{"id":47030,"date":"2023-01-30T16:12:54","date_gmt":"2023-01-30T21:12:54","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=47030"},"modified":"2023-02-08T13:04:48","modified_gmt":"2023-02-08T18:04:48","slug":"5-cybersecurity-lessons-ceo","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/5-cybersecurity-lessons-ceo\/47030\/","title":{"rendered":"Five key cybersecurity lessons for your CEO"},"content":{"rendered":"<p>Information security is nothing if not stressful: the constant lookout for potential incidents and chronically long hours are compounded by the never-ending battle with other departments that see cybersecurity as an unnecessary nuisance. At best, they try not to think about it, but in especially severe cases, they go out of their way to avoid anything that\u2019s cybersecurity-related. As a logical result, <a href=\"https:\/\/www.kaspersky.com\/blog\/speak-fluent-infosec-2023\/\" target=\"_blank\" rel=\"noopener nofollow\">62% of top managers polled<\/a> by Kaspersky admit that misunderstandings between business and information security departments have led to serious cyber incidents. To change attitudes toward information security in an organization, it\u2019s vital to gain support at the highest level \u2014 from the board of directors. So, what should you tell your CEO or president, given they\u2019re always busy and probably rarely in the mood to think about information security? Here are five simple, digestible keynotes to keep repeating at meetings until senior management gets the message.<\/p>\n<h2>Teach the team cybersecurity \u2013 and start at C-level<\/h2>\n<p>Any training requires trust in the teacher, which can be tough if the student happens to be the CEO. Establishing an interpersonal bridge and gaining credibility will be easier if you start not with strategy, but with top management\u2019s personal cybersecurity. 
This directly affects the security of the entire company, because the personal data and passwords of the CEO are often targeted by attackers.<\/p>\n<p>Take, for instance, the scandal of late 2022 in the U.S. when attackers penetrated the VIP social network <a href=\"https:\/\/krebsonsecurity.com\/2022\/12\/fbis-vetted-info-sharing-network-infragard-hacked\/\" target=\"_blank\" rel=\"nofollow noopener\">Infragard<\/a>, used by the FBI to confidentially inform CEOs of large enterprises about the most serious cyberthreats. Hackers stole a database with the e-mail addresses and phone numbers of more than 80,000 members and put it up for sale for US$50,000. Armed with this contact information, those who purchased it would be able to gain the trust of the CEOs affected, or use it in <a href=\"https:\/\/www.kaspersky.com\/blog\/what-is-bec-attack\/34135\/\" target=\"_blank\" rel=\"noopener nofollow\">BEC attacks<\/a>. Sometimes CEOs become victims of <a href=\"https:\/\/www.csoonline.com\/article\/3687177\/surge-of-swatting-attacks-targets-corporate-executives-and-board-members.html\" target=\"_blank\" rel=\"nofollow noopener\">quite dangerous \u201cswatting\u201d attacks<\/a>.<\/p>\n<p>With the above in mind, it\u2019s critical that management use <a href=\"https:\/\/www.kaspersky.com\/blog\/what_is_two_factor_authentication\/5036\/\" target=\"_blank\" rel=\"noopener nofollow\">two-factor authentication<\/a> with USB or NFC tokens on all devices, have long and unique passwords for all work accounts, protect all personal and work devices with appropriate software, and keep work and personal digital assets separate. All in all, the usual tips for the cautious user \u2014 but reinforced by an awareness of the potential cost of a mistake. For the same reason, it\u2019s important to double-check all suspicious e-mails and attachments. 
