Cybersecurity Planning – Part 2 – Needs, Compliance and Threat Analysis

In the first part of cybersecurity planning, we discussed the top-level alignment of your security strategy with “The 3 R’s”:

-          What gets you Rich?

-          What can Ruin your business?

-          What is Required by regulators or customers?

The 3 R’s are largely business drivers, not technology or security drivers. In part 2 of this series, we go into more depth and bring cybersecurity experience and expertise into the planning exercise to understand detailed requirements for cybersecurity.

Building on the 3 R’s defined in part 1, some activities you’ll perform next are:

1. A needs analysis of your revenue-facing systems and processes

Assuming your systems are performing well for the business, you will be focused on needs related to: Confidentiality, Integrity and Availability of data and systems.

When choosing what systems to investigate, look for systems that support the primary mission of the business. Likely candidates are: Point-of-Sale, e-commerce, sales, finance and communication systems. When understanding the needs of these systems and processes, ask the business owners and users “what happens if you can’t use the system?” You’ll be amazed at what you discover.


2. A compliance analysis to understand what regulations apply to your business

Think you’re not regulated? While you may not be directly regulated, your customers today and tomorrow may be. Many of your customers’ requirements flow through to you as a vendor.

Understanding compliance requirements includes both what prospective controls must be in place as well as the processes and procedures for incident response and business continuity. As you go through this analysis, understanding the complex, overlapping requirements for regulations generally requires regulatory experience and skills. If you don’t have the necessary skills and experience in-house, find a reputable vendor or consultant to help.


3. A threat analysis to understand what factors can do harm to your business

Threats can be human or non-human, malicious or non-malicious. Threats can originate from natural disasters, software, political activism, external vulnerabilities or internal mistakes.

Hackers get the press, but most incidents are self-inflicted. Understanding how your systems can be taken down and how data can be breached is an important step in creating a real strategy. Without a threat model and some investigation to test the model, you don’t know what you don’t know. I can’t stress enough how important it is to understand what threats you face BEFORE you begin your risk assessment and strategic plan.

Third-Party Analysis Leads to a Roadmap for Security

Step one can and should be performed by in-house employees. Defining the 3 R’s should be normal business practice for everyone. When it comes time to perform the objective analysis of your business, an external 3rd party can be very useful. Uncovering areas where employees may be afraid to look or unwilling to report bad news is the job of 3rd party consultants. Giving objective information back to the business allows companies to fix what’s wrong and focus on building team processes for the future.

Once an organization has documented the 3 R’s and quantified the needs, compliance requirements and threats to the business, you can move towards the risk assessment that will lead to a strategic plan and roadmap for security.

Planning for your Cyber-Safe 2019 – Part 1: Where do I begin?

As the turkey is wearing off and the end-of-year shopping season is upon us, I think about all the businesses that will suffer breaches on Cyber Monday. In 2017, 75% of workers admitted they will shop online from work today according to Robert Half Technology. With the average single-product security solution (think Anti-virus) being only 22% effective in stopping network intrusion, a higher than average number of companies will be breached on cyber Monday given the soaring numbers of fictitious and infected sites in cyberspace.

Think you’re ok because your computers still work and everything seems OK? The average time from infection until detection is 145 days. Hackers lie in wait on your network and creep laterally, stealing data slowly to avoid detection. You probably won’t know that you’ve been breached until sometime in April.  

If you haven’t planned for how to stop your network from being infected when your employee clicks on a cyber Monday offer and infects your network, it’s probably too late. However, planning now for 2019 can help you rest well next cyber Monday and know that you’re doing all you can to protect your business.  

Where do I begin planning for cybersecurity?

 Often companies purchase a security product or service, turn it over to IT and declare the job of security done. Companies who do this almost certainly do not have a comprehensive cyber-safety plan inclusive of People, Process, Technology and Data.

 Security products have their place in an aligned strategy. How do you create alignment? The first step in aligning security to the business is to define the 3 “R’s” for your business:


1)      What gets your company Rich?

