In fact, I talked to a few of the top Board Communication Portals in the market today to ask them a few questions about their security. The answers were frightening to say the least. None of them could provide a good answer to more than two of the ten questions I asked.
One leading company provided two alarming examples:
1) My question: Do you log when an admin account gets created, and do you alert on it?
Their answer: We do not have an active directory system, we just have five Admin accounts created on each workstation and server.
My thoughts: They have no Active Directory--nor any Identity and Access Management system whatsoever!
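As an added example (not from the article or from any vendor it describes), here is the kind of rule a SIEM would run to answer that first question: it scans constructed Windows Security log lines for a local account being created (event 4720) and then added to the Administrators group (event 4732) and raises an alert, including for an existing account that is promoted without a preceding 4720. The key=value log format, host names and account names are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample Windows Security events in a simplified key=value form
# (assumption: a real collector delivers the same fields in more detail).
# 4720 = user account created, 4732 = member added to a local security group.
SAMPLE_LOG = """\
2024-01-10T09:12:01Z host=WS-17 event=4720 subject=jsmith target=svc_backup
2024-01-10T09:12:05Z host=WS-17 event=4732 subject=jsmith member=svc_backup group=Administrators
2024-01-10T10:02:44Z host=SRV-02 event=4720 subject=admin target=helpdesk
2024-01-10T10:03:10Z host=SRV-02 event=4732 subject=admin member=helpdesk group=Users
2024-01-10T11:15:00Z host=SRV-02 event=4732 subject=admin member=contractor group=Administrators
"""
FIELD_RE = re.compile(r"(\w+)=(\S+)")

@dataclass
class Alert:
    host: str
    account: str
    created_by: str   # subject of the 4720, or a note if no 4720 was seen
    elevated_at: str  # timestamp of the 4732 that made the account an admin

def parse_line(line):
    """Split one line into (timestamp, {key: value}); None for malformed lines."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    return parts[0], dict(FIELD_RE.findall(parts[1]))

def detect_admin_creation(log_text, admin_group="Administrators"):
    """Remember each 4720 per (host, account); alert when any account is later
    added to the local admin group on that host, created or pre-existing."""
    created = {}   # (host, account) -> subject that created the account
    alerts = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, f = parsed
        if f.get("event") == "4720" and "target" in f:
            created[(f.get("host"), f["target"])] = f.get("subject", "?")
        elif f.get("event") == "4732" and f.get("group") == admin_group and "member" in f:
            key = (f.get("host"), f["member"])
            # an existing account promoted to admin deserves an alert as well
            creator = created.get(key, "unknown (no 4720 seen)")
            alerts.append(Alert(f.get("host", "?"), f["member"], creator, ts))
    return alerts
```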
2) My question: The most common way a bad guy is going to try and break into your network and get their hands on your customers' information would be leveraging advanced malware. Walk me through how you protect against this threat model.
Their answer: We have never had a malware problem to date, and we use a top anti-virus/endpoint security product to stop malware.
My thoughts: Anyone who knows anything about malware knows that everyone has, or has had, a malware problem at some point. If you think you have never had one, it means you lack effective malware detection technology. Second, AV alone is insufficient protection against malware; in fact, Websense Labs finds 640 to 1,000 new malware samples per day that AV doesn't stop.
10 Questions for BCS Providers
Here are 10 questions to ask BCS providers to ensure that they are taking the proper steps to keep you safe. Speak to their IT security contact directly--don't waste time with the sales staff. If you are the CSO of a public company, ask your legal and investor relations team what BCS platform they are using, why they chose that one, and ask for a meeting to assess the risk.
1) Do you have a SIEM and logging system in place? (You need to understand how they are keeping an eye on your data.)
2) Do you have a managed security system in place 24/7? (Again, this goes to the vigilance of their team.)
3) What sort of intelligence do you have that correlates actions beyond a firewall and AV? (It's commonly accepted that these are insufficient protections for material of this type. What more do they have?)
4) What sort of web security do you have in place internally? (The web is the most common vector for malware. You need to know how they are protecting their computers and servers from malware infection.)
5) What about externally facing web--what have you done to secure the application or harden the interface? Do you have regular application penetration tests to assess the real-world security of your internet-facing applications? Can I see the report?