Cybersecurity threats are increasing year after year. Attacks and breaches will occur, and there will be negative effects on businesses. Cybersecurity breaches can be more likely to occur when leadership has failed to take initiative in cybersecurity. One challenge that companies can face is having a chief executive officer (CEO) and board of directors that do not fully understand or know how to respond to organizational risks.
CEOs and CISOs need to consider the following items to run a business more effectively and more securely.
Set the Tone From the Top
CEOs and boards of directors do not need to become security experts. However, by increasing their knowledge of cybersecurity and gaining a full understanding of cybersecurity risks, they can use their leadership position to influence security throughout the entire organization.
CEOs and Chief Information Security Officers (CISOs) need to take the lead, setting the tone from the top, to ensure their organizations are prepared to face cyber threats without major impact. It is extremely important for CEOs and CISOs to effectively communicate the importance of cybersecurity with other leadership throughout the organization. It needs to be highlighted that cybersecurity is everyone’s responsibility.
Proper Funding & Staffing
- What percentage of the company budget is dedicated to IT?
- What percentage of the IT budget is dedicated to cybersecurity?
- Do these numbers conform to industry standards?
Being under constant attack, organizations need to make sure that their IT and security departments are properly funded and managed. A lack of investment in the organization’s security department could result in self-inflicted harm that permanently cripples the organization.
Does the organization have someone dedicated to cybersecurity such as a CISO? It’s extremely important that CEOs and CISOs are able to take proactive steps to reduce the risks of cyberattacks.
Require Third-Party Security Assessments
Hire an independent company to conduct cyber risk assessments to identify potential gaps in processes, procedures, and technologies. Third-party security assessments should be performed with all new implementations, major network changes, and major application changes.
Cyberattacks Are Not an If, but a When
Your organization is probably being scanned for vulnerabilities as you read this. Discuss the damage that could be caused if a cyberattack is successful. Do you have a plan to detect threats? Do you have a plan once a threat is detected? What is the plan to mitigate damage after a breach?
Cybersecurity Is Now a Board-Level Issue
Many CEOs think that cybersecurity is just an IT concern or is the sole responsibility of other leaders within the organization. However, that is not the case. Cybersecurity has become a board-level discussion, and CEOs need to be ready to communicate cybersecurity concepts effectively to board members.
Embed Security into Employee Behavior
One of an organization’s greatest defenses against cyberattacks can often be the people, not just the technology. Consider pushing for security-focused behavior changes along with security awareness. Just making employees aware of cybersecurity may not be enough. By investing time to properly train employees, you may be able to embed security into their behavior and change their decisions and actions to be more security-focused.
Create a Security-First Culture in Your Organization
Create a security-first culture in your organization. Identify your risky departments and employees, then provide additional training, alternate methods of training, and consider tailored training. Consider how often employees receive security training. Consider if all new employees & contractors immediately receive security training. Awareness alone may not be enough. Work to improve employee behavior. Routinely test the effectiveness of your security training. Track your metrics to create historical trends. Routinely require independent security assessments and independent phishing assessments to obtain an outside perspective on your security posture.
Require Third-Party Phishing Assessments
Third-party phishing assessments can provide the organization with unbiased testing and reporting to reveal the true organizational risk. Phishing campaigns run by internal security teams can be influenced by inside knowledge or by requests from leadership, resulting in ineffective scenarios and inaccurate metrics.
Improve Your Risk Management Program
Identify organizational risks, threats, and vulnerabilities. Once identified, administrative actions should be taken and solutions should be implemented to make sure the organization is sufficiently protected.
Have a plan to identify, assess, and respond to risk. Assess the likelihood and potential impact.
Determine the best approach to respond to the risk. Typically, risk can be avoided, transferred, accepted, or mitigated. Keep in mind that not all risks can be eliminated, and the organization may not have the budget or personnel to address all risks.
Prepare for Attacks on Your Reputation
Ensure that the organization is prepared to deal with reputational attacks. Attacks on an organization’s reputation could have a crippling effect. Consider the vast amount of damage that could be caused from bad news on an organization’s reputation. Negative effects could include large decreases in share prices and a decrease in the organization’s competitiveness, resulting in a massive drop in business. Ensure plans are in place to quickly address reputational damage, should a reputational attack be successful. Usually, the quicker an organization can respond to a reputational attack, the better the outcome will be.
Secure Your Supply Chain
Supply chains may be one of the main pillars supporting your organization. Would your organization be able to run smoothly if there were major disruptions to your supply chains? Oftentimes, supply chain security is an afterthought, and organizations do not realize how vulnerable they are to attacks through their supply chains. Question the security around your supply chains and close any vulnerable areas. Make sure that there are plans in place that consider attacks on your supply chain and the associated risks.
Watch for Insider Threats
Not all threats to the organization are external threats. Internal threats can cause just as much damage to an unprepared organization. Insider threats can vary from a disgruntled employee to a recently fired individual whose access was not terminated with their employment. Consider a security audit with a focus on reviewing your policies and procedures to look for any potential gaps.
Require Vulnerability Scanning & Vulnerability Assessments
Require routine vulnerability scans to be performed. Consider weekly and/or monthly vulnerability scans to proactively identify vulnerabilities. Vulnerability assessments may help you determine the vulnerabilities that have higher risk to the organization. This type of assessment could help direct your focus and remediation efforts.
Require Penetration Testing from a Third-Party
Verify that routine penetration testing is being performed to identify potential security vulnerabilities. Annual penetration tests are not enough. Monthly or quarterly penetration tests, along with weekly or monthly vulnerability scanning, are much more effective at improving your overall security posture.
Include External Penetration Testing & Web Application Penetration Testing
We often see companies state that they already require penetration tests to be performed. Then we find out that the penetration tests being performed focus on only one area, such as the internal network, and completely miss testing the external network, web applications, mobile applications, wireless network, physical security, employee awareness, and more. While testing the internal network is extremely important, other areas, including the external network, web applications, and social engineering, could be argued to be just as important, if not more important, to test.
Free Consultation with Central InfoSec
Central InfoSec specializes in a variety of professional security services to help you test, measure, and improve your overall security posture. Security services offered include red teaming, penetration testing, vulnerability assessments, web application testing, managed phishing, and other tailored security services to help you reduce risk to your organization.