Rich can literally mean revenue or profit for commercial entities or rich can mean meeting social, government or business goals or milestones that fund the company. Securing your revenue systems, financial systems, payroll, HR and other key functions is job #1.


2)      What can Ruin your company?

If your company is in the public eye, any reputation impact for privacy and security violations can kill your business. Any public trust violation or impact for which there is no reasonable recovery are ruinous events for many companies. Protecting against those events that could bring the business down is a key driver for security.


3)      What is Required?

If you are in Healthcare, HIPAA compliance is required. If you’re publicly traded, SOX compliance; if FDA regulated, NIST / ISO alignment is required; if you operate in Europe or have European client data, GDPR compliance is required. These are the table stakes of security and compliance work. Meeting requirements simply and effectively is a cornerstone of any security plan.


Once you know the 3 R’s about your business, you have the foundation for a plan. Every action you take should be aligned. If what you’re doing isn’t adding clear benefit, stop doing it and align back to this model. In Part 2 of this series, we’ll talk about assessing your current security posture against the 3 R’s and determining a strategic cybersecurity plan for your business. 

Op-Ed: The Orangeworm Attacks — Why You Should be Worried

In yet another cyberattack aimed at the healthcare industry, a hacker group named Orangeworm recently targeted healthcare orgs in the U.S., Asia, and Europe. The attacks were aimed at computers that control X-rays and MRI machines, in addition to other medical devices. Yikes.

The Orangeworm attacks not only highlight vulnerabilities specific to the healthcare industry, but also shed light on overarching cybersecurity deficiencies that can affect other industries. After seeing increasing numbers of these kinds of attacks, it’s apparent how many businesses aren’t prepared for a major cyberattack. There are several key points that businesses need to immediately improve upon to prevent similar cyber breaches from happening.

What Are the Orangeworm Attacks?

The attacks utilize Trojan malware to install custom backend software called “Kwampirs,” which gives the hackers the ability to execute various commands and access additional modules. Once activated, the malware can add randomly generated string to its payload in order to avoid hash-based detection.

Kwampirs then copies itself across networks with the goal of infecting other medical machines and devices. According to Symantec, which released a report on the attacks, the incidents are likely motivated by corporate espionage.

Main industries affected by the attacks include:

  • healthcare (39% of known targets)

  • drugmakers

  • IT solution providers for healthcare companies

  • equipment manufacturers servicing the healthcare industry

Secondary targets included:

  • manufacturing

  • logistics

  • agriculture

Orangeworm may also have had an interest in machines used to help patients complete consent forms. This means patient privacy and confidentiality may also be an issue.

The Orangeworm cyberattacks are likely not state-sponsored, but rather an individual or group of individuals. We don’t see indicators at the moment regarding the group’s origin.

What Types of Cybersecurity Risks Do the Orangeworm Attacks Reveal?

The recent Orangeworm attacks speak volumes about lack of cybersecurity preparedness exhibited by companies in the healthcare industry and other sectors. In short, we feel many companies are not prepared for a cyberattack for the following reasons:

Companies Lack Cybersecurity Guidance

Word started getting out regarding Orangeworm threats as early as 2015. That’s 3 years, which in the cyber realm, represents ages in terms of new technologies and hacking techniques. Three years later, many healthcare organizations are still not prepared to defend against threats such as Kwampirs.

Part of the problem lies in a lack of education and leadership. There is an overall shortage of qualified cybersecurity experts and leaders who can train employees and IT teams on how to keep systems secure and updated. Without proper cybersecurity guidance, healthcare organizations often don’t know what risks they’re facing.

We’re excited to learn about new educational programs and curriculums that encourage students to pursue careers in cybersecurity and other related fields. In fact, one program in New York is making cybersecurity master’s degrees more affordable for the public. 

On the other hand, until the next strong generation of cybersecurity experts emerges, cybersecurity remains a global responsibility, Businesses must keep top of mind in order to protect their assets. In the meantime, businesses need to take proactive steps now to ensure cybersecurity is a top priority.

