Why Cybersecurity Needs To Be High On The CEO’s Priority List
Your company’s greatest risk of cyberattack may lie in an unexpected place — your CEO suite. CEOs that do not place a high priority on understanding cybersecurity and investing in it are putting their businesses at great risk.
CEOs need to adopt an “it starts from the top” approach to cybersecurity. The tone needs to be established by and permeate from the top of the organization about how important cybersecurity is and how to combat cyberattacks.
“Industry leaders … must take the initiative to make life harder for cyber threat actors. They cannot wait for government leadership on policy, strategy or coordination,” noted one recent study.
What Mistakes Do CEOs Make When it Comes to Cybersecurity?
CEOs often take an “it can’t happen to us” approach to cybersecurity. However, such an approach is naive. CEOs too often believe the following:
- They are protected. Senior executives and board members are often prime targets for cybercriminals. Their access to sensitive, proprietary and confidential information makes them attractive to thieves, who will attempt to exploit professional and personal accounts.
- It’s not their job. Digital security does not rest solely with the IT department. As cloud migration, the Internet of Things and data analytics grow in popularity, so too does the distribution of security responsibility. Today, internal IT departments, managed service providers and individuals all share in the responsibility to protect against cyberattacks. However, it still generally begins with the end user.
- Threats are external and intentional. While it’s true that the majority of cyber incidents are the result of an external bad actor’s actions, there are other players. Disgruntled employees often can easily retrieve, steal and sell sensitive information or disrupt systems, especially on their way out the door. Too many attacks are the result of unaware employees who click on a link or attachment in a seemingly innocent email, installing a virus, worm or another form of malware.
- The managed service provider is responsible for security. Cloud solutions, on either public or private clouds, offer advanced, cost-effective and highly secure platforms that protect against the majority of attacks. It’s impractical, especially for small- and medium-sized businesses, to match in-house the resources and time that external managed service providers can offer at scale. As good as those services are, they should complement internal IT security processes, training and awareness, not replace them.
- Cloud email is completely secure. If your email is hosted, stored and accessed via a public cloud, it’s a prime target for hackers. Consider that the 2019 Verizon Data Breach Investigations Report showed that 94 percent of all malware attacks were delivered via email and that 45 percent of the delivery types were a Microsoft Office document. Again, awareness and training are critical.
CEOs need to be cognizant of these inaccuracies and address them throughout the organization.
What Questions Should CEOs Ask?
CEOs need to make sure their organizations have regular and thorough IT security assessments that address key questions about their security protections and procedures, including:
- Are our cybersecurity systems robust? Companies today need an overlapping canvas of cyber protections that includes next-generation firewalls, identity protection, continuous system and network monitoring, anti-malware and anti-virus solutions, and automated patching and updating.
- What are the top risks our company faces? Are spear phishing or DDoS attacks the most likely? Know what other businesses in your industry and of your size are facing and what protections they are using.
- Are employees adequately trained? Your business needs a regular plan for training new and all employees about the importance of cybersecurity. Employees should be keenly aware of the threats, how to detect them and how to notify officials if they suspect something is amiss.
- Are mobile and desktop devices secure? Be sure that there are adequate password management and encryption tools in place to keep employees’ tools secured. Multi-factor authentication, frequent password reset policies and password complexity are important considerations.
- What are our compliance obligations? Your business may be subject to various federal, state, local, international or industrial regulatory mandates or standards. Often, security is a large component of those requirements. Working with your managed IT service provider and internal staff can ensure the processes are in place for automated tracking, recording and reporting on required compliance elements.
- Do we have the right protections in place to identify and prevent new threats from affecting our workplace?
- What percentage of our budget is spent on cybersecurity and is it enough?
- Is sensitive data secure and regularly backed up?
What Can CEOs Do Now to Enhance Cybersecurity?
To ensure that your company has the most robust protections available, consider the following:
- Require cybersecurity education and awareness for everyone
- Have an independent cyber risk assessment done, especially if your business is subject to compliance requirements
- Do penetration testing to identify vulnerabilities
- Implement automated software patch management
- Invest in layered security that includes 24/7 monitoring, next-gen firewalls and anti-virus software
- Develop business continuity and disaster recovery plans
- Assess your cyber liability and secure adequate insurance coverage
- Establish metrics regarding your cybersecurity protocols
CEOs need to be aware and proactive to protect themselves, their company and their stakeholders, shareholders, employees and customers from disastrous cyberattacks.
Earl Foote is the CEO of Nexus IT Consultants in Park City, UT. Nexus IT Consultants works exclusively with C-level executives to help build cybersecurity strategies. To learn more about how Nexus IT Consultants helps business executives across the United States, visit their website.