Dark web monitoring and burner phones are among the ways members are minimizing risk in the modern world.
In a world increasingly plagued by ransomware, and now the threat of AI-driven mischief fueled by the rise of large language models like ChatGPT, it’s time for cybersecurity policies to adapt with the times, according to members of NeuGroup for Enterprise Risk Management.
- At the group’s first-half meeting, one member shared their experience leading a company-wide initiative to create a comprehensive cyber risk policy. A guest in attendance who works at a management consulting firm that supports cybersecurity initiatives at multinationals and government agencies offered additional insight.
- In addition to “derisking,” the guest said that he’s seen the company’s work on cybersecurity help clients save money on insurance. “If you have the right programs in place, you actually have a counterweight and can negotiate.”
Clear guidance on existing tools. The first step is to take a look at every tool the company uses, the presenting member said. Multiple members in the session discussed the importance of addressing risks associated with cloud-based ERP systems, which are commonly used but can also be vulnerable to cyberattacks.
- “It’s important to consider the details on the arrangement with your cloud service provider,” the member said. “You really have to have a lot of monitoring and protecting when you have those systems—we are pretty segregated in our systems.
- “We have had breaches, but we have been able to keep them contained as a result.”
- The guest at the consulting firm shared a story about a company he was familiar with but was not a client. He said the business had done everything right to set up a cybersecurity policy, but didn’t properly vet its cloud provider, which had a breach resulting in the disclosure of customer names.
- “That’s why we have dark web monitoring, so we can notice any servers or domain names for sale by malicious actors,” he said. “So we can tell our clients, you’re fine, but your supply chain has a problem.”
Auditing with a fine-tooth comb. But it’s not as simple as vetting every tool that the company itself employs. Apps can be easily accessed and downloaded by individuals, which creates exposure to a number of risks business leaders may not even know about.
- One member said that the messaging app WeChat was being used by treasury employees to collaborate on projects, but the company hadn’t granted access to the app. “Our external auditors even wrote me a note that there was a typo—’WeChat.’ They didn’t know what it was!”
- “Legal is often the last to know about these things, which is where the risk is,” the presenting member said. “The people that can protect you from a threat might not know it exists, they don’t know what to protect us from.”
- The solution, she said, is to closely monitor all employees and the tools they use, especially ones connected to the internet.
International footprint, international policies. For companies with a global footprint, it is also important to establish policies that account for differences in risk across regions, and employees who travel to high-risk parts of the world as geopolitical tensions rise.
- One member has guidelines requiring that specific apps are turned off during flights to certain countries; other companies issue encrypted burner phones and laptops, which typically include less sensitive information on hard drives, for travel to riskier regions including China, Russia and Eastern Europe.
- “We have several countries that we do specify burner requirements,” the presenting member said. “But we only have so many PCs and phones lying around that are ready.”
- Having regional risk policies is also important for data breach reporting, which countries regulate differently. In the US, a proposed SEC rule would require public companies to inform shareholders within four days of determining a cybersecurity breach was a “material” incident.
- “It’s very important to have a plan for a breach in place ahead of time,” said the guest. “We go in before there’s a problem, and we just want to know what the environment is. I’ve heard that some data breaches can take 25-30 days before they are back up.”