Cyberthreats are one of the top concerns facing CEOs in 2019. But not enough CEOs are acting on those concerns. They’re relying on their IT departments to handle security, as they should, but CEOs need to take a more personal interest in security, too.
Some Telling Statistics
Let me give you some context: One of the services we provide is managing clients’ websites on a secure cloud platform. Many of those clients are publicly traded firms. On earnings day, it’s not unusual for a business to experience a 400% lift in malicious traffic. Fortunately, businesses like us exist to keep the bad guys from disrupting your site. But you don’t want to learn the hard way why companies like us exist. According to Symantec’s 2019 Internet Security Threat Report, in 2018, the number of web attacks increased by 56%, and the number of mobile ransomware infections increased by 33%. All it takes is one of those attacks to succeed, and you’ll pay a heavy price.
An organization is vulnerable for many reasons. Chief among them is neglecting to educate its own people about secure behavior: writing passwords on Post-it Notes, forwarding sensitive information to personal email accounts, and the like. These behaviors go well beyond the realm and responsibility of your IT department. Your entire company needs to be involved, with you leading the charge. Here’s how you should be making a difference.
1. Know the basics.
You don’t need to understand information security inside and out, just as you don’t need to know every nuance of finance to be a CEO. But it’s essential to get a working vocabulary of the security threats that apply most to you. For example, do you know the difference between phishing and spear phishing?
According to Google’s dictionary, phishing is a broader term for “the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.”
Spear phishing, on the other hand, is targeted. The attacker researches a specific person or company and sends a fraudulent email that appears to come from someone the victim knows and trusts, such as the CEO of the company or a member of the victim’s own team. The email may contain a link to a malicious page or an attachment carrying malware, and because it uses real names and context, it is far more convincing than a generic phishing message.
Security awareness training is the most effective first line of defense against these threats; it complements, rather than replaces, technical controls such as email filtering and multi-factor authentication. And that’s not something you can let someone else report back to you. You need to take the training, too.
2. Make sure everyone gets trained.
Everyone in your company needs to undergo training, not just you and your team. But that’s not going to happen unless you personally take ownership of the training agenda. It’s not down to you to implement a training program, but you should be the one who gets the entire company on the same page by issuing a mandate to train.
Every six months, all of our people need to take IT security awareness training, which is developed by IT security. You’d better believe I take a vested interest in making sure this training is done across the entire company. There’s too much at stake for me not to do so. As CEO, I ask all managers to track compliance as part of annual employee reviews.
3. Audit your third-party IT and data protection.
In some industries, performing an outside audit is mandatory. You should make at least a yearly audit mandatory, whether the law requires you to do so or not. I insist we do audits even though we don’t have to. Being able to show a client and prospect that we’ve subjected ourselves to a rigorous audit is like posting the date of your latest elevator inspection: you increase confidence.
The CEO should not only order the audit but also expect to be presented with the findings. The goal should be to understand your strengths and weaknesses. That’s how you address potential issues before they become crippling problems.
4. Make security a board-level issue.
At least twice a year, convene a meeting with your board and head of IT security to review the state of security. An ideal time to do so is after you’ve undergone your audit, when you can discuss its outcomes with the key stakeholders in your company. Making security a board-level issue helps you secure the budget to effect any changes you need to make to improve security in your company. When your board understands the risks and the ways to manage them, you have a stronger mandate to make the change.
5. Challenge your security team.
You don’t need to be involved in the selection of security software or the development of protocols. But you do need to challenge your team to report to you their security game plan and to offer regular status updates on how well your company is progressing. And don’t be a passive listener; challenge them.
For example, ask them what processes your competitors and clients have put in place. How do you measure up? Since new security threats emerge each year, ask them what they’ve done to address those threats. No CEO has the time to get into the weeds of IT security. But if you take cybersecurity threats personally, you’ll be an active participant in challenging your team. To cite a parallel situation: You’re not going to write your quarterly company earnings announcement, but that doesn’t mean you passively accept the results.
The Mindset Change
Making security a personal issue requires a mindset change: from viewing security as a cost to viewing it as an investment that protects your company. No reasonable executive would ever consider the locks on the front doors of their office to be overhead. Protecting your brand is worth the investment. It’s your reputation; make it personal.