Cybersecurity and Decision Makers

Cyber security is a key issue affecting the confidence of Internet users and the sustainability of businesses. It is also a national issue with regards to economic development and resilience. As a concern, cyber risks are not only in the hands of IT security managers, but of everyone, and non-executive directors and managing directors may be held to account in relation to shareholders, customers, suppliers, employees, banks and public authorities. The implementation of a cybersecurity system, including processes, devices and training, is essential to protect a company against theft of strategic and personal data, sabotage and fraud. Cybersecurity and Decision Makers presents a comprehensive overview of cybercrime and best practice to confidently adapt to the digital world; covering areas such as risk mapping, compliance with the General Data Protection Regulation, cyber culture, ethics and crisis management. It is intended for anyone concerned about the protection of their data, as well as decision makers in any organization. Marie de Freminville is a non-executive director and founding partner of Starboard Advisory. She is also a member of the IFA (French Institute of non-executive Directors), HEC Governance and Swiss Association of Women Directors. In addition, de Freminville is an expert in governance, financial performance, risk mapping and data protection.

Foreword xi

Preface xiii

Introduction xvii

CHAPTER 1. AN INCREASINGLY VULNERABLE WORLD 1

1.1. The context 1

1.1.1. Technological disruptions and globalization 1

1.1.2. Data at the heart of industrial productivity 3

1.1.3. Cyberspace, an area without boundaries 3

1.1.4. IT resources 4

1.2. Cybercrime 4

1.2.1. The concept of cybercrime 4

1.2.2. Five types of threats 6

1.2.3. Five types of attackers 9

1.3. The cybersecurity market 15

1.3.1. The size of the market and its evolution 15

1.3.2. The market by sector of activity 15

1.3.3. Types of purchases and investments 16

1.3.4. Geographical distribution 17

1.4. Cyber incidents 17

1.4.1. The facts 17

1.4.2. Testimonials versus silence 24

1.4.3. Trends 25

1.4.4. Examples 27

1.5. Examples of particularly exposed sectors of activity 30

1.5.1. Cinema 30

1.5.2. Banks 31

1.5.3. Health 34

1.5.4. Tourism and business hotels 35

1.5.5. Critical national infrastructure 36

1.6. Responsibilities of officers and directors 37

CHAPTER 2. CORPORATE GOVERNANCE AND DIGITAL RESPONSIBILITY 39

2.1. Corporate governance and stakeholders 39

2.2. The shareholders 40

2.2.1. Valuation of the company 41

2.2.2. Cyber rating agencies 42

2.2.3. Insider trading 43

2.2.4. Activist shareholders 44

2.2.5. The stock exchange authorities 45

2.2.6. The annual report 45

2.3. The board of directors47

2.3.1. The facts 47

2.3.2. The four missions of the board of directors. 47

2.3.3. Civil and criminal liability 49

2.3.4. The board of directors and cybersecurity 50

2.3.5. The board of directors and data protection 53

2.3.6. The statutory auditors 54

2.3.7. The numerical responsibility of the board of directors 55

2.4. Customers and suppliers 56

2.5. Operational management 58

2.5.1. The impacts of digital transformation 58

2.5.2. The digital strategy 59

2.5.3. The consequences of poor digital performance 62

2.5.4. Cybersecurity 63

2.5.5. Merger and acquisition transactions 65

2.5.6. Governance and data protection, cybersecurity 66

CHAPTER 3. RISK MAPPING 69

3.1. Cyber-risks 69

3.2. The context 71

3.3. Vulnerabilities 72

3.3.1. Fraud against the president 73

3.3.2. Supplier fraud 73

3.3.3. Other economic impacts 74

3.4. Legal risks 76

3.4.1. Class actions 76

3.4.2. Sanctions by the CNIL and the ICO 77

3.5. The objectives of risk mapping 78

3.6. The different methods of risk analysis 79

3.7. Risk assessment (identify) 81

3.7.1. The main actors 81

3.7.2. The steps 82

3.8. Protecting 83

3.9. Detecting 83

3.10. Reacting 84

3.11. Restoring 85

3.12. Decentralized mapping 85

3.12.1. The internal threat 85

3.12.2. Industrial risks 87

3.12.3. Suppliers, subcontractors and service providers 88

3.12.4. Connected objects 89

3.13. Insurance 94

3.14. Non-compliance risks and ethics 96

CHAPTER 4. REGULATIONS 99

4.1. The context 99

4.1.1. Complaints filed with the CNIL 100

4.1.2. Vectaury 101

4.1.3. Optical Center 102

4.1.4. Dailymotion 103

4.2. The different international regulations (data protection) 103

4.2.1. The United States 104

4.2.2. China 104

4.2.3. Asia 105

4.2.4. Europe 105

4.3. Cybersecurity regulations, the NIS Directive 105

4.4. Sectoral regulations 106

4.4.1. The banking industry 106

4.4.2. Health 108

4.5. The General Data Protection Regulation (GDPR) 109

4.5.1. The foundations 110

4.5.2. Definition of personal data 110

4.5.3. The so-called “sensitive” data 111

4.5.4. The principles of the GDPR 112

4.5.5. The five actions to be in compliance with the GDPR 113

4.5.6. The processing register 113

4.5.7. The five actions to be carried out 113

4.5.8. Cookies 116

4.6. Consequences for the company and the board of directors 117

CHAPTER 5. BEST PRACTICES OF THE BOARD OF DIRECTORS 119

5.1. Digital skills 120

5.2. Situational awareness 121

5.2.1. The main issues 121

5.2.2. Insurance 125

5.3. Internal governance 126

5.3.1. The CISO 126

5.3.2. The CISO and the company 127

5.3.3. Clarifying responsibilities 131

5.3.4. Streamlining the supplier portfolio 133

5.3.5. Security policies and procedures 134

5.3.6. The human being 137

5.4. Data protection 138

5.4.1. Emails 139

5.4.2. The tools 141

5.4.3. Double authentication: better, but not 100% reliable 142

5.5. Choosing your service providers 142

5.6. The budget 143

5.7. Cyberculture 144

5.8. The dashboard for officers and directors 145

CHAPTER 6. RESILIENCE AND CRISIS MANAGEMENT 147

6.1. How to ensure resilience? 147

6.2. Definition of a CERT 149

6.3. Definition of a SOC 149

6.4. The role of ENISA 150

6.5. The business continuity plan 150

6.6. Crisis management 151

6.6.1. The preparation 151

6.6.2. Exiting the state of sideration 152

6.6.3. Ensuring business continuity 153

6.6.4. Story of the TV5 Monde attack 154

6.6.5. Management of the first few hours 159

6.7. Crisis simulation 163

Conclusion. The Digital Committee 165

APPENDICES 167

Appendix 1. Cybersecurity Dashboard 169

Appendix 2. Ensuring Cybersecurity in Practice and on a Daily Basis 173

Appendix 3. Tools to Identify, Protect, Detect, Train, React and Restore 175

Glossary 179

References 183

Index 187