Stout Article
Regulations, Guidelines, and Risks
SECURITIES AND EXCHANGE COMMISSION
NATIONAL ASSOCIATION OF CORPORATE DIRECTORS
RISKS
RISK ASSESSMENT
The FBI reports that some 90% of company security exploits result from employees clicking on an email link or opening a web page with embedded malware.[5] All it takes is one click and a firm's systems can be attacked from the inside.
- Identify what needs to be protected, plausible threats, and known vulnerabilities
- Estimate the business risks if vulnerabilities are exploited (considering probability and potential severity)
- Prioritize these risks and identified protective gaps
- Document and agree to a plan to address these gaps
- Track progress of the plan, with executive and board updates
- Monitor the effectiveness of these protections
- Periodically and regularly repeat the above steps
PENETRATION TESTS
VENDOR REVIEWS
WRITTEN POLICIES
TRAINING PROGRAMS
INCIDENT RESPONSE PLAN
Important Questions and Considerations
BEST PRACTICES VERSUS GOOD ENOUGH
SECURITY TECHNOLOGY SOLUTIONS
FOR BOARDS AND SENIOR EXECUTIVES
CISOS AND VIRTUAL CISOS
- Advising boards and senior executives on their information and cybersecurity responsibilities, presenting security risks and choices in a prioritized business context, and supporting the development, implementation, and monitoring of an enterprise security strategy.
- Mentoring internal security officers, accelerating their professional development, and providing guidance on priorities, projects, and purchases.
- Advising or leading specific projects such as vendor selections, purchase decisions, and reviews of security plans, or prioritizing audit findings and coordinating their remediation (as it is sometimes easier for an outside expert to bridge internal hierarchies).
- While most of the above work can be scheduled in advance, virtual CISOs also can provide emergency support, such as for breach evaluation and recovery efforts. Ideally your organization has a ransomware plan already prepared, but getting external advice in a crisis still helps.
SECURITY PROCEDURES COME FROM THE TOP
Aspire Profile
MAXIMISING SECURITY
ADAPTATION IS THE KEY TO BEING SECURE
GUIDANCE IS ESSENTIAL
vSEC Briefing: Identifying Phishing Emails
September 2023
Hints to Identify Phishing Emails
Is the message one you are expecting to receive?
Does the sender’s email address match the displayed name?
Does the website address match the displayed name?
Reminder: URLs and website addresses anchor to the right, so the real domain is the part just before the first slash, not whatever familiar name appears further left.
Does the email or website address have a minor spelling error?
It is cheap to register a website or email domain, and to pick a name highly similar to a real site or company name. Some people won’t notice if the sender email is @chasse.com rather than @chase.com, or .biz instead of .com. Get in the habit of checking those details. Rather than use a provided link, open a new browser and access a site directly or via a Google search.
If you are curious, you can check information about a domain address at ICANN, the internet organization. As one hint of trouble, was the domain name created recently?
As a protective measure, many companies register domains similar to their own to prevent hackers or competitors from buying and misusing them; e.g., www.amazone.com was registered by Amazon. Consider registering domains similar to your business so others can't.
Is the content style reasonable from the sender?
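The domain hints above (a name one letter off such as chasse.com, a swapped suffix such as .biz, addresses that anchor to the right, and a display name that does not match the sender address) can be turned into a small checker. This is an added example and not part of the vSEC briefing; the trusted-domain list, the confusable-character map, the sample messages and the edit-distance threshold of one are constructed assumptions for illustration, and the two-label rule for the registered domain deliberately ignores suffixes like .co.uk.

```python
"""Added example (not from the vSEC briefing): apply the phishing hints to a
message's From header and its links.  Trusted domains, sample messages and
the edit-distance threshold are constructed assumptions."""
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

# Constructed: domains this (hypothetical) organisation treats as genuine.
TRUSTED_DOMAINS = {"chase.com", "amazon.com", "example.org"}

# Constructed: characters commonly swapped into look-alike names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, inlined to keep the example dependency-free."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(link: str) -> str:
    """Hostname of a link, lowercased, with any user@ prefix and port removed."""
    parsed = urlparse(link if "://" in link else "http://" + link)
    return (parsed.hostname or "").lower()


def registered_domain(host: str) -> str:
    """Addresses anchor to the right: keep only the last two labels.
    (Assumption: no public-suffix handling, so .co.uk style names are out of scope.)"""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is trusted
    itself or not close to anything trusted."""
    if domain in TRUSTED_DOMAINS:
        return None
    normalised = domain.translate(CONFUSABLES).replace("rn", "m")
    mine = normalised.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        # Compare the second-level label: chasse vs chase, and chase.biz vs chase.com.
        theirs = trusted.split(".")[0]
        if mine == theirs or levenshtein(mine, theirs) <= 1:
            return trusted
    return None


def check_message(from_header: str, links: List[str]) -> List[str]:
    """Run the hints over one message and return human-readable findings."""
    findings = []
    display, addr = parseaddr(from_header)
    sender_domain = registered_domain(addr.rsplit("@", 1)[-1].lower())

    # Hint: does the sender's address match the displayed name?
    brand_in_name = next(
        (t for t in TRUSTED_DOMAINS if t.split(".")[0] in display.lower()), None
    )
    if brand_in_name and sender_domain != brand_in_name:
        findings.append(f"display name claims {brand_in_name} but address is @{sender_domain}")

    # Hint: minor spelling error or swapped suffix in the sender domain?
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain} resembles {imitated}")

    # Hint: does each link's real (right-anchored) domain look genuine?
    for link in links:
        dom = registered_domain(host_of(link))
        imitated = lookalike_of(dom)
        if imitated:
            findings.append(f"link domain {dom} resembles {imitated}")
    return findings


if __name__ == "__main__":
    # Constructed sample messages, one suspicious and one genuine.
    for hdr, urls in [
        ("Chase Alerts <alerts@chasse.com>", ["http://chasse.com/login"]),
        ("Chase <no-reply@chase.com>", ["https://www.chase.com/"]),
    ]:
        print(hdr, "->", check_message(hdr, urls) or "no findings")
```

Each finding is only a hint, as the briefing says: a new or look-alike domain is a reason to open the site directly or phone the sender rather than proof of fraud, and a clean result does not make a message safe.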
Is the request usual and reasonable from the sender?
As noted, fraud requests often create a sense of urgency ('for a big client', 'before I leave on vacation', 'pay immediately or else…'). Unexpected requests should be considered suspicious, especially if unusual from that sender. Would the CEO usually ask you for a rush wire transfer or to buy gift cards? Double-check with the sender: call or text for confirmation. (Hitting Reply on a compromised or fake email just lets the hacker tell you 'Yes, my request is legit'.)
Always be cautious if asked for your social security number, Venmo or other financial information, even, or especially, if they want to send you money. The hook is 'you won $$', the follow-up asks for your SSN or payment details, then comes a demand to pre-pay or re-pay money. Got ya.