A new whitepaper released by the World Economic Forum Future of Digital Economy and Society System Initiative intends to help boards understand the cyber risks they are facing in 2017.
The report claimed that “organizations do not feel equipped with the tools to manage cyber risks with the same level of confidence that they manage other risks, and the emerging leading practices have not yet become part of the standards set of board competencies.”
The guide claims that moving forward two things are required: a significant increase in organizations adopting, sharing, and iterating leading security practices, and cross-sectoral collaboration in order to develop new practices that require dealing with unique attributes of managing cyber risks of physical assets.
The whitepaper proposes Ten Board Principles for Cyber Resilience:
- Responsibility for Cyber Resilience- the entire board takes ultimate responsibility for oversight of cyber risk and resilience
- Command of the Subject- board members receive cyber resilience orientation upon onboarding and are regularly updated on the latest threats and trends
- Accountable Officer- the board must have certain there is one corporate officer accountable for reporting the organization’s capability to manager cyber resilience and progress in implementing cyber resilience goals
- Integration of Cyber Resilience- board ensures that management integrated cyber resilience and cyber risk assessments into the overall business strategy and into enterprise wise risk management
- Risk Appetite- board annually defines and quantifies business risk tolerance relative to cyber resilience, and ensures that this is consistent with corporate strategy and risk appetite
- Risk Assessment and Reporting- board holds management accountable for reporting a quantified and understandable assessment of cyber risks, threats and events as a standing agenda item during board meetings
- Resilience Plans- support for the officer accountable for cyber resilience by the creation, implementation, testing and ongoing improvement of cyber resilience plans
- Community- encourages management to collaborate with other stakeholders in order to ensure systemic cyber resilience
- Review- conduct a formal, independent cyber resilience review of the organization annually
- Effectiveness- review performance in the implementation of these principles
The purpose of this whitepaper is to “provide boards with a framework and set of tools to smoothly integrate cyber risk and resilience into business strategies, and so that their companies can innovate and grow securely and sustainably.”
Richard Samans with the World Economic Forum claims, “I’ve been saying for a number of years that information risk must be elevated to a board-level issue and given the same attention afforded to other risk management practices. Organizations face a daunting array of challenges interconnected with cyber security: the insatiable appetite for speed and agility, the growing dependence on complex supply chains, and the rapid emergence of new technologies.”
Implementing File Integrity Monitoring to Your Layered Security Approach
In order to detect potentially significant changes to system files and protect systems from malware, it is essential to not just simply run a comparison of the file system once per day as has traditionally been the approach, but to provide an alert within seconds of a significant file change occurring.
The best File Integrity Monitoring technology will also now identify who made the change, detailing the account name and process used to make changes, crucial for forensically investigating security breaches. It is good to know that a potential breach has occurred but even better if you can establish who and how the change was made.