Some executives might need a hand from someone in information security to deal with particularly suspicious links or files.<\/p>\n<p>Once management has got to grips with the basic security lessons, you might guide them gently toward a strategic decision: regular information security training for all company employees. There are different knowledge requirements for each level of employees. Everyone, including frontline employees, needs to assimilate the aforementioned rules of cyber-hygiene as well as tips on how to respond to suspicious or non-standard situations. Managers \u2014 especially those in IT \u2014 would benefit from a deeper understanding of how security is integrated into product development and usage lifecycle, what security policies to adopt in their departments, and how all this can affect business performance. Conversely, infosec employees themselves should study the business processes adopted in the company to get a better feel of how to painlessly integrate the necessary safeguards.<\/p>\n<h2>Integrate cybersecurity into company\u2019s strategy and processes<\/h2>\n<p>As the economy digitizes, the cybercrime landscape\u2026 complexifies, and regulation intensifies, cyber-risk management is becoming a full-blown, board-level task. There are technological, human, financial, legal, and organizational aspects to this, so leaders in all these areas need to be involved in adapting the company\u2019s strategy and processes.<\/p>\n<p>How do we minimize the risk of a supplier or contractor being hacked, given that we could become a secondary target in such a scenario? What laws in our industry govern the storage and transfer of sensitive data such as customers\u2019 personal information? What would be the operational impact of a ransomware attack that blocks and wipes all computers, and how long would it take to restore them from backups? Can the reputational damage be measured in money when an attack on us becomes known to partners and the public? 
What additional security measures will we take to protect employees working remotely? These are the questions that information security services and experts from other departments must address, backed up by organizational and technical measures.<\/p>\n<p>It\u2019s important to remind senior management that \u201cbuying this [or that] protection system\u201d isn\u2019t a silver bullet for any of these problems, since, according to various estimates, between <a href=\"https:\/\/www.kaspersky.com\/blog\/the-human-factor-in-it-security\" target=\"_blank\" rel=\"noopener nofollow\">46%<\/a> and <a href=\"https:\/\/media-publications.bcg.com\/BCG-Executive-Perspectives-CEO-Guide-to-Cybersecurity.pdf\" target=\"_blank\" rel=\"nofollow noopener\">77%<\/a> of all incidents are related to the human factor: from non-compliance with regulations and malicious insiders to a lack of IT transparency on the part of contractors.<\/p>\n<p>Despite this, information security issues will always revolve around the budget.<\/p>\n<h2>Invest appropriately<\/h2>\n<p>Money for information security is always in short supply, while the problems to be solved in this area seem infinite. It\u2019s important to prioritize in line with the requirements of the industry in question and with the threats that are most relevant to your organization and have the potential to cause the most damage. This is possible in virtually all areas \u2014 from vulnerability closure to staff training. None can be ignored, and each will have its own priorities and order of precedence. Working within the allotted budget, we eliminate the key risks, then proceed to the less likely ones. 
It\u2019s a near-impossible task to rank the risk probabilities on your own, so you\u2019ll need to study <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/threat-intelligence?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener nofollow\">threat landscape reports<\/a> for your industry and analyze the typical attack vectors.<\/p>\n<p>Things get really interesting, of course, when the budget needs to be increased. The most mature approach to budgeting is one based on risks and the respective cost of their actualization and minimization, but it\u2019s also the most labor-intensive. Live examples \u2014 ideally from the experience of competitors \u2014 play an important supporting role in boardroom discussions. That said, they\u2019re not easy to come by, which is why it\u2019s common to resort to various benchmarks that give <a href=\"https:\/\/calculator.kaspersky.com\/\" target=\"_blank\" rel=\"nofollow noopener\">average budgets for a particular business area and country<\/a>.<\/p>\n<h2>Consider all risk types<\/h2>\n<p>Discussions of information security usually focus too much on hackers and software solutions to defeat them. But many organizations\u2019 day-to-day operations face other risks that also pertain to information security.<\/p>\n<p>Without a doubt, one of the most prevalent in recent years has been the risk of violating laws on the storage and use of personal data: GDPR, CCPA, and the like. Current law enforcement practice shows that ignoring them is not an option: sooner or later the regulator will impose a fine, and in many cases \u2014 especially in Europe \u2014 we\u2019re talking substantial sums. 
