Page 25 - CCCA 259155 Magazine_Winter 2016
{ FEATURE }
3 BEWARE THE LOWEST COMMON DENOMINATOR

Steve Rampado, a partner in the Enterprise Risk Services at Deloitte, says cyber thieves go after the “lowest common denominator.” That includes employees who are lax in controlling their passwords or who fall prey to “phishing” expeditions and wrongfully open emails with malware or give up details under false pretences. “It’s a very patient game and a very long game these underground organizations are playing,” he warns, and it starts with the “weakest link.”

4 TAKE THE LEAD

Security expert Tobok says that “IT should never be in charge of security,” nor should the chief financial officer. While CFOs are good with money, they “[may not] have a clue about security,” he says. On the other hand, the IT department has built the system and might be blind to its weaknesses. The best place for security responsibility to reside, he feels, is the legal or compliance department.

5 ANALYZE THE GAPS

Burke says undertaking cyber security and gap analyses is a critical first step in moving a company forward. That means hiring an outside firm to review your internal operations. A good cyber security firm can help you quickly spot the weaknesses and suggest ways to plug the holes, he adds.

6 BEWARE OF YOUR SUPPLY CHAIN

One of the weakest links is an organization’s supply chain. The hackers who broke into Target’s system came through an HVAC vendor. Deloitte’s Rampado warns that even law firms can be a weak link: “Many are small and may not have the same level of security,” yet they often have sensitive client data. It’s imperative that companies get assurances from their third-party suppliers—supplemented with independent audits—that their information security systems are robust and meet the governance standards set by your company.

7 PREPARE INCIDENT RESPONSE PLANS

Breaches are inevitable and when they happen you need a roadmap to guide you, experts say. So, similar to a disaster recovery plan, companies need to develop a cyber incident response plan, and make sure you can access it during an attack. Know who you need in the room and who to call in from outside, and make sure your resources can respond at a moment’s notice. Most importantly, though, experts say you need to test the plan. Run some live fire drills to work out kinks and see how the plan transfers from paper to real life.

8 BOARDS NEED TO KNOW

The reputational risk is enormous when it comes to a cyber breach. It’s important to involve the board early in the game and provide regular reporting about controls that are in place and incidents. Tobok says too many boards suffer cyber denial. “They say it will never happen to us and if it does, we will just handle it.” By then it’s too late, he warns.

9 EDUCATE, TRAIN, EDUCATE, TRAIN

Experts say that one of the simplest ways to deter cyber breaches is through a mandatory employee education program. People need to understand why they have to change passwords regularly and follow security protocols. Test them by exposing them to phony emails so they learn what a phishing threat looks like, says Stacey.

“Part of managing [cyber] risk is education—not just employees, but your board—on what your risks are and how to mitigate them,” she advises.

Mackenzie adds, “You can have the best system in the world, but it is only as good as the employees following it.” ❚

Jim Middlemiss is a writer based in London, Ontario.

Pull quote: "It is likely that much of the heavy lifting in terms of developing better breach response plans and preparing policies and procedures to combat cybercrime will fall on the shoulders of the legal department."
CANADIAN CORPORATE COUNSEL ASSOCIATION | CCCA-ACCJE.ORG 25