Security: 5 Key Questions Board Members Should Ask

By Tim Boivin

The increasing frequency, sophistication and cost of cyberattacks continue to handcuff enterprise operations around the world – for businesses in every vertical industry, for government agencies, for education systems, and even for non-profit organizations. 

The good news is that more than 95% of companies have implemented or are considering a Zero Trust approach to protect their infrastructure from attacks, according to an IDG Security Priorities study. The other good news is that board members are increasingly putting their IT teams under a much more focused microscope to determine if they are, indeed, prepared for such attacks.

CSO Magazine recently published this article on 13 traits of a security-conscious board of directors in which it examines the key traits that can help an IT team and their leaders to understand the security mindset of their organization’s board of directors. 

On the other side of the table, an excellent resource for board members is our e-book, Cybersecurity Risk: A Board’s-Eye View. In this e-book, we examine the five critical questions board members need to ask their IT teams to be able to fully assess their security posture:

Is complexity your enemy?

More is not necessarily better. Yes, you’ve invested millions in security solutions over the past decades. But if those solutions don’t talk to each other, if they don’t work together, they add a staggering amount of complexity that is hard for your IT team to manage across all those applications – not just on your local network, but in cloud, SaaS, web services, and even Shadow IT solutions that your IT team may not even realize are being used. All it takes is one unpatched solution, as happened in the notorious Equifax hack, and you could be facing millions or even billions in costs from a breach.

What role do your end users play in security?

Yes, it is all well and good that you have a security education plan in place for your end users. Every little bit of knowledge helps prevent hacks and reduce risks. But you also need to evaluate how much of a burden you are putting on the shoulders of your end users for security. Does your IT team require several different ways to access systems for different situations – such as cloud apps, VPNs, RDP, mobile devices and so on? If so, your end users will come up with their own workarounds to get the resources they need to do their jobs, and those workarounds will make your attack surface even more porous.

How vulnerable is your attack surface from open ports left exposed?

The ports your IT team opens up in your firewalls to allow access to applications, data and tools such as VPNs, RDP, the cloud and others are ticking time bombs when it comes to your IT security. It’s important that your IT team can comprehensively identify how many open ports they have across your infrastructure, and then determine whether your security profile is properly designed to prevent hackers from accessing those resources.

Does your IT team rely too heavily on usernames and passwords to protect your infrastructure?

Research shows that 57% of end users who suffer phishing attacks still don’t change their passwords after the attacks. If all you’re relying on is end user training to prevent these phishing attacks, your organization runs a much higher risk of being attacked by hackers using your own seemingly valid credentials. And without microsegmentation of your infrastructure, hackers can then easily move from resource to resource across your hybrid network to launch additional attacks. At a minimum, you should have some form of multi-factor authentication in place, and even better, be able to evaluate the full context of the end user’s access request – where the user is requesting access from, the type of device being used, the security status of that device, whether it is a managed corporate device or a jail-broken iPhone or rooted Android, whether it is running a current anti-virus application, whether it has the proper certificates, and much more.
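To make the "full context" idea concrete, here is an added example (not from the e-book or the author) of a small context-aware access decision: it takes the request attributes listed above and returns allow, step-up to MFA, or deny with reasons. The attribute names, the allowed-country list and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical context a policy engine would receive with each access request.
@dataclass
class AccessContext:
    user: str
    mfa_verified: bool         # did the user complete a second factor?
    source_country: str        # where the request originates (ISO code)
    device_managed: bool       # corporate-managed device?
    device_compromised: bool   # jail-broken iPhone / rooted Android
    av_current: bool           # anti-virus running and up to date
    cert_valid: bool           # device presents a valid client certificate
    resource_sensitivity: str  # "low", "medium" or "high"

# Constructed policy value; a real deployment would load this from its policy store.
ALLOWED_COUNTRIES = {"US", "CA", "GB"}

def evaluate_access(ctx: AccessContext):
    """Return ('allow' | 'step_up' | 'deny', reasons).

    Hard failures (compromised device, bad certificate, disallowed location)
    deny outright; a missing second factor triggers step-up; high-sensitivity
    resources additionally require a managed device with current anti-virus.
    """
    reasons = []
    if ctx.device_compromised:
        reasons.append("device is jail-broken or rooted")
    if not ctx.cert_valid:
        reasons.append("device certificate missing or invalid")
    if ctx.source_country not in ALLOWED_COUNTRIES:
        reasons.append(f"access from {ctx.source_country} not permitted")
    if ctx.resource_sensitivity == "high":
        if not ctx.device_managed:
            reasons.append("high-sensitivity resource requires a managed device")
        if not ctx.av_current:
            reasons.append("high-sensitivity resource requires current anti-virus")
    if reasons:
        return "deny", reasons
    if not ctx.mfa_verified:
        return "step_up", ["multi-factor authentication required"]
    return "allow", []

# Constructed sample requests: a healthy managed laptop and a rooted phone.
if __name__ == "__main__":
    good = AccessContext("alice", True, "US", True, False, True, True, "high")
    rooted = AccessContext("bob", True, "US", False, True, False, True, "low")
    for ctx in (good, rooted):
        print(ctx.user, evaluate_access(ctx))
```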

Is your IT team still taking an obsolete “castle-and-moat” approach to cybersecurity?

In today’s perimeterless world, where your IT team has to protect not only its local network but also cloud applications and web services, is your obsolete network design putting you at risk? Such networks may be hardened on the outside, but they’re squishy on the inside. And without microsegmentation, again, you run the risk of being attacked with your own valid credentials if a hacker uses a successful phishing attack to gain entry to your most valuable crown jewels.

As a board member, ask your IT teams these questions to ascertain how effective your security posture truly is. And if you want to become even more informed about how you can take a Zero Trust approach that gets you up and running faster, more securely, and with a lot less pain, read this eBook. It will explain:

  • Why your IT team’s approach to cybersecurity may not be enough in today’s perimeterless world.
  • The advantages and disadvantages of the three types of Zero Trust approaches in use today.
  • Why an access-focused approach offers the best cost/benefit advantages of the various Zero Trust solutions.