What's the best way to communicate about advanced persistent threats?

Advanced persistent threats are a constant risk for enterprises, so the board needs to know about them. Expert Mike O. Villegas discusses how to effectively communicate about APTs.

Fear, uncertainty and doubt seem to be crude methods of communication when there are risks to an enterprise. With a growing trend of advanced persistent threats, I want to make sure I'm communicating with the board in the most effective way, instead of relying on FUD. What's the best way to communicate with the board specifically about advanced persistent threats? Or should I just stick to the basics and avoid going too deep into specifics about advanced persistent threats?

Board members are extremely smart individuals. One does not get to that level by chance. That said, the board's primary objective is to maximize shareholder wealth. That is why they rely on subject matter experts. Some may be members of the board, but most are company employees who provide the board with the necessary information to make informed decisions.

An advanced persistent threat (APT) is an attack in which an unauthorized party gains entry into an IT environment and remains there undetected for an extended period of time. Its mission is usually to exfiltrate data rather than to disrupt the network or the organization, which is why it is designed to stay quiet. To maintain access without discovery, the intruder must continuously rewrite code and employ sophisticated evasion techniques. Intruders typically gain their initial foothold through spear-phishing emails: an unsuspecting employee is asked to log in to a bogus page that captures the employee's username and password, or is prompted to click on a link that downloads spyware or other malicious programming.

With a growing trend of advanced persistent threats, the most effective way to communicate with the board is to deliver the message in terms they understand. FUD is a good attention-getter, but its effect is short-lived. It is not enough to share the risks of advanced persistent threats. Board members want to hear that the enterprise will not be the next casualty and that, if it is unfortunate enough to experience a breach due to an APT, the enterprise is in a position to minimize the exposure and can readily bounce back to business as usual.

Security experts say any effective approach to defending against advanced persistent threats must include defense in depth, a detection capability, an APT incident response plan that has been fully vetted and tested, a recovery plan and security-awareness training. Share this approach with the board. Put it in simple terms and make sure they understand it. Map the approach to a security framework and use graphical icons to portray the information security posture of the enterprise. Do not overwhelm them with technical minutiae; that will only cloud the message and marginalize its importance. Be ready, however, to answer any question that might arise.

Remember, they hired you as an expert in your field, and they expect to be able to rely on your expert advice. Be confident, resolute and informed, and carry yourself with aplomb. Share how advanced persistent threats have affected other businesses in your industry, how others have deployed protection and detection measures, and how your enterprise compares with those that have dealt with APTs successfully. Share your plan for dealing with advanced persistent threats, and at subsequent board meetings, demonstrate its progress. Whatever you do, do not leave the impression that the enterprise will never be hit with an APT breach. Instead, assure them that even if a breach does occur, the damage will be minimal and recovery will be swift.



This was last published in July 2016