What is your position on cybersecurity in your business? You’ve invested, so you’re protected, right? Your IT team has you covered. Maybe not.
It is probably fair to say that in 2018, Amazon CEO Jeff Bezos had a larger IT team at his disposal than your business has today. Yet his phone was hacked.
That incident involved some of the richest men in the world, including a king. It also involved international espionage, a connection to one of the largest newspapers in the United States, and a horrible crime against a journalist.
Most cybersecurity incidents, however, happen at a level relevant to small and medium-sized Oregon businesses. According to research by Accenture, 43 percent of cyberattacks target small businesses.
Looking locally, 131 data breaches were reported to the Oregon Attorney General in the first nine months of 2021. That was up 19 percent from the same period the year before, and it only accounts for one very specific category of attack: reported data breaches. There will also be unreported data breaches, as well as other types of cyberattacks, including ransomware attacks. The Attorney General said these other types of attacks have also been reported and that breaches have involved Oregon businesses across all industries.
The Jeff Bezos example shows cybersecurity attacks can happen to anyone, while the stats above show businesses like yours are a target.
It is essential that cybersecurity becomes a top priority in your business. Here is what you need to know as CEO to make that happen.
1. Cybersecurity Is Everyone’s Responsibility
Cybersecurity is not a technology problem, and it’s not a technology risk. It’s a business problem and a business risk. After all, most cybersecurity breaches are the result of actions by employees. Examples include:
- Lapses in concentration, such as clicking on a link in an email without thinking first about the cybersecurity risks involved
- Not understanding the risks of their actions, such as using an unsafe password
- Deliberate actions for personal gain or to harm the company
Because cybersecurity impacts and relies on all users, it should not be the sole responsibility of your IT department. Your technical resources will play a major role in helping to protect your systems and data, and there are technology defenses they can put in place, but every one of those defenses can be undone by the actions of employees.
The only way to look at cybersecurity in this increasingly connected world is to attach responsibility across the entire organization. Everyone has a role to play.
2. You Need to Lead from the Top
As the CEO, you need to lead from the top on cybersecurity issues. The most important aspect of this is to set the tone and outline the high-level expectations. Your aim should be to create a culture where mitigating cybersecurity threats is second nature.
You need to lead by example, too. For example, when was the last time you changed your password? Is the password you are using for critical systems in your business—including your email—a random collection of letters, numbers, phrases, and symbols? Do you use two-factor authentication? These are fundamental and absolutely critical cybersecurity mitigation measures that should be applied across your organization, from your office down.
Some steps you can take include:
- Accept that the question is not if your company will suffer a cyberattack, but when.
- Give cybersecurity board-level priority so it becomes a core part of your business strategy.
- Make sure you personally complete your company’s cybersecurity training, and make sure all your executives complete this training, too.
- If cybersecurity training in your organization is insufficient, invest in it.
- Assess your technical resources to see where there are deficiencies in cybersecurity that could be enhanced through recruitment or hiring an MSP.
- Ask tough questions of the technical resources on your team, particularly in relation to policies and procedures, and be prepared to invest, if necessary.
Finally, never forget that regardless of the technical mitigation measures you put in place, your organization’s biggest vulnerability is the employee clicking on something they shouldn’t. Your leadership is essential in preventing that click.
3. Think of Cyber Insurance as the Last Line of Defense
Let’s start by saying that your organization should have cyber insurance. However, there is often an over-reliance on cyber insurance, where senior company leaders believe they are covered if their organization is impacted by a cyberattack.
Your goal should instead be to prevent attacks from occurring in the first place. Think of it like health insurance: just because you have health insurance doesn’t mean you let your family face unnecessary risks. The point is not to get high-quality medical treatment, paid for by your health insurance, after something bad happens. Your role is to protect your family from harm in the first place.
In your business, most of the effort, resources, and investment in cybersecurity should be aimed at preventing cyberattacks from occurring. You can do this by:
- Raising your security posture, i.e. the strength of the defenses you have in place
- Lowering your risk, particularly in relation to human behavior
- Regularly reviewing all aspects of cybersecurity in your organization and taking remediation steps where areas of improvement are identified
4. Stay Informed
One of your jobs as CEO is to understand the key points and issues relating to your organization, even though you may not be an expert. For example, you might not be an accountant, but you understand the financials of your company, as well as wider financial topics. You may not know how to operate the machines on your production line, but you have a general overview of the process. You may not be involved in the detail of your HR department, but you definitely understand the talent acquisition and retention landscape as it applies to your company.
Your level of cybersecurity knowledge should be no different. You don’t need to become an expert, but you should have a solid understanding of the key cybersecurity topics and risks that are relevant to your company.
Obtaining this knowledge may mean reading and other forms of self-directed learning, and it may not be easy. You might even feel a bit silly that you run a successful company but know very little about cybersecurity. However, given the level of risk posed by cybersecurity issues (and how you’ll feel if your company suffers a major breach), staying informed is essential.
Hey, reading this blog is a good start!
5. Know Your Security Posture
The security posture of your company (as described above) is an evolving picture. This is because the threat landscape constantly changes, as does the attack surface of your company (the potential “ins” that an attacker has to your systems or data).
You must stay on top of your company’s security posture, regularly reviewing essential cybersecurity metrics, policies, and procedures, as well as your cyber insurance policy, disaster recovery processes, data backup reliability, and more.
Reviewing your overall security posture is also important in comparing it with previous reviews and targets. This will tell you what further steps you need to take to strengthen defenses and lower risks.
Finally, it is also helpful to get a third-party perspective, including conducting penetration testing to see how your defenses actually hold up in the face of a controlled but aggressive attack.
The Ongoing Cybersecurity Reality
Your business will always have competition and it will always have to pay taxes. You will always need talented people on your team, continuous innovation will always be necessary, and cybersecurity threats will always exist. That’s the ongoing cybersecurity reality.
Fronting up is the only viable approach, but there is help and support available. Contact us at StepUP IT Services to discuss cybersecurity in your company and how you can harden your technology and human behavior defenses.