Executive involvement is a critical component of any organization’s cybersecurity. Why? The IT department may not have all of the knowledge about what data could have a critical impact on the business if it were lost or exposed. IT can recommend security controls but may not have the financial data to compute Return on Investment (ROI) or know the level of risk tolerance that the executive team is comfortable with. It also stands to reason that if cybersecurity is not important enough to the organization for senior-level involvement, it may be viewed by other staff as not important to the business.
There are 10 key areas that every business leader should be aware of to ensure that their cybersecurity is aligned with the business goals, risk tolerance and financial realities:
- What data is most critical to your business? What are the crown jewels on your network? Financials, customer lists, pricing models – some of these seem obvious, but what other files does senior management rely on that IT might not be aware are critical? Are all these critical files backed up and stored encrypted off site? Can critical files be recovered if ransomware strikes, and if disaster strikes, can you spin up a virtual instance of the data so your business can continue to function? A Datto survey of 1,100 IT professionals revealed that over 90 percent had clients that suffered ransomware attacks in the past year. Forty percent had clients that were subject to at least six ransomware attacks.
- What compliance requirements or best practices does the business use for cybersecurity? If your business falls under HIPAA to protect health data or PCI for credit card records, you have a framework of requirements to follow. If not, aligning your cybersecurity program to a known framework like the National Institute of Standards and Technology Cyber Security Framework (NIST CSF) helps make sure you don’t miss any critical components and can help demonstrate a “reasonable” standard of care in the event of litigation.
- How do you know you are following compliance requirements and best-practice guidelines? Are you 100% reliant on the internal IT staff or third-party IT support company that implements and runs the solutions to also validate that those solutions meet compliance or cybersecurity guidelines? If so, do these folks have the proper training to do the validation? According to a Ponemon study, non-compliance costs more than twice as much as maintaining or meeting compliance requirements.
- Do you have “least privilege” controls in place for sensitive data? A summer intern or part-time volunteer likely should not have access to critical data, but even long-term staff should only have access to the data they need to perform their functions, to minimize the attack surface and the risk of exposure through human error or a malicious insider. More than 34% of businesses are affected by insider threats yearly, and that number keeps going up. Over the last two years, the number of insider incidents has increased by 47%.
- How do you provide cybersecurity awareness training and messaging about the importance of the entire team being vigilant? It is critical to have ongoing cybersecurity awareness training as part of your security strategy because the human element is the weakest link in the security chain. Along with training, you need to have a clear process for staff to report suspected threats, suspicious emails or behavior, and you should be rewarding employees with praise or other incentives for doing so. Even though it is well known that email is a main infection method for all types of cyber-attacks, people are still falling victim to malicious social engineering and, in doing so, infecting whole systems with dangerous ransomware. Poor basic cybersecurity practices, such as reusing weak passwords, lack of proper access management, and poor user awareness as a whole, are the causes of ransomware infection. Phishing attacks account for more than 80% of reported security incidents.
- How do you budget for cybersecurity? Do you allocate a percentage of revenue, or rely on your IT staff or outside IT provider to make requests as needed? Is this enough or too much? If you know what data needs protecting, you can run some quick calculations on potential breach costs and use that, along with the business risk tolerance, to make budget decisions. 62% of organizations will increase cybersecurity spending in 2020.
- How would an incident be detected in your network? The sooner you are aware of a potential incident, the better the chances to stop it or at least minimize the damage. The average time to detect and contain a breach is 280 days. Companies that contained a breach in less than 30 days saved over $1 million compared to those that took more than 30 days to resolve it.
- What resources do you have to respond to incidents? Whether a threat is detected by a technical control and requires investigation, or a staff member comes in and admits that they just accidentally sent out a list of employee social security numbers via email, how do you know what steps need to be taken, who needs to be notified, and, most importantly, what NOT to do so as not to make the situation worse? Companies studied that had fully deployed security technologies experienced less than half the data breach costs of those that didn’t have these tools deployed.
- Do you have a business continuity plan (BCP) in the event systems are taken offline by ransomware or a critical piece of hardware fails? According to FEMA, following a disaster, 90% of smaller companies fail within a year unless they can resume operations within 5 days.
- Are the day-to-day security operations, such as patching or configuration updates, being done? 60 percent of breaches involved vulnerabilities for which a patch was available but not applied. 80% of companies that had a data breach or a failed audit could have prevented it by patching on time or doing configuration updates. The average time for organizations to close a discovered vulnerability (caused by unpatched software and apps) is 67 days. Why aren’t IT teams patching? Because it is complicated and time consuming. 72% of managers are afraid to apply security patches right away because they could ‘break stuff’. On average it takes 12 days for teams to coordinate applying a patch across all devices.