The chief information security officer (CISO), also known as the chief information officer (CIO), oversees reporting and tackling of the various technical vulnerabilities an organization faces. However, as the Covid-19 pandemic continues to loom over our personal and professional lives, forcing us into more quarantines, lockdowns and self-imposed isolations, this role has increasingly become a shared responsibility with all members of an organization including the entire C-suite, explains Richard Massey, VP EMEA North at Arcserve.
Organizations today are faced with many challenges, but none more obvious and immediate than the threat of cybercrime. This continues to rise in scale and complexity, affecting essential services, businesses, and private individuals alike. The National Crime Agency reported that the UK has seen significant growth in cyber criminality in the form of high-profile ransomware campaigns over the last year. Breaches leaked personal data on a massive scale, leaving victims vulnerable to fraud, while lives were put at risk and services damaged by the WannaCry ransomware campaign that affected the NHS and many other organizations worldwide. According to the World Economic Forum Global Risks Report, cyberattacks are one of the top ten global risks of highest concern in the next decade, with more than $90 trillion potentially lost to threat actors. On top of that, cybercrime will cost the world $11.4 million each minute in 2021 according to Cybersecurity Ventures. This has a significant impact on organizations here in the UK, with over 33 percent of them reporting a loss in customers after a data breach. This is in addition to other stats which show that 41 percent of UK consumers will stop spending with a business temporarily after a security breach. The stakes have never been higher.
However, with remote working becoming the norm for most, cybersecurity has now become a shared responsibility with all members of an organization, especially the C-suite. As threats become increasingly sophisticated and data breaches influence a company’s bottom line, overall reputation, and investment outlook, people are looking towards the people in charge. Customers hold them responsible whenever there is a data breach that compromises their credit cards and investors are questioning the C-suite whenever an attack devalues the company. And the public always points to the failings of the C-suite when a cyberattack cripples an organization. It’s clear that the C-suite, besides the IT team, is one of the first responders on the scene in case of an attack and as such it should be their top priority. Here are three ways the C-suite can protect their organizations and help reduce the risk of cyberattacks on the frontlines now.
Prioritize employee education and training from the top
The earliest step that the C-suite needs to take to ensure their organization’s data is protected against any potential cyberattacks is educating and training their employees on the latest threats out there. Whether that’s malware, phishing emails, or DDoS attacks, the C-suite needs to invest time and money in teaching employees about the everyday basics in cyber hygiene. This includes teaching them how to spot and recognize fraudulent emails that contain suspicious links, updating passwords to key endpoints such as emails and social media sites on a regular basis, and providing clear and simple IT guidelines/frameworks that will increase overall cyber literacy within an organization. By going that extra mile and hiring technical specialists, the C-suite can also help promote practical and interactive training sessions that involve simulating certain attacks, to help boost the company’s level of experience and cyber maturity.
Take responsibility from the top
But, while CIOs typically spearhead these efforts, other C-suite executives can rise in support of these programs, to add an extra level of reassurance and integrity. The Chief Operating Officer (COO), often second in command behind the CEO, can help provide the authority needed to advocate for an improved company security culture and practices. The Chief Human Resources Manager (CHRM) can also help communicate this further down to other employees and stakeholders, improving the level of trust and uptake in the company’s security vision. Even the Chief Marketing Officer (CMO), who is directly tied to customers and clients, can communicate how company data is protected and provide assurances. Most of all, the CEO, the de facto leader and face of the company, can become more active in making data security a key point of discussion and engagement in meetings with the entire C-suite, investors, board, and partners. He or she needs to always be ahead of the curve on the latest regulatory landscape involving security, as well as the latest threats and threat actors, to make intelligent decisions about IT budget allocations.
Ensure recovery and continuity plans from the top
The global pandemic has created an excellent diversion and bad actors are taking full advantage. The coronavirus has spawned several pandemic-themed attacks, including ransomware disguised as an official COVID-19 tracing tool that targeted Android users in Canada. Every CIO out there has modeled their company’s plan A, B, and Z in preparation for any eventuality, but they still get caught out by a new, more sophisticated attack. The C-suite simply needs to implement a strong enough response and recovery plan to keep their business running in the event of a cyberattack. They need to conduct an inventory of all data present, encrypt sensitive information such as employee data and financial records, and create regular backups stored safely outside of the network. Backing up data is the best way to ensure that even if data gets lost in an attack, there are external copies that can be accessed and used later on. This means that an organization never loses its data entirely. Take for example the recent ransomware attack on videogame developer CDPR and their recent headline-grabbing video game Cyberpunk 2077. Soon after the attack occurred, the company immediately secured its IT infrastructure and restored data from existing backups. The company is being transparent about the attack but also says it is not negotiating with the cyber-criminals, instead relying on well-managed backup systems.
However, for some executives, investing in these security options is a hard line item to justify because there’s rarely any tangible payoff. Often this type of investment gets overlooked because it does not correlate directly with reduced spending or an increase in employee productivity, and as such it always gets left behind. On the flipside, not investing in secure solutions could put their organization at risk of financial and reputational damage. For example, cybercrime in the UK has doubled in the last five years, costing businesses £87 billion since 2015, with over 88 percent of UK companies having suffered breaches in the last 12 months.
The C-suite needs to find better solutions now, and budget security resources intelligently whilst weighing the cost vs ratio, in order to find that perfect balance.
Richard Massey, VP EMEA North, Arcserve