We also feel there needs to be greater coordination between boards, executives and directors, and cybersecurity leaders. They should be mindful of previous incidents in related industires and understand that some threats may disappear only to later re-emerge in a more advanced form, as was the case with the Orangeworm hacks. 

Cyberattacks Are Not Random

At first blush, cyberattacks may seem like they happen randomly. But according to reports, Orangeworm chose its targets very deliberately and conducted an impressive amount of planning before launching attacks. Specifically, Orangeworm’s list of secondary targets are of particular interest. These are industries which, upon closer inspection, support the healthcare industry in direct ways.

For instance, manufacturing targets composed 15% of Orangeworm’s victims. This includes large manufacturers that directly support the healthcare industry through the production and sale of equipment, including the medical imaging devices targeted by the malware.

This supports the notion that industry suppliers can be a major weak link in the cybersecurity chain. Thus, when assessing cyber risks and threats, companies should take a good look at:

  • how the supply chain is arranged for a particular business

  • which ancillary industries might affect the company

  • which supporting businesses might create additional cyber risks

While these questions might appear basic, they can shed light on the vulnerabilities that exist in a specific industry. The more you understand your place in the supply chain, the better protected you can be. Self-knowledge informs what type of target you are, why hackers might be interested in you as a target, and what types of targets your partners and suppliers might be.

Cyberattacks Exploit Gaps and Outdated Platforms

The Kwampirs malware exploited outdated platforms that many organizations in the healthcare industry still use. Older systems, such as Windows XP, created gaps in the overall security measures for healthcare organizations, thus increasing the risk of a data breach or cyberattack.

Generally speaking, cybersecurity tools may still be fragmented, and often don’t cover threats that can enter through vulnerabilities in antiquated operating systems. Complete, updated coverage is necessary, especially in the healthcare, legal, and financial sectors, which often use outdated software platforms.

The Future Depends on Strong Cybersecurity

Cyberattacks in the healthcare industry are particularly disconcerting not only because of the potential lost revenue, but also because people’s health and lives are at stake. It’s one of the reasons we’re so passionate about keeping industries safe and sharing knownledge transparently. The Orangeworm attacks should serve as a stark reminder for business and companies to make cybersecurity a priority, not an afterthought. 

Attacks will continue to spread across supply chains and may affect various other critical infrastructure industries. Now is the time to bolster security efforts and devote the time and resources necessary for cyber preparedness.

Aeonian Endpoint Is A Comprehensive SaaS Security Tool For Your Business

Introducing a Simple, Integrated, SaaS Security Tool Focused on the Social Good

At a time when ransomware attacks occur every 40 seconds, and annual damages are forecasted to hit $11.5 billion, cybercrime poses a greater threat to businesses than ever before. Addressing this issue, San Diego-based ICE Cybersecurity developed Aeonian — a new type of endpoint security protecting people and devices all on one platform.

“We built the tool we all wanted, but didn’t have,” says Ford Winslow, co-founder and CEO of ICE Cybersecurity. “This is what we wish was installed when our response team arrives at a business that’s having a bad day. Aeonian gives us a fighting chance.”

Officially unveiled at 2-1-1’s Community Information Exchange Summit on April 17th, Aeonian offers an innovative, risk-based approach to endpoint monitoring and reporting that gives users a centralized dashboard comprising all security efforts. Aeonian is designed to be useful and contribute to the larger solution. 

“Aeonian isn’t about selling endpoints,” says Winslow. “It’s about helping people. We know better than anyone that cyber attacks can be painful and expensive. Aeonian makes it less painful and less expensive for everyone involved.” 

Aeonian software was developed with outcome in mind — a distinguishing feature from other security offerings, allowing ICE to provide your business protection and continuity.

