In a joint NYSE Governance Services and Veracode survey of nearly 200 directors of public companies across a variety...
of industries, 81% of respondents said cybersecurity is discussed at most or all boardroom meetings.
Yet 18% admitted it is only a hot topic because of recent internal, industry or high-profile incidents. Nor does boardroom discussion lead to readiness: 66% of those polled said they are not fully confident their company is safe against a cyberattack.
Additionally, board members ranked cybersecurity as the second to last concern when developing new products -- behind revenue potential, competitive differentiation and development costs.
"This reflects a common reluctance to add more security (such as requiring stronger passwords or two-factor authentication) because of the perceived inconvenience on the part of customers and partners," the report reads.
However, it doesn't mean security teams should give up the cybersecurity threat fight.
"CISOs should leverage the momentum created by the board's increased focus on cybersecurity to build consensus and support around what it takes to reduce risk for the business, across people, process and technology," said Chris Wysopal, Veracode cofounder and CISO. "There will be bumps in the road for everyone involved, especially now that the board is becoming an active participant in what was once a deeply technical domain. This requires CISOs to expand their skillset and get comfortable describing cyber risk relative to other business priorities and board-level concerns."
The report also offers pointers to help CISOs become more effective boardroom leaders, listing the top qualities of a good CISO as technical skills and experience.
The report reads, "CISOs need to combine their strong technical skills with solid business and communication skills in order to convey security information to the board in terms directors will understand."
In other news
- Ponemon Institute LLC released its annual "Cost of Data Breach Study Global Analysis" Wednesday. The report, which surveyed 350 companies across 11 countries, found the average total cost of a data breach is up to $3.79 million, a 23% increase over 2013. The cost per lost or stolen record containing confidential information increased 6% from $145 in 2014 to $154 this year. The healthcare industry had the highest cost at $363 per record; retailers' costs jumped from $105 in 2014 per record to $165 in 2015. "Based on our field research, we identified three major reasons why the cost keeps climbing," said Institute Chair Dr. Larry Ponemon. "First, cyberattacks are increasing both in frequency and the cost it requires to resolve these security incidents. Second, the financial consequences of losing customers in the aftermath of a breach are having a greater impact on the cost. Third, more companies are incurring higher costs in their forensic and investigative activities, assessments and crisis team management."
- On Wednesday, researchers from SEARCH-LAB the results of an independent security assessment which found a total of 53 unique vulnerabilities in the latest version of D-Link firmware, dated July 30, 2015. If exploited, hackers could potentially control victim devices. The assessment, which analyzed four D-Link routers, found CVE-2014-7858, CVE-2014-7859 and CVE-2014-7860, a login bypass vulnerability, buffer overflow flaw, and unauthenticated photo publish issue, respectively, affect D-Link routers DNS-320A, DNS-320L, DNS-327L and DNR-326. Other devices that may be affected include DNS-320B, DNS-345, DNS-325 and DNS-322L. Some or most vulnerabilities were fixed in DNS-320L 1.04.B12 and DNS-327L 1.03.B04, as well as DNR-326 2.10.B03 and DNR-322L 2.10.B03. Two other authentication bypass vulnerabilities (CVE-2014-7857) were disclosed by researchers to D-Link, but have not yet been fixed; details on this flaw will be published after June 22, 2015. SEARCH-LAB researchers suggest beyond installing patches that users don't expose the Web interface of DNS and DNR devices to the Internet and disabling the UPnP feature.
- Researchers from FireEye Inc. are warning about a new point-of-sale (POS) malware that leverages a social engineering scam involving a résumé attachment. The malware, dubbed NitlovePOS by FireEye researchers Nart Villeneuve and Daniel Regalado, can "capture and exfiltrate track one and track two payment card data by scanning the running processes of a compromised machine. It then sends this data to a webserver using SSL." Track one data includes the cardholder name and account number while track two data includes the cardholder's encrypted PIN, account details, etc. Spam messages from spoofed Yahoo accounts bearing the subject lines "Any openings?", "Job details" and the like have a résumé attached that is infected with a malicious macro. If enabled, the macro downloads and executes; the NitlovePOS will decode itself and search for payment card data. If unsuccessful, it will sleep for five minutes before resuming its search. According to researchers, the spam campaign started May 20.
- New research from Distil Networks Inc. marked 2015 as the first year mobile bots moved out of the "emerging threat" category, as well as the first time a mobile carrier appeared on the list of top 20 ISPs serving bad bot traffic. Researchers found 22.78% of all 2014 traffic was from bad bots, while 36.32% was good bots. The number of bad bots decreased from 24.22% in 2013, with good bot traffic increasing from 20.98% last year. However, bad bots are responsible for 8% of mobile Web traffic. The report covered 23 billion bad bot threats in 2014 from a dataset residing in Distil's Hadoop Cluster, including data from hundreds of customers as well as Distil's global network of 17 data centers. Distil Networks CEO and Cofounder Rami Essaid said, "For the first time in history, mobile bad bot traffic makes up a significant portion of overall bad bot traffic, having increased tenfold over the past year. Right now mobile bots make up less than 10 percent of the total bots, creating a greenfield of opportunity for the bad bot landscape to more than double very quickly." The report also found each of the top 21 global wireless providers serve bad bot traffic, with T-Mobile USA entering the list of top 20 ISPs serving bad bot traffic.
Gain further insight into convincing boardroom members of the cybersecurity threat