Questions Smart Leaders Ask About Cybersecurity

Questions for Organization Leadership

“Cybersecurity…? My IT guys handle all of that.”

I can't tell you how often I hear that, and it is frequently an indication that the leader making the statement has little to no knowledge about the real state of cybersecurity in their organization. And I guess ignorance is bliss, until it comes crashing down around your shoulders after the breach occurs.

As a management topic, cybersecurity frequently finds its way down a technical rabbit hole and is lumped into IT responsibilities. While it is true that IT tools are brought into play to implement cybersecurity policy, those tools do not constitute policy any more than FinTech IT tools constitute finance or supply chain policies.

If your organization does not have a formal CISO or vCISO in place, executives and the corporate board should be asking these questions of those currently entrusted with cybersecurity:

1. Do we have a formal information security plan? Is it written down?

Any kind of meaningful security effort requires a plan. The plan, after it is all boiled down to its core, is a set of actions that someone will do or will not do. If there is more than one person in an organization, that plan needs to be in writing, or the chances of those someones correctly doing or not doing go down dramatically.

2. What are our most important assets and how are we protecting them?

100% security is simply not possible (if you are told that it is possible, you need to rethink your staffing immediately). Nor are budgets unlimited; spending priorities will lead to potentially difficult decisions. Executive management and the board must make sure the organization’s most important assets are correctly identified and are secured at the highest reasonable level. Is that “most important digital asset” your customer data, the systems and processes that operate your company, or your company’s intellectual property? Asking what is being protected and what needs to be protected is an important first step. If there is no agreement on what to protect, the rest of the cybersecurity strategy is moot.

3. How deep is our defense? What are the layers of protection we have in place?

Effective cybersecurity is done with multiple layers of defense, procedures and policies, and risk management approaches. Leadership and the board should not be the ones deciding specifically what those protections are, but they should make sure that there are indeed multiple layers in place and understand how each layer protects the organization.

4. How do we know if we’ve been breached? How do we detect a breach?

The unfortunate reality in the world today is that for the vast majority of organizations the only way they find out about a breach is one of these three scenarios:

  1. The first person in the office is greeted with a ransom note when they sit down at their workstation.
  2. They get a call from the FBI or CISA that a government sensor or intelligence source has detected that they have been breached.
  3. They get a call from a customer who has found that their data has been published on the dark web.

God help the organizations in scenario 3. There are detection tools out there (typically called EDR or XDR) that can help organizations avoid all three scenarios; when an incident occurs, be the first to know, not the last. The officers and board are ignoring an important part of their fiduciary responsibility (indeed perhaps rising to negligence of due care) if they do not ensure that the organization has both protection and detection capabilities. Do you know what your detection capabilities are?

5. Where is our incident response plan?

When an incident is detected, then what? If there isn’t a plan when the incident occurs, it is too late to start formulating one.

  • Who is responsible for what?
  • If a ransom is sought, what is the policy about paying it?
  • What is our communications plan?
  • Who (if anyone) talks to the authorities?
  • Which ones?
  • Do we have any regulatory reporting requirements?
  • Who talks to customers? Suppliers?
  • How do we recover?

Having an incident response plan is critical to response and eventual recovery. And though von Moltke’s truism that no plan survives first contact with the enemy is still true today, organizations with no plan are unlikely to survive first contact with a breach.

6. Are we training our people to recognize phishing and social engineering?

According to Verizon's 2021 Data Breach Investigations Report, around 25% of all data breaches involve phishing and 85% of data breaches involve a human element. According to the results of Terranova Security’s 2020 Gone Phishing Tournament, almost 20% of all employees are likely to click on phishing email links and, of those, a staggering 67.5% go on to enter their credentials on a phishing website. That means that 13.4% of employees are likely to submit their password on a fraudulent phishing page.

The easiest element to hack in any organization is almost always the people.

7. How are we protecting ourselves and our partners from BEC?

Ransomware and breaches always make the headlines (and TV shows). But according to the FBI, Business Email Compromise (BEC) actually happens far more often and costs far more money than other cyber-related crimes. In 2021, there were over 20,000 BEC complaints filed with the FBI with an adjusted loss of $2.4 billion, putting it at the top of the list.

Deepfake technology will drive that number much higher when an indistinguishable AI version of the CEO can call (or even Zoom) into the organization and direct payments to be made. This is actually already happening.

There are both procedural and technological methods to combat this threat. Is your organization taking steps to resist the BEC plight? If you don't know what BEC is or are not taking steps to defend against it, we should talk.

8. Are we secure from our supply chain partners?

Supply chain cyber attacks have become more and more prevalent of late. The most famous supply chain attack was probably Target stores in 2013. That attack came through a compromised HVAC contractor, but the attack stole financial and credit card information of 40 million customers.

These attacks haven’t stopped; they are just less likely to make the news anymore. Cyber criminals always go for the easiest targets and work up from there. Are you taking measures to evaluate your suppliers and customers? Are there any potential threats from their connections?

9. Is our cybersecurity budget right?

You can’t invest enough to be 100% secure. We all have an organizational budget, and a portion of that budget absolutely needs to be devoted to addressing technical problems and protecting against the vulnerabilities inherent in critical business functions. But how does that budget get set appropriately? By applying principles of risk management: by assessing asset value, vulnerabilities, and likelihood of loss, organizations can make informed decisions about the budget needed to protect those assets.

The bottom line is that cybersecurity is a specific specialty and a management responsibility, not just an IT function. There are some IT professionals who are also very skilled at cybersecurity, but the two should be recognized as different professions. The executive officers and particularly the board of directors are responsible for oversight. Don’t be willfully blind. Ask the right questions. There are cybersecurity professionals in the market today who operate on a fractional or virtual basis and can provide the expertise needed to build a credible defense for your organization when appropriate.