“In most businesses, security tools are fragmented and don’t cover everything completely,” says Winslow. “Attacks come in through the gaps, but not with Aeonian as the center of your system. It encompasses everything, so you get complete coverage.”
“Everybody is scared of cyber right now,” says Winslow. “What we’re doing is building that platform of hope so we can make a difference by offering protection from the bad guys attacking you, your family, and your company.”

A complex and perilous cybersecurity landscape calls for comprehensive cybersecurity that manages loss and prepares for data recovery. Start protecting your people, your devices, and your data all in one platform. Aeonian can transform your fragmented landscape of tools into a single cybersecurity strategy that’s aligned, practical, and effective.


About ICE Cybersecurity

ICE Cybersecurity is changing the face of technology by bringing safety and risk reduction to the business as a whole. We believe that businesses are better when cybersecurity measures are aligned, practical and effective. Our unique platform and approach yield spectacular results for companies of all sizes.



2018 Winter Olympic Games Cyber Attack is No Laughing Matter

It didn’t take long for the 2018 Winter Olympics to be hacked.

News of the first hack broke shortly after the Opening Ceremonies were majestically unveiled for U.S. viewers the evening of Feb. 9.

What’s worth contemplating for cyber experts who track such threats was that the Winter Olympic Games cyber attack had its origins well before the Pyeongchang Games began.

Even with the Games’ $20 million cybersecurity apparatus— based on its gargantuan $13 billion total operating budget — seeds of the planned attack went undetected for at least several months — as far back as December 2017 and likely before.

The situation is similar to the Equifax cybersecurity meltdown, which also involved months of preparation prior to the actual cyber attack against a seemingly well-prepared and funded company.

The suspected culprit, in this case, a destructive wiper malware dubbed “Olympic Destroyer,” wreaked havoc in a number of ways, led by the crash of the Winter Olympics website, slowing ticket sales as the Games got underway.

The crisis was averted and went largely un-noticed.

Potential to Destroy Data

Luckily, the impact was relatively minor. Left uncontained, the Olympic Games cyber attack reportedly had the potential to destroy mass quantities of data and cause massive computer failures that conceivably could’ve brought the Games to a halt.

Following the opening ceremonies, Atos, the Paris-based IT provider hosting the Olympics’ cloud infrastructure, announced that the hack had been minimal and sufficiently contained.

But according to Cyberscoop, samples of the “Olympic Destroyer” malware indicated the hackers also gained access to large swaths of personal information for Atos’ thousands of on-site employees.

How could that happen?

Common Tactic Used by Criminal Hackers

Most likely the cyberthieves targeted one of Atos’ supply-chain vendors and penetrated systems, a common tactic used by both nation-state and criminal hackers.

As for the hack’s geographic origins, early indications pointed to France (home of Atos) and Romania, where many of Atos’ security team are headquartered. The usual culprits — Russia, China, and North Korea — are also suspected, though, as with virtually all cyber attacks, finding such sites is often impossible to pin down.

For its part, the Russian foreign ministry issued a statement that denied any involvement, claiming in part:

“We know that Western media are planning pseudo-investigations on the theme of 'Russian fingerprints' in hacking attacks on information resources related to the hosting of the Winter Olympic Games in the Republic of Korea. Of course, no evidence will be reported to the world.”

Meanwhile, cyber-researchers are keeping in mind that:

  • The 2018 Winter Games are being staged only 50 miles from the border with North Korea, one of the world’s most belligerent nation-states.

  • Technically, North Korea remains at war with South Korea since their 1950-1953 war ended in a truce rather than a peace treaty.

  • In the Opening Ceremonies, the teams marched together at an Olympics opening ceremony for the first time since 2006.

Which is among the many reasons the International Olympic Committee (IOC) took out insurance protection estimated at around $800 million to cover a range of calamitous events – ranging from cyber attacks to declaration of war, actual war or acts of war.

Is hacking the next Olympic sport?



How Bad was the Equifax Data Breach?

New Information Shows the Breach Worse than First Reported

How worried should you be about last year’s Equifax data breach?


