials, government agencies, media, etc.
- 12. Questions for the board to consider 12 • Is the institution’s approach to cybersecurity risks and associated privacy issues able to meet new legal requirements? (e.g. GDPR, US state laws) • How frequently is the maturity of the institution’s cybersecurity risk management framework being assessed and evaluated? • How is the institution monitoring for new and potential cybersecurity regulatory changes and complying with new legal requirements?
- 13. 13 5 Cyber “Discussion Starters” for the Board 1 What’s our plan include? (BC/DR, crisis comm’s, cyber risk coverage) 2 How are we protecting consumer data? 3 How do we know our security/privacy program works? 4 What are the biggest vulnerabilities & how are we preparing? 5 Have we received adequate training & have we practiced the plan?
- 14. • Divide into teams • Each team – select a VIP to take notes, someone to be time-keeper, and a team rep. • Read through the case scenario & discuss: • What would your board do first, second? • What unanswered questions need to be resolved? • Who on the board should be involved and what roles should each person play? • What reports & data will the board need? • How should the board’s efforts be coordinated? 14 Exercise: Cyber Crisis
- 15. Q&A – What’s On Your Mind?
- 17. 17 (866) 672-2666 info@boardeffect.com boardeffect.com 1111 19th Street NW, 9th Floor, Washington, DC 20036 Contact Us
- 18. Thank you!
Editor's Notes
- 159,700 Number of cyberattacks reported by organizations in 2017 – estimated to actually be closer to 300,000 including those that were unreported $6.5 million Average total cost of a cyber breach, including the cost of scrubbing systems, damages, etc. But it does not include ongoing litigation, increases in cyber risk insurance coverage, new fines imposed by regulators. 3.5 million Number of unfilled cybersecurity jobs by 2021 $6 trillion Annual cost of cyber crime damages by 2021 1 in every 131 Emails is malicious – most common are phishing, malware including skimmers & ransomware 93% Cyber attacks that could be prevented by updating software & training – for example, still using Internet Explorer which is no longer being fully patched/supported by Microsoft, not being vigilant about using strong passwords, using the same password on multiple sites
- Dottie to provide a brief introduction to the data from the survey: “Before we dive into the survey data, I want to provide some context on cyber risk. Imagine a scenario where you have a group of part-time employees who are only on-site a handful of days each year. These employees mostly operate outside your firewall, but their job entails receiving, reviewing and responding to some of the most sensitive information your company has. These individuals also may have the ability to take this incredibly sensitive information and save it to local drives, print copies, and potentially email others using personal email accounts on service providers that might be completely unsecured. Even if the systems they use have security, since they are not managed by your company’s data security team, you have no access to of control over the systems these folks are using. Unfortunately, this scenario is a fairly accurate picture of how boards of directors communicate and operate at many companies.”
- These are based on Delaware corporate law, which influences the largest number of corporations in the US and has therefore become the standard. Duty of Care: Coming prepared to meetings, ready to deliberate, actively visiting the board portal Taking the time to research & reflect Adhering to professional standards – even when you’re off duty Staying informed on risks, opportunities, finances, activities, successes & challenges Anticipating consequences of decisions Duty of Loyalty: Advocating for the org’s mission & its stakeholders interests above your own Networking, opening doors, leveraging social media NOTE: Private opinions tend not to stay private for long Providing support & care for the CEO Disclosing & avoiding potential conflicts of interest Maintaining confidentiality & helping others do the same Supporting board decisions in public, regardless of personal feelings Duty of Obedience: Being a “good student” of the bylaws, policies, laws governing the org. and board Ensuring others adhere to the rules Knowing the org’s core documents, ensuring they are current & accurate Being a “good citizen” – keep the health and welfare of your org.’s stakeholders top of mind
- What’s at stake? Into effect 11/1/2018. Among the new rules are a requirement that companies must keep accurate data about cybersecurity safeguards for two years following, in case breaches are revealed down the line. The law also calls for "appropriate" digital safeguards at all parts of the business, including dealings with third party contractors. The rules call for stiff penalties, too — up to $100,000 per violation — a sum that should be enough to frighten many businesses into updating their IT infrastructure. But many will have problems complying with the new rules, partly because of a lack of awareness.