Are you an executive or senior manager in your organization? If so, you bear many responsibilities, not the least of which is your obligation to ensure that your company is in compliance with the regulations governing the protection of health and financial information and your duty to protect the company’s assets. How you manage that responsibility – by delegating to others or being actively involved in the approach to cybersecurity – may impact your organization’s long-term health, financial stability or cyber maturity.
Here are five reasons why you and every member of your C-suite and board of directors should pay attention to cybersecurity.
- Cybersecurity is a top regulator priority: Regulators are increasingly testing and assessing organizations’ implementation of security procedures. Companies that handle health, payment and financial information, for example, have an imperative to demonstrate that they meet HIPAA, PCI-DSS and GLBA requirements. Executives should closely review how their organizations manage private data and whether they pass compliance.
- Execs are on the cyber threat front line: Two of the most rapidly growing cyber threats are ransomware and business email compromise (BEC). C-level executives and other company leaders are being targeted with ransomware 25 percent of the time because of the potential for higher ransom payments, according to an Osterman Research, Inc., survey. In a BEC attack, fraudulent requests disguised to be from a CEO or chief financial officer are sent to financial and administrative executives ordering the transfer of funds. The Federal Bureau of Investigation (FBI) reports that billions of dollars were lost in 2015 and 2016 through these attacks.
- Execs recognize threat but don’t get involved: Executive surveys continue to show a disconnect between the recognition of cyber threats and the way in which they are addressed. A KPMG/BT survey of Fortune 500 CISO/CIOs and IT executives showed only 22 percent of companies have comprehensive plans in place to deal with major cybersecurity incidents, though 95 percent have been the victims of digital attacks. The 2016 IBM C-Suite Survey of executives noted that key C-level executives feel “the least engaged in cybersecurity threat management activities” despite being “stewards of data most coveted by cybercriminals.”
- Supply chain risks require attention and collaboration: Businesses, especially small ones, depend on third-party vendors. Disengagement by key stakeholders creates scenarios that can contribute to successful attacks or breaches. For example, a department that unilaterally signs a service level agreement with a vendor without input from the IT and legal teams may be oblivious to the vulnerabilities created by that third-party relationship.
- Enterprise risk equals dollars: Corporate executives from each department must be aware of the numerous ways in which breach bills add up, including forensic investigation, remediation, notification to customers, credit monitoring, regulatory fines, business interruption and loss and even legal action. Management should also consider the role of risk mitigation through cyber insurance, paying close attention to limits and exclusions.
The reasons for executive-level buy-in to create a culture of cybersecurity are clear. So how do you begin? Here are seven ways to get started:
- Lead from the top by creating governance processes: Cybersecurity is a shared responsibility. Each person in an organization should understand this and be accountable. It starts with ensuring processes are in place to govern core security-related activities – from vendor access management to firewall configuration to remote wipe procedures within an enterprise BYOD deployment.
- Conduct security awareness training: Risk managers and other enterprise security leaders understand the adage of being only as strong as the weakest link. As phishing and ransomware attacks grow in prevalence, being able to recognize threats and prevent accidental clicks becomes crucial. Employees must be trained to adopt a sense of skepticism that aims to defeat the increasingly clever ways in which adversaries use social engineering to trick them. Some solutions might include simulated phishing attacks and training on social engineering techniques.
- Recognize the role of insider threat: While cybersecurity solutions tend to focus on computing (a problem for the computer guys), insider threat is a human vector. People tend to over-emphasize and prepare for the spectacular attack. However, it’s more likely someone will leak details of a planned merger than carry out a “sophisticated cyber attack.” Enable and empower your HR department to not only detect but also mitigate employee issues, which lowers the risk of both inadvertent and malicious insider threat.
- Don’t overlook the obvious – basic cyber hygiene: Surprisingly, many enterprises fail to implement even the most basic security protocols, including strong password policies, the use of strong authentication and setting up a virtual private network (VPN) so that mobile employees can connect securely to access files, applications, printers and other resources without compromising security.
- Establish a proactive cybersecurity strategy: A proactive cross-departmental strategy can begin with an information security working group or committee that includes representatives from HR, finance, legal, marketing and IT. Discuss the categorization of data and intellectual assets and identification of the most serious threats to data by understanding existing vulnerabilities.
- Plan for the worst: A proactive approach to cybersecurity recognizes the evolving nature of threats and, as such, plans for the possibility of a breach. Having business continuity and crisis management plans that are discussed and periodically tested gives organizations a clear set of steps to follow, and should help minimize reputation damage and promote continued confidence among stakeholders.
  - A business continuity plan documents the fundamental capabilities needed to preserve access to critical business information and assets. An organization must categorize its information and systems based on their criticality to operations, determine appropriate risk tolerance levels for these assets and then develop processes to be executed during a breach.
  - A crisis management plan defines what constitutes a cyber crisis, identifies a crisis management team and leader (including the C-suite and general counsel), develops internal and external crisis messaging and spokespeople and outlines steps for containment, remediation and lessons learned.
- Create a cyber toolkit with free resources: There are numerous resources available to large and small business leaders interested in raising awareness of cybersecurity and privacy responsibilities. In addition to the information on StaySafeOnline.org, the FBI and the U.S. Department of Homeland Security (DHS) have robust threat intelligence sharing and public/private sector outreach programs covering critical infrastructure, white-collar crime, economic espionage, terrorism and more. Depending on your specific industry, there are also numerous member-driven information sharing and analysis centers (ISACs), which collect, analyze and share threat information. Join one to maintain sector-specific situational awareness.
The C-suite has a responsibility to foster cybersecurity at every level of an organization and support it through strategic communications with the workforce and through long-term investments in technology, process and training. Getting ahead of cyber risks will benefit the C-suite and the entire organization.
About the Author
Craig Guiliano is the director of security solutions and threat analytics at cyber risk assessment firm TSC Advantage. He has 15 years of experience in intelligence operations, threat remediation and intellectual asset protection.