In today’s complex, digital landscape CEOs face a range of challenges when trying to ensure their businesses are a success. Yet, even with recent cyberattacks serving as stark reminders of the importance of data privacy, a worrying number of CEOs are failing to address one of the most pertinent modern businesses challenges – cybersecurity.
In the last six months alone we’ve witnessed numerous high-profile attacks, from the WannaCry attack on NHS England to the Ukrainian Petya attack which spread across Europe. Yet even with cyberattacks making global headlines on a near daily basis, few CEOs are making cybersecurity strategy a key business priority.
Historically, IT departments have assumed responsibility for overseeing all aspects of a company’s IT requirements, including cybersecurity. However, as cyberattacks become increasingly more malicious and sophisticated and the regulatory environment becomes ever more stringent, this practice simply isn’t appropriate or effective. To counter the threats posed by hackers, CEOs need to drive forward their cyber strategy from the top. More often than not, this means they must start by asking their CTOs and CIOs some frank questions.
Are we prepared to deal with a zero-day attack?
As cyber-attacks continue to become ever more malicious and sophisticated, a formalised zero-day response plan is now a fundamental part of an effective cybersecurity strategy. A zero-day attack takes advantage of a software vulnerability that is unknown to the vendor, and can go undiscovered by companies for weeks, months, and in extreme cases even years, on end. As such, it is crucial that CEOs ensure they have a detailed plan in place for if and when their data or systems are compromised.
The rapidly evolving nature of the cyber landscape means that creating a cohesive plan for responding to cyber-attacks, and completing wide-ranging risk assessments should both be continuous tasks. However, these tasks aren’t necessarily ones that should be completed by the internal IT department. Often it is difficult to be fully impartial or to scrutinise a system that has been built internally. Employing an external Managed Security Service Provider will ensure that risk assessments are always relevant and created without bias to help formulate comprehensive responses to the most advanced cyber-attacks.
Do we have 24/7 monitoring of our network?
Often businesses’ cybersecurity strategies rely either largely, or entirely, on firewalls and basic email solutions. However, these measures can lull business leaders into a false sense of security, as they fail to provide a comprehensive real-time overview of the strength of the network’s security. These solutions, which are often only intended for individual consumer use, don’t always provide alerts to when a cyber-attack has been attempted. This means many business leaders are in the dark about just how secure their networks actually are.
To address this lack of sight across business networks, CEOs should work with their CTOs to introduce a combined solution of host intrusion detection systems (IDS) and security information and event management (SIEM) software. Leveraging an external security operations centre (SOC) with a specialist team to monitor the network 24/7 is also a highly effective way to ensure that CEOs are always informed about when an attack has taken place or when there is suspicious behaviour on the network.
Will we be GDPR compliant by the time the new regulations are implemented?
The majority of businesses in the UK, and indeed globally, are entrusted with customers’ personal and company data in one form or another. However, with the new GDPR implementation fast approaching, a holistic cybersecurity strategy is no longer a ‘nice to have’ but a business necessity. To move towards full GDPR compliance, companies must ensure they have the appropriate governance policies and cybersecurity infrastructure in place.
CEOs need to ensure that, for the most part, cybersecurity and IT responsibilities are separated. Often IT departments are left to audit and test their own systems – a practice which simply isn’t appropriate. As mentioned above, it can be incredibly hard to provide adequate checks and balances when responsibilities are not clearly defined, and governance structures aren’t transparent. Without these appropriate checks associated with separating IT and cybersecurity tasks, businesses cannot be certain that existing measures are set up correctly. Neither can they be sure that they are effective in protecting the business against the ever-increasing variety of malware and ransomware employed by hackers.
Do we have the right skill set to deal with increasingly sophisticated cyber-attacks?
Unfortunately, many CEOs and CTOs are still failing to allocate enough time or money towards a holistic cybersecurity strategy. However, if leaders are serious about safeguarding their companies’ systems and, by extension, their customers’ data from cyberattacks, then they must start investing heavily into the often underfunded department.
By engaging with MSSPs and leveraging the expert knowledge of cybersecurity professionals, CEOs can ensure that they have the latest malware protection software installed, and start addressing whether they have the right skills at their disposal to deal with large-scale cyberattacks – before it’s too late.
It’s also important that CEOs are asking their CTOs about how they are educating their employees and equipping them with the skills to recognise and respond to attacks. According to a report published by the UK’s Information Commissioner’s Office in 2015, human error accounts for almost two thirds of cybersecurity incidents. For this reason, training staff in how to detect cyber-attacks is central to an effective cyber strategy. Further, educating staff on how to recognise phishing emails, the importance of regularly changing their passwords, and regularly testing their knowledge of a response plan can help to prevent attacks from occurring.
With cybersecurity one of the biggest threats to businesses right now, CEOs must start making it a business priority. This must start with talking to CTOs and Heads of IT about the measures currently in place and asking important but often difficult questions about what needs to be done to improve the existing landscape. However, once these questions have been answered, and new systems put in place, the organisation’s cyber health will undoubtedly be greatly improved.
Jeremy Rasmussen, CTO of Abacode