This is a two-page collection of the best thinking in cyber security, suitable for CEOs, CFOs and Board members.
The 10 Immutable Laws of Security
- If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
- If a bad guy can alter the operating system on your computer, it's not your computer anymore.
- If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
- If you allow a bad guy to run active content in your website, it's not your website anymore.
- Weak passwords trump strong security.
- A computer is only as secure as the administrator is trustworthy.
- Encrypted data is only as secure as its decryption key.
- An out-of-date antimalware scanner is only marginally better than no scanner at all.
- Absolute anonymity isn't practically achievable, online or offline.
- Technology is not a panacea.
The 5 Knows of Cyber Security
- Know the value of your data: You need to know what value it has, not just for your organisation and customers but also the value to those who may wish to steal it. All data has value to someone.
- Know who has access to your data: You need to know who has access both within an organisation and externally, like who has ‘super user’ admin rights in your organisation and within your trusted partners and vendors.
- Know where your data is: You need to know where your data is stored. Is it with a service provider? Have they provided your data to other third parties? Is it onshore, offshore or in a cloud?
- Know who is protecting your data: You need to know who is protecting your valuable data. What operational security processes are in place? Where are they? Can you contact them if you need to?
- Know how well your data is protected: You need to know what your security professionals are doing to protect your data 24/7. Is your data being adequately protected by your employees, business partners and third-party vendors who have access to it?
NCSC Key questions for CEOs and boards
Protection of key information assets is critical
- How confident are we that our company’s most important information is being properly managed and is safe from cyber threats?
- Are we clear that the Board are likely to be key targets?
- Do we have a full and accurate picture of:
  - the impact on our company’s reputation, share price or existence if sensitive internal or customer information held by the company were to be lost or stolen?
  - the impact on the business if our online services were disrupted for a short or sustained period?
Exploring who might compromise our information and why
- Do we receive regular intelligence from the Chief Information Officer/Head of Security on who may be targeting our company, their methods and their motivations?
- Do we encourage our technical staff to enter into information-sharing exchanges with other companies in our sector and/or across the economy in order to benchmark, learn from others and help identify emerging threats?
Proactive management of the cyber risk at Board level is critical
- The cyber security risk impacts share value, mergers, pricing, reputation, culture, staff, information, process control, brand, technology, and finance. Are we confident that:
  - we have identified our key information assets and thoroughly assessed their vulnerability to attack?
  - responsibility for the cyber risk has been allocated appropriately? Is it on the risk register?
  - we have a written information security policy in place, which is championed by us and supported through regular staff training? Are we confident the entire workforce understands and follows it?