Most CEOs are not cybersecurity experts, and that’s perfectly fine because one hallmark of a great CEO is the ability to delegate responsibility for tasks to people who are more competent in those areas.
Problems start to happen when CEOs fail to follow cybersecurity best practices and ignore the advice of those who understand the current cybersecurity landscape. Even relatively minor incidents can then have disastrous consequences for the entire organization, as well as its customers.
The potential negative impact a CEO can have on the cybersecurity posture of the organization they’re in charge of can be observed most clearly in small and medium-sized businesses (SMBs), where the same people are used to wearing many different hats, even those that don’t fit them well.
If you’re a CEO of a small or medium-sized business, then this article is intended to be a potential eye-opener for you, highlighting several cybersecurity mistakes you need to be aware of to improve your ability to avoid and recover from cyber attacks.
Mistake #1: Not Having an Incident Response Plan
A study conducted by the Ponemon Institute on behalf of IBM revealed that 77 percent of organizations don’t have a consistent cybersecurity incident response plan, and more than half of the organizations that do have a plan don’t test it regularly.
“Failing to plan is a plan to fail when it comes to responding to a cybersecurity incident,” said Ted Julian, Vice President of Product Management and Co-Founder, IBM Resilient. Indeed, the time it takes an organization to detect and respond to a cybersecurity incident correlates with the financial, operational, and reputational impact of the incident.
If your organization doesn’t have an incident response plan yet, then the time to create one is now. A well-thought-out incident response plan must encompass all stages of the incident response process, from preparation through detection, response, and recovery, to post-incident follow-up. The plan must be regularly tested to iron out as many kinks as possible before it’s put to use.
Mistake #2: Not Investing in Cybersecurity Awareness Training
Statistically, almost nine in 10 (88 percent) data breach incidents are caused by employees’ mistakes, as revealed by a joint study from Stanford University Professor Jeff Hancock and security firm Tessian. Often, employees make basic cybersecurity mistakes, such as sharing passwords in plain text form or connecting to unsecured public Wi-Fi networks, because they’re not aware of the risks associated with them.
As a CEO, you need to find the time and money for cybersecurity awareness training that covers everything from password best practices to the risk of using public Wi-Fi and more. When conducted regularly and in an easily digestible manner, cybersecurity awareness training can prevent employees from being the weakest link in the cybersecurity chain.
Even if you consider yourself to be a cybersecurity expert, you should still attend the training sessions so that employees have no reason to doubt their importance.
Mistake #3: Not Following Cybersecurity Best Practices
CEOs can get away with many things regular employees can’t, but not following cybersecurity best practices isn’t among them. Cybercriminals see CEOs as highly valuable targets, and they use increasingly sophisticated techniques to target them.
One particularly damaging technique cybercriminals often use to attack CEOs is called business email compromise (BEC). As its name suggests, this technique exploits the fact that most CEOs rely on email when communicating with employees and business partners alike. Using publicly available information gathered from the web or obtained in a previous data breach, attackers impersonate a trusted sender with the goal of tricking the CEO into disclosing sensitive information or authorizing a wire transfer payment.
CEOs can effectively protect themselves against BEC and other threats by always following cybersecurity best practices, such as actively looking for signs of email spoofing, verifying unusual requests over the phone, and protecting all accounts using strong, unique passwords.
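To make the "signs of email spoofing" concrete, here is an added example (not code from the article or any product it mentions) that checks a raw email for the indicators typically seen in BEC attempts: a Reply-To domain that differs from the From domain, a sender domain that is one character away from a known partner domain, a failing SPF or DKIM result in the Authentication-Results header, and urgent payment language in the subject. The sample messages and the list of partner domains are constructed for the example; the `.test` domains are placeholders.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: display name claims a known partner, but the address uses a
# lookalike domain (digit 1 for letter l), Reply-To points elsewhere, and SPF fails.
SUSPICIOUS_MESSAGE = """\
From: "Anna Example (Example Partners)" <anna@examp1e-partners.test>
Reply-To: accounts@mail-relay.test
To: ceo@smb.test
Subject: Urgent wire transfer before close of business
Authentication-Results: mx.smb.test; spf=fail smtp.mailfrom=examp1e-partners.test; dkim=none
Date: Mon, 01 Jan 2024 09:00:00 +0000

Please process the attached invoice today.
"""

# Constructed sample: a legitimate-looking message from the real partner domain.
CLEAN_MESSAGE = """\
From: "Anna Example" <anna@example-partners.test>
To: ceo@smb.test
Subject: Meeting notes from Tuesday
Authentication-Results: mx.smb.test; spf=pass smtp.mailfrom=example-partners.test; dkim=pass
Date: Mon, 01 Jan 2024 09:00:00 +0000

Notes attached, no action needed.
"""

# Assumed: domains the organization actually exchanges email with.
KNOWN_PARTNER_DOMAINS = {"example-partners.test", "smb.test"}

# Results in Authentication-Results that should be treated as a failure.
FAILING_RESULTS = {"fail", "softfail"}


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def spoofing_indicators(raw_message, known_domains=KNOWN_PARTNER_DOMAINS):
    """Return a list of spoofing/BEC indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)

    # Indicator 1: replies would go to a different domain than the visible sender.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(str(reply_to))
        if _domain(reply_addr) != from_domain:
            findings.append("reply-to-domain-differs-from-from")

    # Indicator 2: sender domain is a one-character lookalike of a known partner.
    if from_domain and from_domain not in known_domains:
        for known in sorted(known_domains):
            if _edit_distance(from_domain, known) <= 1:
                findings.append(f"lookalike-of:{known}")
                break

    # Indicator 3: the receiving mail server recorded an SPF/DKIM/DMARC failure.
    auth = str(msg.get("Authentication-Results", ""))
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if result.lower() in FAILING_RESULTS:
            findings.append(f"{method}-{result.lower()}")

    # Indicator 4: pressure to move money quickly, the classic BEC lure.
    subject = str(msg.get("Subject", "")).lower()
    if any(word in subject for word in ("urgent", "wire transfer", "payment")):
        findings.append("urgent-payment-language")

    return findings


if __name__ == "__main__":
    print("suspicious:", spoofing_indicators(SUSPICIOUS_MESSAGE))
    print("clean:", spoofing_indicators(CLEAN_MESSAGE))
```

None of these indicators proves a message is fraudulent on its own; the point is that each is cheap to check and that any of them is a reason to verify the request out of band, as the text recommends, before acting on it.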
Mistake #4: Not Investigating the Cause of the Incident
When a cybersecurity incident occurs, CEOs often want to move on as quickly as possible. While you should always strive to meet your recovery objectives, you also need to keep in mind that containment is not the same thing as remediation.
Simply pulling the plug and recovering from the most recent backup may be the fastest way to resume normal operation, but it’s not necessarily the best one. Unless you perform root cause analysis to figure out how the incident happened and take the necessary steps to prevent other similar incidents from ever occurring in the future, it’s likely that the same cybercriminals will pay you another visit.
The ability to access comprehensive activity logs can make a huge difference during root cause analysis and remediation, which is one reason why it’s a good idea to invest in security monitoring.
Mistake #5: Not Notifying Affected Parties in a Timely Manner
The direct financial impact of data breaches is no laughing matter, but the financial consequences of failing to report data breaches in accordance with data breach notification laws can be utterly devastating.
For example, all organizations that handle data of EU citizens are required to report a data breach no later than 72 hours after becoming aware of it. If they don’t, they can be fined up to €20 million ($24.1 million) or 4% of annual global turnover (whichever is higher). Not notifying affected parties in a timely manner is also a surefire way for an organization to forever tarnish its reputation and make its long-term partners and customers rethink their commitment.
Your job as a CEO is to ensure that everyone affected by the breach, both directly and indirectly, understands what’s going on and what’s being done to prevent another similar breach from happening in the future.