
Cybersecurity: What Directors Need To Know

2nd November 2017
Ed McKenna

Cybersecurity has become a pressing issue for companies. Getting it right is no longer a question just for IT directors but for the entire board of directors, says Sarah O’Donnell of McKeever Solicitors.


Cybersecurity presents a significant risk for companies, but it is not just a problem for the IT department. It demands attention and direction from the boardroom on an ongoing basis, as acknowledged by 93% of directors in a report on cybersecurity by the Institute of Directors.

The risks for companies that get it wrong are too high and too serious to be ignored. The same research found that a third of Irish companies have suffered a cybersecurity breach in the last two years, and that percentage rises to 44% for companies with an online presence. Planning is required, it is achievable, and it saves a lot of trouble in the long run.

Damaging Repercussions

Cyber breaches and/or failure of a company’s IT structure can have a damaging effect on critical business operations. Beyond this, they can have a catastrophic effect on a company in terms of potential financial loss, legal suits and reputational damage. Recently, we saw the €4.8 billion sale of Yahoo! delayed because of two data breaches affecting 1.5 billion Yahoo! users. It also reported a fall in its search revenue as a result. And for CEO Marissa Mayer and some of her colleagues, it has been disastrous for their earnings and, perhaps, for their careers.

Prevalent Methods of Cybercrime

Some cybercriminals are no longer satisfied with the smaller pickings available through financial fraud or identity theft, such as phishing or card skimming. Nowadays criminals, often international gangs, attack institutions instead, such as banks or government departments. They usually gain access through an employee’s computer, install their malware and then control the institution’s IT from the outside, allowing them to dispense cash, transfer funds or steal information for resale. The result is huge rewards for the criminals with a very low risk of being caught.


Ransomware – Companies in Ireland of all sizes have fallen victim to ransomware, where cybercriminals hack into a company’s network, encrypt the files and then demand payment in Bitcoin to return control to the company. If data has not been properly backed up, there follows much nail-biting and apprehension. Even if a ransom is paid, who is to say that the data has not been copied anyway, or the system compromised in some other way?

DDoS – A Distributed Denial of Service (DDoS) attack is where an online service is overwhelmed with a flood of traffic from botnet sources, taking it out of service. (A botnet is a ‘network’ of internet computers infected with malicious software and controlled as a group without the owners’ knowledge, to forward spam or viruses to other computers.) Extortion appears to be the main purpose, and DDoS is becoming the weapon of choice for cybercriminals. Alarmingly, there can also be a secondary motive: exfiltration (unauthorised transfer) of company data while the company’s attention is diverted towards the DDoS problem.

Outsourcing service providers – Another access route for cybercriminals is through third-party service providers to large institutions, such as banks. The Central Bank of Ireland expects companies to carry out proper due diligence and ongoing monitoring of outsourcing service providers to ensure they have robust cybersecurity controls in place, at least as strong as the company’s own.

Existing Legal Landscape

Criminal law – There is a duty to report cybercrime under s.19 of the Criminal Justice Act, 2011, and doing so may help fight such crimes, but in reality it is difficult for legislation and our under-resourced Computer Crime Investigation Unit to outpace the hackers. As a result, much cybercrime goes unpunished.

Cybercrime is dealt with under the Criminal Damage Act, 1991 and supporting legislation. The enactment of the Criminal Justice (Offences relating to Information Systems) Bill, 2016 will update the legislation in this area and make it more fit for purpose.

Personal data protection – Under the Data Protection Acts, 1988 and 2003, a company is obliged to ensure that it has appropriate security measures to prevent unauthorised access to personal data, or its alteration, disclosure or destruction, including accidental loss or destruction.

Directors’ duties under company law – Under Irish Company Law, responsibility for cybersecurity falls under directors’ fiduciary duties as set out in the Companies Act, 2014. A strategy to address cybercrime should form part of the overall business strategy of the company.

Impending Regulatory Requirements

We are heading towards the EU Single Digital Economy. New legislation due to come into effect in the near future will support the changing technological environment.

The Payment Services Directive II will become law on 13 January 2018, requiring payment service providers to put in place “strong customer authentication” procedures and to report security incidents.

Hefty fines may be levied by the Data Protection Commissioner for a failure to safeguard personal data once the General Data Protection Regulation (GDPR) comes into force on 25 May 2018.

The GDPR also opens the way for civil legal suits, in respect of both material and non-material damage, brought by individual data subjects against companies that fail to safeguard their personal data.

How does a company board begin to address cybersecurity?

As for all categories of crime, prevention is surely the best approach to cybercrime. Vigilance, verification and investment in user training are probably as important as costly technological acquisitions.

Tackle any information deficit in the boardroom – If there is not enough IT knowledge in the boardroom, invite the IT department to submit regular IT reports to the board, or co-opt someone with IT expertise onto the board.

Directors should keep themselves informed – Keep abreast of global cyber threat intelligence reports published online and join industry knowledge-sharing bodies. Talk to people in similar roles in other companies and share information and solutions.

Maintain management controls – Make sure that management stays in control of the company’s IT systems, for example by knowing the passwords. Review who has access to the network, and promptly revise or revoke that access when staff are reassigned or leave.

When an online College of Education in the USA found itself and its students locked out of its own internet account after dismissing the systems administrator, the college could not operate for a period and became embroiled in a costly lawsuit.

Cybersecurity Analysis

Before drafting cybersecurity protocols and incident response plans, management must know what it has that needs protection and identify the particular risks faced by the company, not forgetting insider threats.

Analyse existing IT systems and the data held – Carry out an analysis of what IT systems are in place and how they relate to each other, including cloud computing. Carry out an analysis of the company’s data. For example, does it process or hold personal data or sensitive data, e.g. bank account numbers or employee records? The answers will determine the kind of security measures the company needs.

Review existing IT security – Seek a report on existing IT security. Penetration testing should be done independently. Investigate how end users, remote users and third-party service providers are connecting to your mainframe. Be advised that security measures may be weak or non-existent on some web applications and Internet of Things devices, such as CCTV cameras, lighting or air conditioning controls connected to the company’s network.

Audit third parties – It may make sense to use the services of third parties, but remember that it remains the company’s responsibility to ensure that the data is secure. The company needs to carry out due diligence on these providers and insist on an ongoing right to audit.

Tackle The Soft Skills

User awareness training – Many attempted frauds are not that sophisticated but rely on social engineering. Train staff on the most recent scams and on the need to report suspicions to management.

Bring back old-style checks and balances – Automated payment systems may be quicker and cheaper, but a company cannot do without verification, and verification should involve more than one member of staff.

Reporting Requirements

The Data Commissioner recommends that, where large amounts of personal data have been put at risk through a data breach, her office should be notified. From 25 May 2018, a serious breach relating to personal data must be reported to the Data Commissioner under the GDPR. A report should also be filed with An Garda Síochána, and if there is insurance in place, notify your insurers.


Sarah O’Donnell advises in commercial litigation matters. Working with McKeever Solicitors’ commercial and employment law teams, she also advises on data privacy and data protection in the workplace, as well as cybersecurity issues and the ‘right to be forgotten’.