That’s the warning for the more than 145 million Americans — nearly half the nation’s total consumers — whose personal data was compromised in what ranks among the largest and most significant cyber scourges in history.

In first responding to the highly publicized September 2017 breach, Equifax reported that the hacked information included (only) the following:

  • Names

  • Social Security numbers

  • Dates of birth

  • Addresses

  • Driver’s license numbers

Now, according to The Wall Street Journal and other outlets, Equifax disclosed in a sealed document submitted to the Senate Banking Committee that the following data also was accessed:

  • Credit card numbers

  • Tax ID numbers

  • Email addresses

  • Driver’s license issue dates

  • Driver’s license states


A Series of Investigations by Federal and State Officials

What’s extremely disturbing about the latest revelations is this: It took a series of investigations by federal and state officials – led by Congress – to bring the hack’s full impact to the light of day.

Three things to consider:

  • The Equifax hack was far more invasive than previously reported

  • Companies like Equifax keep records of far more personal information than most consumers realize

  • If you’re among Equifax’s 145.5 million scammed consumers, cyber criminals now have far more access to your finances

A nearly $900 million company based in Atlanta and one of the national credit bureaus, Equifax is now scrambling on several fronts. Not only because its initial report glossed over the full extent of those adversely affected, but because of its slow response to users and lawmakers.

First, the company failed to adequately inform its users -- many of whom had no idea the company was keeping such personalized data on them in the first place -- that they were, indeed, very vulnerable.

Then, in the hack’s immediate aftermath, the company’s CEO, Richard Smith, resigned under pressure. A few months later, he was rebuked by Senate committee members for evasive non-responses to their questions.

Plus, in a side development fraught with political intrigue, the Consumer Financial Protection Bureau (CFPB), the federal agency created by the Dodd-Frank Act as a banking and credit watchdog, immediately halted its inquiry into the Equifax data breach following the change in leadership.

Maybe they hoped it would go away.

Heading the Office of Management and Budget

Equifax now offers its clients free credit “freezes” through June 30. Freezing your credit helps prevent new accounts from being opened in “your” name. But remember, if you actually do need a home loan, new credit card, or want to open a bank account, that temporary freeze will need to be lifted.

Not quite enough to erase the psychic and fiscal pain of millions of consumers like you and probably everybody you know.

Negligence by Equifax? Certainly.

Negligence on the part of the federal agency that’s supposed to protect millions of U.S. consumers from the dizzyingly inadequate cyber security of companies like Equifax?

Most definitely.

If you would like to get started on a comprehensive cybersecurity plan to protect against hacks like the Equifax breach, ICE can be of value to your organization.

Contact us today and let our cybersecurity experts elevate your company’s security measures and put your risk on ICE.



Chinese Tech Companies Were the First to Know About the Intel Chip Flaw

A member of Google’s Project Zero Security Team discovered a flaw that affects computer processors built by Intel and other chipmakers. The initial discovery came a week before Intel planned to release information about the flaw, but not before Intel informed Chinese tech companies like Lenovo and Alibaba.

Google’s Project Zero team has concerns about the flaw allowing passwords and other sensitive data being gathered from system memory. Both Intel and Google were planning on releasing information about the flaw after fixes were made available. Intel was forced to disclose early when British technology site ‘The Register’ reported it.

Intel’s decision to disclose to Chinese tech companies before the U.S. Government raises concerns from cybersecurity experts. It could have allowed information about the chip flaws, dubbed Spectre and Meltdown, to be obtained by the Chinese government before public release.

Spectre and Meltdown Affect Billions of Devices

These bugs potentially subject individuals and businesses to hackers. There’s been no report yet of the bugs causing a breach, but hackers are scrambling to create and release exploits while companies are in a mad dash to update their software and devices.

Fixing the problems will slow computer performance, especially on devices older than five years. So this problem could be a potentially massive undertaking for companies without the budget for new hardware. These bugs also affect companies that deal with more network traffic and processing power, like cloud providers, retailers and healthcare systems.

