By David Eisenstadt
The growing cyber siege on corporate Canada is causing management leadership to spend more time, money and concerted efforts to defend against cyber-attacks and data breaches. While no sector of the economy is immune, the real estate industry might become an appealing target.
At tcgpr in Canada, we work closely with our IPREX Global Communication partner, SDI, based in Washington, where Tom Davis and Frank Platsis lead their cybersecurity, privacy and data security practice.
Based on our collective experience, it is important to diagnose your company’s risk of becoming the next victim of a crippling cybersecurity threat, so you’ll need to have answers to these questions.
Does your organization have a CISO?
Is there someone who is directly and visibly responsible for your organization’s information security program? If so, you are addressing the primary issue. But having someone on board with the formal title of chief information security officer (CISO) is the gold standard. The CISO should be a member of the executive management team and have the authority, accountability and tools to get the job done. Not having a CISO is seen as a significant vulnerability, and will be a major problem if your company does suffer a breach.
Have your company’s data ‘crown jewels’ been identified and are they protected properly?
Among the data proprietary to every company, there is some high value data – the “crown jewels” – that must be given the highest level of protection. Whether intellectual property, business plans, privileged information on potential mergers and acquisitions or board proceedings, it is critical that those assets are identified and management fully understands where they reside, who can access them and how they are protected. To paraphrase Sun Tzu, prior to understanding the intentions and capabilities of your enemies, you must first “know yourself.”
Is there a comprehensive plan for managing a cyber-attack that poses the threat of crisis?
Businesses need to have their policies and procedures for managing responses to a crisis documented in an integrated plan. The intent of the plan is to set forth the process that will be used to mitigate the damage from a data breach and minimize recovery time. The plan should cover notification and activation of the response management team and include clear escalation procedures in terms of who needs to be informed and when. It is important that all key business functions – operations, legal, IT, security, regulatory, HR, compliance and PR be represented on the team. The roles and responsibilities of each function should be clearly detailed in advance.
Full appreciation of cyber risk includes understanding how cybersecurity and physical security may intersect. A company’s chief information security officer and chief security officer should work together with other corporate leaders, to assess risk holistically. The integration of cyber and physical security will become even more significant with the rapid growth of the Internet of Things – devices that communicate with each other and the Internet via wireless connections – and reliance on legacy technology to thwart cyber offensives.
Is your board of directors conversant with your approach to managing cyber risk?
Even if your board is not demanding such information, management should regularly explain to the board its ongoing assessment of cybersecurity risks and articulate its plan to address them. To fulfill their fiduciary oversight responsibilities, it is important that boards identify governance responsibilities for cybersecurity. Will these responsibilities reside at the full board or a subcommittee such as the audit or risk committees? It is important that companies set the appropriate tone at the highest levels.
Are you evaluating your plan through exercises?
Exercises are designed to support the development of a robust response capability, train team members in their roles and responsibilities, and evaluate the policies and procedures in the response plan. Using a range of cyber scenarios you can enhance capabilities by stress-testing response and recovery plans and build a more cyber-resilient enterprise. Exercises ought to be conducted regularly to include testing from a technical perspective and tabletops to address decision-making. Lessons learned from these exercises should be incorporated back into the comprehensive plan, which by necessity will be a “living document” to stay apace with new and emerging threats.
Does your response plan detail how communications will be handled in the event of a cyber-attack?
One critical asset sure to be imperiled by a cyber-attack is your corporate reputation. How effectively you communicate will either raise or lower the cost to your reputation and consumer and shareholder confidence. Your response plan should identify what stakeholders would be affected, what concerns each stakeholder group will have, and how those concerns will addressed. It should make clear who will communicate on behalf of the company, and what communications tools will be used. It must also define how internal communications will be handled, for your employees will not only have concerns, but will be seen as “voices” of the company. Consider conducting a dress rehearsal of a data breach notification that includes the CEO and CISO. CEOs must master the ability to strategically communicate the technical complexities of cyber risk in plain English, whereas CISOs must be savvy in communicating their know-how from a management and business perspective. Translation is key.
What’s your exposure to third party suppliers?
Third-party suppliers present unique risks to any organization. They often provide portals into a company’s technology platforms that attackers may exploit. Your response planning should include assessing cyber risks presented by third-party vendors and subcontractors to ensure they meet appropriate cybersecurity standards.
Are you creating an internal culture of cybersecurity?
Educating your employees about best practices in cybersecurity is one of the most effective ways to reduce your company’s risk profile. Every organization should have a training program that helps employees understand how to avoid falling victim to schemes that attempt to use them to create unauthorized access to your data. Employees should clearly understand their obligations to protect data, as well as best practices in using email, web browsing, using social networks and employing their mobile devices.
It’s 2022. Isn’t it time to get with the program?
David Eisenstadt is Founding Partner of tcgpr.com, the Toronto-based Canadian Partner of IPREX Global Communication – iprex.com.