​What every Board Member needs to know about Advanced Persistent Threats?

You have been asked to present next month to the board about the enterprise readiness for Advanced Persistent Threats. From what you understand it appears that, either the Chief Risk Officer, External Auditor or a ex colleague of the Board has made this suggestion.

Unfortunately you really don’t know what level of awareness the board members have about Advanced Persistent Threats. With trepidation you start to prepare for this, and the first question is how honest should you be?

Then you wonder about opening pandora’s box and making this a moment that you will regret.

Honesty is the only policy

While you don’t want to incite any panic, it is all about getting the balance right around being confident in the approach that is being adopted, but also realistic to not provide any suggestion that your approach is bulletproof.

Yes, be honest. The worst situation would be to leave the board with the perception that everything is under total control. In the same vein you also never want them to think it is out of control.

For most of us, we aren’t good at lying and this will show in our expression. I’d hate to be in that situation. Honestly is the only policy.

Start at the Beginning

It is critical that the board gets it that an Advanced Persistent Threat is not a virus that can be simply addressed. Instead it can take many forms and the best ones morph to use different attack vectors.

This could be started with a simple virus infection, or malware that comes from an email or even code coming from a USB thumb drive. The board themselves are perhaps also part of the targeted group that hackers look to exploit.

That email from a board member’s personal pc at home to the CFO, could indeed be the mechanism to penetrate to the senior executive. Once this is understood that the scope is as wide, any reference to the need for education is a really great angle to ensure is shared.

The APT Lifecycle

What is going to help is use as much as possible ‘plain english’ and explain that these APT threats while using various approaches to get into an organisation, have an objective to remain undetected as long as possible.

Thus admitting to the fact that it is possible that these may indeed be already in the enterprise, collecting sensitive information and assessing when to take action. In your defence you can explain the measures that are in place to address this:

  • We have a ‘state of the art’ firewall to restrict access to your corporate network.
  • Endpoint software is deployed on all devices to prevent and detect malware
  • Strong passwords with two factor authentication is in place
  • The enterprise has strong Privacy and or PCI measures in place to protect sensitive information
  • Acceptable Use Policy is in place for all staff and they understand that Cyber Security starts with them no clicking on the wrong links

Wearing the Black Hat

Moreover it will be critical to demonstrate that we have internal staff and partners that we ask to wear the black hat. That means we are doing our own monitoring for vulnerabilities – reconnaissance if you like.

The resource will use all the dirty tactics of phishing, social media engineering attacks and perhaps even dumpster diving. We could also use a tactic to try mock attacks. This could involve a mock spear phishing attack and seeing what happens when random staff are sent a false message with an attachment etc.

Understanding the network and the perimeter and which ports are vulnerable. To this end I’ve met with Security companies that are pitching to work with me that have conducted such an exercise and they can highlight potential risk areas, even without breaking the law.

A random audit of SIEM logs can also provide some interesting insight. If your team is not closely monitoring these, then it is likely that any clues are being missed. Taking that sample and checking that any items that should be deemed suspicious was noted would be a great exercise. This is all about ‘trust but verify’.

Be confident but not smug

The board will appreciate your humility and that you are taking all measures to stay on top of any threat from Advanced Persistent Threats.

Being confident about the approach and having the board now fully informed, they are now in a position to re-evaluate the Enterprise Risk Appetite.

(Phew) you can keep your job – for now at least.

Join the CSO newsletter!

Error: Please check your email address.

Tags Board Memberadvanced persistent threatsDavid GeeChief Risk Officer

More about AdvancedAPTindeed

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Gee

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts