Imagine that criminals broke into headquarters and bugged your executive offices for insider information--and then made millions trading on that information. That's what can happen if you jump into a Board Communication Systems too quickly. It has already happened: They silently monitor your Board of Directors communications until they hear insider information that they can use to strike it rich on the stock market.
A Board Communication System, often called a Board Portal, is supposed to be a secure cloud system that your CEO, CFO and board of directors use to communicate with one another to make sure any highly sensitive information about the company is protected--from insiders, the IT department, and bad guys. Information that is shared between board members can range from company strategy, to M&A plans, to non-public financial performance details. Imagine the havoc that could ensue if anyone was able to access sensitive knowledge and then use it to their advantage.
As I have been speaking with other CSOs the subject of a Board Portal is coming up more and more frequently, especially within publicly traded companies. The Securities and Exchange Commission (SEC) has now issued guidance mandating that public companies disclose privacy and data breaches because they can be material events. A material event is an incident that can impact your company in a financially meaningful way.
When faced with the problem of protecting board member communications from threats, your immediate reaction might be to implement a Board Portal. Well, here's the problem: Most Board Communications Systems are set up by Legal and Investor Relations teams--without the CSO's knowledge and approval. This is a recipe for disaster.
Why BCSs Need Proper Security Measures
We've all read the surveys and reports on the high cost of data breaches and the associated remediation, lawsuits, and penalties. The cost could also increase as a result of the precedent set by Krottner v. Starbucks. As I understand it, in order to get a class action suit to trial, plaintiffs don't need to show actual harm from a breach. They just have to show an increased risk of harm. If a Board Portal is breached, this could mean every one of your shareholders is a potential plaintiff (arguing that their investment has been placed at increased risk of harm due to insider trading or other stock price manipulation).
And this doesn't just affect public companies. Private companies that do business with public companies may need to start disclosing breaches to keep corporate customers as clients.
I examined some of the Board Portal companies--many of which are startups offering cloud-based services. The barriers to entry are low and new ones keep popping up. That raises a warning flag to me; I am a bit concerned with the ability of these companies to safeguard sensitive data. Many aren't making security the top priority--even though it's mission-critical. The Board Portals are a gold mine for organized crime looking to make a large quick profit. This is not speculation; it has already happened.
In fact, I talked to a few of the top Board Communication Portals in the market today to ask them a few questions about their security. The answers were frightening to say the least. None of them could provide a good answer to more than two of the ten questions I asked.
One leading company provided two alarming examples:
1) My question: Do you log when an admin accounts gets created and do you alert on it?
Their answer: We do not have an active directory system, we just have five Admin accounts created on each workstation and server.
My thoughts: They have no Active Directory--nor any Identity and Access Management system whatsoever!
2) My question: The most common way a bad guy is going to try and break into your network and get their hands on your customers' information would be leveraging advanced malware. Walk me through how you protect against this threat model.
Their answer: We have never had a malware problem to date, and we use a top anti-virus/endpoint security product to stop malware.
My thoughts: Ok, anyone that knows anything about malware knows that everyone has, or has had, a malware problem at some point. If you think you have never had one, that means you do not have any good malware detection technology. Second, AV is insufficient protection against malware; in fact Websense Labs finds 640 to 1,000 new malware per day that AV doesn't stop.
10 Questions for BCS Providers
Here are 10 questions to ask BCS providers to ensure that they are taking the proper steps to keep you safe. Speak to their IT security contact directly--don't waste time with the sales staff. If you are the CSO of a public company, ask your legal and investor relations team what BCS platform they are using, why they chose that one, and ask for a meeting to assess the risk.
Do you have a SIEM and logging system in place?
(You need to understand how they are keeping an eye on your data.)
Do you have a managed security system in place 24/7?
(Again, this goes to the vigilance of their team.)
What sort of intelligence do you have that correlates actions beyond a firewall and AV?
(It's commonly accepted that these are insufficient protections for material of this type. What more do they have?)
What sort of web security do you have in place internally?
(The web is the most common vector for malware. You need to know how they are protecting their computers and servers from malware infection.)
What about externally facing web--what have you done to secure the application or harden the interface? Do you have regular application penetration tests to assess the real-world security of your internet-facing applications? Can I see the report?
(This speaks to their maturity of Web Application Security. Ask if you can see a copy of the report.)
How do you protect the data and know where it is going? Are you using DLP technology? What kind of encryption scheme do you use to protect my data? How is my data segregated from other customers?
(You want to make sure data is only going to approved users. Make sure the data is encrypted at every stage in the transaction, not just via SSL while in transit.)
What systems do you have in place to prevent spear phishing?
(Any breach is an invitation to phish your executives, Board, and others. Bad guys take advantage of user trust and will make an email look like it is coming from the BCS platform)
Where are the servers physically located? What type of physical security is in place to protect these servers?
(If you wouldn't put your intellectual property there, you don't want your Board communications there either. You will be surprised in some of the answers you get to this question.)
Does the contract state that customers must be informed of any data breach, regardless of whether there are local laws require it?
(Some states and countries don't have data-breach disclosure laws. You need to make sure that you are notified immediately if your data is exposed.)
Have you ever had a problem with malware before?
(This is a bit of a trick question. Everyone has dealt with a malware issue at some point. If the service says they have never had a problem, there are two possibilities, and both are bad signs. One, you know they aren't being candid, or two, they have no idea that they have a malware issue. This calls into question their other responses.)
Note: All the BCS solutions seemed to have a decent level of application controls within the communication app itself. The main concerns I found were around the infrastructure that the application (and your company's data) sits on.
We all know the importance of securing intellectual property (IP). Securing Board of Directors communications is absolutely essential. You have to take the time to do it right.
Remember, many organizations have put these systems in place without speaking to IT, and many of the companies that provide these services are just getting off the ground. While some of these portal providers may be built with the highest security in mind, many will not. You can't afford to be with one that has not built upon a strong security foundation.
Jason Clark is CSO of Websense.