A Guide to Cybersecurity for CEOs (and other business leaders)
In my experience as an IT & cybersecurity professional for over two decades, I have met and done business with hundreds of CEOs from numerous local and international industries, including non-profits, financial services, healthcare, manufacturing and law firms, and have had countless discussions about the importance of cybersecurity. From these conversations, I have noticed three questions CEOs frequently ask. These are:
- What should I/we know about cybersecurity?
- What should I/we do about cybersecurity?
- How do I/we assess the quality of our cybersecurity program?
For CEOs, it is important to set the proper “cybersecurity mindset” at the top of their organisations, and to communicate the importance of information security and how cybersecurity is really everyone’s shared responsibility, especially in today’s digital world. Creating a “culture of cybersecurity” is still one of the best defences against cyber threats. After all (and I’ve expressed this endlessly), an organisation’s people, and not technology, will either be its strongest defence or its most vulnerable link against a cyber-related incident.
It is therefore on every CEO’s shoulders to learn more about cybersecurity to ensure their organisation is properly set up and is actively taking the necessary actions to secure its most valuable information assets. This does not mean that every CEO should take up a cybersecurity course or become a certified professional. It means that CEOs should have an active awareness of, and the conviction to increase their knowledge of, core cybersecurity concepts, and should leverage their own leadership skills to strategically manage risk with a strong understanding of its impact on the business.
Five Basic Things Every CEO should KNOW about Cybersecurity:
- Cyber-attacks and breaches will occur and will negatively impact your business. It’s not a question of if but when. In 2020, 59% of Australian companies had their business interrupted by a data breach. Today, the average cost of a data breach in Australia is $2.13M. (source: IBM Security)
- According to recent industry research, over 60% of all data breaches originate from unauthorized access from one of your current or former employees, or third-party suppliers.
- Compliance with information security or government regulatory standards (e.g. ISO 27001, NIST 800-171, HIPAA, GDPR) is good, but not sufficient to ensure cybersecurity.
- Cyber liability insurance premiums are significantly increasing in cost and often do not cover all of the damages caused by a cyber breach.
- To achieve real information security and data resilience, it is vital to combine managed Monitoring, Detection, and Response services with comprehensive disaster recovery and business continuity plans.
Ten Things Every CEO should DO about Cybersecurity:
- Secure your emails; make sure that robust email spam filters are in place. Email remains the top security vulnerability for all organisations. Last year alone, 96% of social engineering attacks were sent via email. (source: 2020 DBIR, Verizon)
- Invest in continuous, dynamic Security Awareness Training. This ensures everyone in the organization from the top-down receives proper cybersecurity education and awareness training.
- Apply security policies on your network. Examples: Deny or limit USB file storage access, enable enhanced password policies, set user screen timeouts, and limit user access.
- Protect your computer’s data from malware, viruses, & other cyber attacks with advanced endpoint security. Today’s latest technology protects against file-less & script-based threats and can even roll back a ransomware attack.
- Mandate additional layers of information security via encryption, multi-factor authentication, and highly restricted access to your company’s most valuable information assets.
- Keep all software (e.g. Microsoft, Adobe, Java products) updated for better security. Sign up for a “critical update” service via automation to protect your computers from the latest known attacks.
- Check the Dark Web. Knowing in real time which passwords and accounts have been posted on the Dark Web lets you act proactively to prevent a data breach.
- Set up Webgate Security. Because internet security is a race against time, cloud-based security detects web and email threats as they emerge on the internet, and blocks them on your network within seconds – before they reach the user.
- Back up, back up, back up. Back up locally or onsite and to the cloud. Have an offline backup for each month of the year. And test backups as often as possible.
- Ensure your company has well-documented and periodically tested disaster recovery and business continuity plans to quickly recover lost or stolen data to mitigate potential damages of cyber breaches.
Three Strategic Questions a CEO should ASK to begin the Process of Assessing the Quality of Their Cybersecurity Program:
- What is the threat profile of our organization based on our business model and the type of data our organization holds? Does our cybersecurity strategy align with our threat profile?
- What percentage of our IT budget is dedicated to cybersecurity? Does it conform to industry standards? Is it adequate based on our threat profile?
- Is there someone in our organization dedicated full-time to our cybersecurity mission and function, such as a Chief Information Security Officer? Have we passed on that responsibility to third-party professionals?
It is clear to me that a number of CEOs simply do not know enough about cybersecurity and that their Chief Information Officers, Chief Information Security Officers, or IT partners do not always provide them with an accurate portrait of the cyber risks which their organisation faces every day, while other CEOs appear to be suffering from a “knowing” versus “doing” gap. From our years of consulting experience, I understand that many CEOs are well aware of cyber risks, but for one or more reasons, often short-term and financially motivated, they are choosing not to do what needs to be done in order to reduce the probability and/or impact of a cyber breach in their organisations. But in this day and age, when malicious attacks are getting more and more sophisticated, and even small and medium-sized businesses are no longer exempt, the risks are just too high not to take a proactive stance on cybersecurity.
More cybersecurity resources online at xarigroup.com.au