In this first of a two-part installment of Cofense Questions and Answers, we’ll talk again with David Mount, senior director of product marketing at Cofense, about how CISOs can explain to the board of directors why phishing defenses are so important and what the board can do to help keep their respective companies safe.
SC Media: The damage that a successful phishing attack can incur can be considerable and ultimately could require a board-level response. What responsibility does the board have in dealing with such attacks, and what actions can the board reasonably take?
David Mount: To deal with an attack that could lead to a compromise, and ultimately a damaging data breach, organizations must get visibility of the attack first. Solely relying on technical controls to protect the organization is not sufficient. With over 90% of data breaches being attributed to successful phishing attacks, the board must set the tone for collective defense. That is, ensuring employees understand that defense against phishing threats is everyone’s responsibility. End users are not merely consumers of an organization’s data, they are its custodians too. The board must actively support programs that enable and empower employees to be resilient to phishing attacks, and become the human sensors that provide visibility into attacks that technology has missed. Incident Response teams must then be provided with the resources that enable them to effectively respond.
SC: What should the CISO do to train their board of directors and other senior-level executives about the dangers of phishing attacks and what should these individuals be doing to protect themselves?
DM: It is not unusual for the dangers of phishing attacks not to be fully understood. The phishing threat landscape is constantly evolving, with threat actors continually updating their tactics and techniques to ensure delivery of a malicious payload and to achieve success on their objective. Attacks such as WannaCry and NotPetya, whilst not delivered by phishing emails, quite easily could have been, and should serve as a wake-up call as to how destructive modern-day malware attacks can be. It is essential that the board understands the evolving threat landscape, and how this impacts the data, systems or business processes that they need to protect. We see threat actors quickly leveraging a new vulnerability when it is made public.
SC: The CISO knows that phishing and malware are a business imperative because they need to deal with the clean-up after an attack. What kind of education do boards need today to ensure that they are up to speed on the challenges the line officers face — the CISO, CIO, and operations managers — when it comes to funding, personnel and the occasional prioritization of security over operations?
DM: The WannaCry and NotPetya attacks demonstrated the devastating impact that malware can have on business operations – the clean-up after these attacks often took herculean efforts, and required significant, unbudgeted investment. In many cases, investment that had previously been requested, but rejected, might have helped mitigate some damage, and was subsequently fast-tracked. As a result, the board must understand the challenges that operational teams face in keeping the business functioning in the face of the evolving threat landscape. The board must be educated on the specific risks and attacks that are being experienced every day, and the costs of these due to business disruption and lost productivity, and must ensure they have a full incident response plan for a major incident and practice it with tabletop exercises that are taken seriously. These practice drills will better prepare them for the real incident as well as provide insight into the hurdles faced by the line officers.
Part 2 of this Q&A with David Mount will post July 15.