Big players (Microsoft, Amazon, Apple and Google) are rolling out fixes quickly, but there have already been snags. Some Microsoft Azure customers reported their machines failed come back online after installing updates.

Some patches aren’t automatic because they can cause programs to crash, so businesses will be on the hook to make sure anti-virus and other security tools are compatible with the update, said Dmitri Alperovitch, co-founder and CTO of Crowdstrike.

How Should Companies Protect Themselves?

The biggest concern with Spectre and Meltdown is that breaches will happen quietly. Problems may not be immediately apparent the way they are with ransomware. If systems are performing, companies might not bother updating their hardware and software.

Updating computer systems is already time-consuming and expensive for businesses, but it is essential. It’s only a matter of time before hackers start exploiting these bugs on vulnerable systems.

If you find the concern is overwhelming your business, consult an expert.

Cybersecurity Landscape for 2018

NotPetya. WannaCry. Spora. Sound all too familiar?

This year’s onslaught of global cybercrimes rightly struck fear into anyone who uses a laptop, a hand-held device or owns a business. With each attack, the anxiety factor grows into a sense of vulnerability, dread, even helplessness.

Looking ahead to 2018, what’s your best defense? How can you protect your family, your company, your employees and business reputation from the potentially dire effects of identity theft and the scourge of ransomware?

Meet industry experts to hear their 2018 cyber forecast at our “Cybersecurity Landscape for 2018,” a 45-minute thought leadership panel discussion set for Thursday, November 16. The event will run from 6:00 pm to 8 pm, at ICE Cybersecurity, located in the NEST building in Bankers Hill.

 Moderated by ICE Founder/CEO Ford Winslow, the event will introduce you to key industry players who will share their assessment of the next level of cybersecurity threat.

Scheduled panelists include:

  • Ted Harrington, Independent Security Evaluators

  • Paul Groom, National Strategic Account Manager, SonicWALL, Inc.

  • Paul Leet, Solutions Architect, SonicWALL, Inc.

  • Roy Bettle, Vice President, Sales & Strategy, ICE Cybersecurity

Light food and drinks will be available at the complimentary event, sponsored by Seceon and SonicWALL.

Who Should Attend: C-level officers interested in assessing cyber threats for 2018.

Can't make it? Contact Roy Bettle, VP Client Solutions at 442-273-0910 to share our post-event write-up.

3 Ways Ransomware Affects Healthcare Cybersecurity

Ransomware encrypts files and effectively locks users out of their computers and data. Those behind this type of cybersecurity attack then ask for money - ransom - in exchange for your data. It is estimated that 7.4 million new malware programs will be released in 2017. That’s about 850 per hour.

Most ransomware is delivered in an email. In healthcare systems, ransomware can make its way in through common programs like electronic health record and billing systems. Most ransom is paid in bitcoin, making it difficult to track criminals once the ransom has been paid.


   1. Ransomware Halts Patient Care


Hospitals across England and Scotland were forced to cancel routine procedures and divert emergency cases after a May 12, 2017 Ransomware attack that affected 99 countries. X-rays were halted. Chemotherapy treatments were put on pause. Records necessary to perform surgery were inaccessible. Critical test results were inaccessible. Affected healthcare workers stated that they were not aware of the issues with dated hardware, software and cybersecurity measures until the attack had already compromised patient care.


    2. Ransomware Compromises Patient Records

Records for over 200,000 patients were leaked in a ransomware attack on Atlanta-based Emory Healthcare on Jan. 3, 2017.  Files included names, addresses, emails, birth dates, medical record numbers and cellphone numbers. Medical record breaches have also caused leaked mental health and medical diagnoses, HIV statuses and sexual assault and domestic violence reports. Weather or not the records were used by criminals, the Emory Healthcare’s patients suffered breach notifications, loss of trust and ultimately more barriers to healthcare.