An even more alarming prospect looming for companies is the imposition of turnover-based fines for leaks or improper handling of personal data, so a comprehensive audit of information systems and processes with a view to step-by-step elimination of violations would be very timely indeed.<\/p>\n<p>A number of industries have their own, even stricter criteria, in particular the financial, telecom, and medical sectors, as well as critical infrastructure operators. It must be a regularly monitored task of managers in these areas to improve compliance with regulatory requirements in their departments.<\/p>\n<h2>Respond correctly<\/h2>\n<p>Sadly, despite best efforts, cybersecurity incidents are pretty much inevitable. If the scale of an attack is large enough to attract boardroom attention, it almost certainly means a disruption of operations or leakage of important data. Not only information security, but business units too must be ready to respond, ideally by having gone through drills. At a minimum, senior management must know and follow the response procedures so as not to reduce the chances of a favorable outcome. There are three fundamental steps for the CEO:<\/p>\n<ol>\n<li>Immediately notify key parties about the incident; depending on the context, these are the finance and legal departments, insurers, industry regulators, data protection regulators, law enforcement, and affected customers. In many cases, the timeframe for such notification is established by law, but if not, it should be laid out in the internal regulations. Common sense dictates that the notification be prompt but informative; that is, before notifying, information about the nature of the incident must be gathered, including an initial assessment of the scale and the first-response measures taken.<\/li>\n<li>Investigate the incident. It\u2019s important to take diverse measures to be able to correctly assess the scale and ramifications of the attack. 
Besides purely technical measures, employee surveys are also important, for example. During the investigation, it\u2019s vital not to damage digital evidence of the attack or other artifacts. In many cases it makes sense to bring in <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/incident-response?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____\" target=\"_blank\" rel=\"noopener nofollow\">outside experts<\/a> to investigate and clean up the incident.<\/li>\n<li>Draw up a communications schedule. A typical mistake that companies make is to try to hide or downplay an incident. Sooner or later, the true scale of the problem will emerge, prolonging and amplifying the damage \u2014 from reputational to financial. Therefore, external and internal communications must be regular and <a href=\"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/cyber-incidence-communication-response\/32379\/\" target=\"_blank\" rel=\"noopener nofollow\">systematic<\/a>, delivering information that\u2019s consistent and of practical use to customers and employees. They must have a clear understanding of what actions to take now and what to expect in the future. It would be a good idea to centralize communications; that is, to appoint internal and external spokespeople and forbid anyone else from performing this role.<\/li>\n<\/ol>\n<p>Communicating information security matters to senior management is a rather time-consuming and not always rewarding task, so these five messages are unlikely to be conveyed and taken to heart in just one or two meetings. Interaction between business and information security is an ongoing process that requires mutual effort to better understand each other. 
Only with a systematic, step-by-step approach, carried out on a regular basis and involving practically all executives, can your company gain the upper hand over competitors in navigating today\u2019s cyber-scape.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Information security measures are far more effective when supported by top management. How to get this support? <\/p>\n","protected":false},"author":2722,"featured_media":47031,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051],"tags":[2141,527,3965,76,420,1146,1795],"class_list":{"0":"post-47030","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-business","10":"tag-hacks","11":"tag-incidents","12":"tag-phishing","13":"tag-ransomware","14":"tag-risks","15":"tag-training"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/5-cybersecurity-lessons-ceo\/47030\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/5-cybersecurity-lessons-ceo\/25132\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/5-cybersecurity-lessons-ceo\/20627\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/5-cybersecurity-lessons-ceo\/27759\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/5-cybersecurity-lessons-ceo\/25465\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/5-cybersecurity-lessons-ceo\/25847\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/5-cybersecurity-lessons-ceo\/28364\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/5-cybersecurity-lessons-ceo\/34613\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/5-cybersecurity-lessons-ceo\/20086\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/5-cybersecurity-lessons-ceo\/20717\/"},{"hreflang
":"de","url":"https:\/\/www.kaspersky.de\/blog\/5-cybersecurity-lessons-ceo\/29720\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/5-cybersecurity-lessons-ceo\/33197\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/5-cybersecurity-lessons-ceo\/25825\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/5-cybersecurity-lessons-ceo\/31504\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/5-cybersecurity-lessons-ceo\/31218\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/business\/","name":"Business"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/47030","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=47030"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/47030\/revisions"}],"predecessor-version":[{"id":47108,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/47030\/revisions\/47108"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/47031"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=47030"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=47030"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=47030"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}