Sunday, February 13, 2022

How To Address The Log4j To Your Board Of Directors: 4 Point Guide

 


So far this year, the Cybersecurity front seems to be, about the same as it was last year.  Of course anything can happen right now, given that a Russian attack on Ukraine seems to be more or less imminent. 

Because of this, our own Federal Government has been putting out news alerts about a huge escalation in the number of Cyberattacks that could potentially originate from that area.  Fingers crossed, that nothing happens. 

Trying not to get political here, but what the world needs right now is peace, given what the Omicron variant has done so far to the world. But last month, lots of attention and news headlines were spent on another major hack, which probably had ramifications far worse than that of the Solar Winds attack.  What is this hack you may be asking?

Well, it is the Log4j.  Now, I don’t know all of the details about this one, and I know it sounds bad on my part, but truthfully, I have not really kept up to speed with what has been happening on this front. 

Essentially, Log4j is a log recording tool which can be used by both network administrators and end users alike.  Here is a good, technical definition of it:

“Log4j records events – errors and routine system operations – and communicates diagnostic messages about them to system administrators and users. It’s open-source software provided by the Apache Software Foundation.”

(SOURCE:  https://theconversation.com/what-is-log4j-a-cybersecurity-expert-explains-the-latest-internet-vulnerability-how-bad-it-is-and-whats-at-stake-173896)

It consists of an Open-Source platform, and while the intent of this is provide a tool to keep track of suspicious behavior, its very nature allows it to be quite easily used in a malicious way by the Cyberattacker. 

Because of this, there are many open backdoors in which the Cyberattacker can penetrate through, and from there, deploy their malicious payloads in a simultaneous fashion like how the Solar Winds hack occurred.

I will write another blog in the future that will cover more about the technical nature of this hack, but the main purpose of tis one today is the lack of communication that took place in Corporate America when it came to notifying all of the impacted stakeholders. 

This is especially true for the Board of Directors of any company.

Many of these people that occupy this high perch still have no idea of just how truly devastating a Cyberattack can be.  In fact, according to a recent survey from Gartner, 88% of all businesses in Corporate America still view Cybersecurity just as a business risk. 

They still do not take the holistic approach that it is also a technological risk, which can have dire consequences for the entire company they are in charge of leading.

More information about this study can be found on the link below:

https://www.gartner.com/en/newsroom/press-releases/2021-11-18-gartner-survey-finds-88-percent-of-boards-of-directors-view-cybersecurity-as-a-business-risk?_sp=08da4deb-e68b-4d57-b132-36a807ba4534.1644774530609

In fact, the Log4j hack had such a far-reaching impact that even the Cybersecurity and Infrastructure Security Agency (also known as “CISA”) had issued various bulletins on how to mitigate the risk and damage that it posed. 

Heck, even the FTC also just recently announced that it would take legal action against those companies that did nothing to further protect the PII datasets of employees and customers that could have been impacted by it. 

These messages were also targeted to the Board of Directors in Corporate America, by pointing out directly that they could even be criminally negligent if they don’t further steps to be more proactive about Cybersecurity.

But unfortunately, explaining all of this to a Board of Directors falls squarely on the shoulders of the CISO.  And if they cannot do this in a succinct way, then of course their jobs are in limbo.  So what can a CISO so to talk about the damage potential a hack like Log4j can have on their company?

Here are some tips:

1)     Explain the entire picture:

In order for your Board of Directors to get the complete of what is going on, you have to explain this to them in terms that they can understand.  For example, mention all of the big-name IT vendors that have also been hit by this:  Amazon Web Services, Oracle, Cisco, IBM, Fortinet, VMware, Microsoft, etc.  Hammer down the point here that even despite the fact that these companies had probably some of the best lines of defenses possible, they too became victims.  The idea here is to point out that anybody can be a victim, even your own company.  So what is the point of waiting until you are impacted to be proactive?  Enunciate the importance of doing this now.

2)     Break things down into dollars and cents:

Unfortunately the boards in Corporate America only understand one thing: The bottom line.  So in this regard, perhaps, you the CISO, should work closely with the financial analysts in your company to actually break down the dollar and cent cost of an impacted company (assuming that you can get those numbers from somewhere), and from there, extrapolate those findings as to what the potential financial loss could be to your company.  This should get some ears perked up.

3)     Illustrate the picture of who all will be impacted:

In a large-scale attack such as this one, it is not just you, your employees and customers that are impacted.  Keep in mind also your external third parties, such as suppliers, will also be bear the brunt of the damage as well, because they are making use of the PII datasets that you have provided them.  Also tell your board that if they are impacted, they will not be held legally responsible, rather, it is your company that will be.  Explain what this will mean in terms of brand loss and reputational damage.

4)     The need for manpower:

Just about every IT Security team imaginable is stretched well beyond their breaking points.  There is simply not enough people around to help detect and thwart off the looming threat variants that are out there.  Explain to your board you need more people, and that you desperately need the funding to do that.  Tell them that you do not have get direct hires (which of course will bring more cost to the company), even hiring contractors will work just as well to (of course, after they have properly vetted).  Heck, even tell them you can hire college graduates with not much experience.  This will also help solve the problem of the huge employment gap that the Cyber industry is faced with today.

My Thoughts On This:

In the end, in a large business setting, everything comes from the top, and that is how all employees all the way down to your overnight cleaning will act.  Don’t blame the CISO for anything and everything.  In the end, the buck stops with the Board of Directors, and the people who occupy these seats need to act as such. 

The time for these people who think that they have God like powers has to stop here and now. 

In the end, your Board of Directors are normal human beings, just like you and me. They have no special or magical powers, maybe except for the ego trip they get by being at the top.  But this all has to be put aside, and your Board of Directors must understand that they have a huge stake in the Cybersecurity of your company as well.

Once all of the ego checks have been put into place and the finger pointing as has stopped, only then can Corporate America be truly on the road path to instilling a proactive mindset which will transcend down all the way to the employees.

No comments:

Post a Comment

Why Students From K-12 Are So Vulnerable In Becoming A Cyber Victim

  Whenever we hear about a Cyberattack or a security breach, we often think that the entity involved is a Fortune 500 company, or even a hea...