The RE: View for June 1-June 15

Jun 16, 2014 9:18am

June 15, 2014

Target CEO Fired - Can You Be Fired If Your Company Is Hacked?, Forbes

Cybersecurity incidents, including data breaches, are putting every company and executive at risk.  As noted in a recent Forbes post, every senior executive must have “the requisite knowledge to make informed decisions about cybersecurity — not just an understanding of the basic concepts.”  An informed CEO should understand the difference between compliance and security, how introductions of new technology affect the company’s cybersecurity, the implications of a serious data breach to the company, and the company’s incident response plan, including the executive’s role in communicating with outside stakeholders. 

June 13, 2014

Calling All Boards of Directors: Four Recommendations from the SEC (Securities and Exchange Commission), National Law Review

In a recent speech at a New York Stock Exchange Conference, SEC Commissioner Luis Aguilar noted that the board’s general role in corporate governance and overseeing risk management provides the foundation for a board’s role in addressing cybersecurity issues.  A National Law Review article broke Commissioner Aguilar’s speech into four recommendations for boards to ensure that they are properly overseeing cyber risk.  Boards should:

(1)    Work with management to assess the company’s cybersecurity policies against the NIST Cybersecurity Framework to determine whether those policies are adequate.

(2)    Create a separate enterprise risk committee that can provide improved risk reporting and monitoring, as well as push necessary resources and overall support to company executives responsible for risk management.

(3)    Ensure the company has appropriate personnel to manage cyber risk.

(4)    Make sure management has a well-constructed incident response plan that is consistent with best practices for a company in the same industry.

See Board Oversight for more tips on how Boards should properly oversee cybersecurity.

June 12, 2014

Cybersecurity: ‘Best of Breed’ May Not Be Best for Small Businesses, Business News Daily

Just because a cybersecurity solution is ranked as "the best" does not mean it is right for your business. Especially for a small company, a solution can be so complex that the company does not have the resources to manage it.  Small companies should focus on performing a risk assessment and prioritizing protection of the company’s most critical assets. Also, a culture of cybersecurity awareness and training can go a long way toward preventing and responding to cyber incidents.  See Cyber Risk Assessment and Management and Creating a Culture of Awareness for more information.

June 9, 2014 

If You Think Cybersecurity Is “Just an IT Problem,” Prepare to Get Owned, NextGov

At a recent cybersecurity conference covered by NextGov, Steve Chabinsky, General Counsel and Chief Risk Officer for the cybersecurity technology firm CrowdStrike, noted that if an organization believes cyber is just an “IT problem,” it might as well just prepare to get owned.  Cybersecurity must be included in enterprise risk management.  In addition to senior executives understanding their company’s cyber risk and how the company is managing that risk, employees must be continuously educated on their roles and responsibilities in safeguarding sensitive data and protecting company resources.  Click here for more information on creating a culture of cybersecurity awareness.


REFILE – Upsurge in hacking makes customer data a corporate time bomb, Reuters

With hackers stealing massive amounts of customer data in recent months, corporations are trying to figure out how to shore up cyber defenses.  The reality is that no matter how much companies spend, there is no certainty that their systems will not be breached.  Thus, a recent Reuters article suggests that a company’s best defense may be “either to reduce the data they hold or encrypt it so well that if stolen it will remain useless.”

June 6, 2014

HIPAA, Cybersecurity and Medical Device Manufacturers, MEDIcept

Health Insurance Portability and Accountability Act (HIPAA) privacy rules may not just apply to hospitals and other health organizations. Today, more medical devices are becoming wireless smart devices and wearable technology, so HIPAA compliance and cybersecurity are now a concern for companies manufacturing these devices.  The Food and Drug Administration (FDA) recently released a draft guidance document to ensure medical device functionality and patient electronic records cannot be compromised by hackers. Read the FDA’s draft guidance here.

June 5, 2014

SMB Cyber Security Basics and Breach Response, Huffington Post Blog

Cyber criminals are targeting under-resourced small businesses that hold much of the same valuable information that larger businesses hold.  A recent Huffington Post article suggests the following practices to protect your small business:

  • Educate your employees on what data needs to be protected and basic cyber best practices.
  • Determine what data is most important and allocate resources to protect this data.
  • Explore which technologies may help you manage and mitigate cyber risk, such as identity and data monitoring services.

June 2

The NIST Framework: Cybersecurity's best line of defense, Fierce CIO

Noting that “good information security is a process” and is not primarily “about technology, but rather about risk management,” a recent Fierce CIO article explores why the NIST Cybersecurity Framework is a good foundation upon which to build a company’s cybersecurity risk management program.  The article suggests that a company should implement the NIST Cybersecurity Framework because it (1) provides an effective methodology to implement a cybersecurity risk management process, (2) is comprehensive and applicable to companies in all sectors, (3) is flexible and has useful references to guidelines and standards, and (4) is voluntary.