    3. Cybersecurity Attacks Cause Financial Loss

Remember those leaked patient records? A recent study conducted by the Ponemon Institute for IBM estimated that breaches cost U.S. companies on average over $7 million per breach. That’s an average of $215 per breached record. Additionally, companies like Merck had their supply chains for distribution of medical products disrupted by ransomware in June 2017.

Prevent Ransomware Attacks with Cybersecurity Assessments

It is the current recommendation of the FBI that public and private health entities have their networks checked for vulnerabilities by a professional and then work with internal or 3rd party teams to resolve issues and maintain a secure posture.

6 Cybersecurity Action Steps for Corporate Directors

Equifax Cybersecurity Incident Response Under Investigation

Equifax, one of the major credit reporting agencies in the U.S., reported a data breach Sept. 7 that affected 143 million consumers. The hack is one of the largest ever recorded and may have released personal details of an estimated 44% of the U.S. population.

According to The Apache Foundation, makers of an open-source software used by Equifax to create Java web applications, cybersecurity professionals offered Equifax security updates that would have resolved the vulnerability two months prior to the hack.

The U.S. Federal Trade Commission, the congressional House Oversight Committee, the Consumer Financial Protection Bureau, multiple state-level attorney generals and departments of financial services have all begun an investigation of the breach and Equifax’s cybersecurity incident response.

Board of Directors at Risk Over Cybersecurity

This week Equifax announced that their Chairman, Richard Smith, has stepped down as CEO following the cybersecurity breach. The week before, Equifax’s chief security officer and chief information officer stepped down as well. Despite the distance that exists between the senior executives of large organizations and their IT professionals, executives are largely held accountable for oversights, especially when they have a negative impact on consumers.

Corporate directors need to pay attention to the wide range of cybersecurity risks uncovered by this attack, and should implement measures to address any vulnerabilities their companies face. In times like this, any board will come under extreme scrutiny. They will be asked how they handled several executive issues, including board management, data privacy oversight, and executive compensation policies.

In particular, all boards should be concerned about cybersecurity policies and examine their capacity to defend against today’s rapidly expanding data theft. Henry Stoever, Chief Marketing Officer at National Association of Corporate Directors (NACD), says, “There are two kinds of companies: those that know they’ve been hacked, and those that don’t know they’ve been hacked.” Accordingly, Stoever states that there are six action steps for corporate directors to take to improve cyber security measures:

Are you at risk? Get started with a robust cybersecurity plan.

Six Cybersecurity Action Steps for Boards

  1. Approach cyber security as an enterprise-wide risk management issue, not an IT issue

  2. Understand the legal implications of cyber risk as they relate to their company’s specific circumstances

  3. Ensure boards have adequate access to cybersecurity expertise

  4. Facilitate discussions about cyber risk management on a regular basis and allow adequate time on board meeting agendas for robust discussions with the management team and external cyber experts

  5. Require the management team to establish an enterprise-wide cyber risk management framework with adequate staffing and budget

  6. Strategize discussions with management to include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance — as well as specific plans associated with each approach

Cybersecurity Incident Response and Accountability

In a statement released to the public, Equifax CEO Richard F. Smith stated “This is the most humbling moment in our 118-year history.”

Equifax has the opportunity now to refine their accountability practices. Public opinion and stock value for Equifax have suffered as a result of the incident, the late release of information to the public and the subsequent discovery of issues with the company’s phone system and website. Taking steps to ensure regular assessment of their compliance and performance would go a long way in earning back the public’s trust.

The lesson here for every board member is that cybersecurity is an increasingly important enterprise issue that affects all levels of an organization’s operation. It requires comprehensive strategy and risk assessment. Cybersecurity is complex and must evolve quickly to combat cyber threats of increasing severity. These threats can cause significant financial, competitive and reputational damage.

If you’re not sure how to get started with a robust cybersecurity plan, ICE can help. For many companies, our Managed Security Services can cost-effectively solve these issues quickly and completely. Contact us today and let our experts help you improve your company's security and put your risk on ICE.