Information security is nothing if not stressful: the constant lookout for potential incidents and chronically long hours are compounded by the never-ending battle with other departments that see cybersecurity as an unnecessary nuisance. At best, they try not to think about it, but in especially severe cases, they go out of their way to avoid anything that’s cybersecurity-related. As a logical result, 62% of top managers polled by Kaspersky admit that misunderstandings between business and information security departments have led to serious cyber incidents. To change attitudes toward information security in an organization, it’s vital to gain support at the highest level — from the board of directors. So, what to tell your CEO or president, give they’re always busy and probably rarely in the mood to think about information security? Here are five simple, digestible keynotes to keep repeating at meetings until senior management gets the message.
Teach the team cybersecurity – and start at C-level
Any training requires trust in the teacher, which can be tough if the student happens to be the CEO. Establishing an interpersonal bridge and gaining credibility will be easier if you start not with strategy, but with top management’s personal cybersecurity. This directly affects the security of the entire company, because the personal data and passwords of the CEO are often targeted by attackers.
Take, for instance, the scandal of late 2022 in the U.S. when attackers penetrated the VIP social network Infragard, used by the FBI to confidentially inform CEOs of large enterprises about the most serious cyberthreats. Hackers stole a database with the e-mail addresses and phone numbers of more than 80,000 members and put it up for sale for US$50,000. Armed with this contact information, those who purchased it would be able to gain the trust of the CEOs affected, or use it in BEC attacks. Sometimes CEO become victims of quite dangerous “swatting” attacks.
With the above in mind, it’s critical that management uses two-factor authentication with USB or NFC tokens on all devices, have long and unique passwords for all work accounts, protect all personal and work devices with appropriate software, and keep work and personal digital stuff separate. All in all, the usual tips for the cautious user — but reinforced by an awareness of the potential cost of a mistake. For the same reason, it’s important to double-check all suspicious e-mails and attachments. Some executives might need a hand from someone in information security to deal with particularly suspicious links or files.
Once management has got to grips with the basic security lessons, you might guide them gently toward a strategic decision: regular information security training for all company employees. There are different knowledge requirements for each level of employees. Everyone, including frontline employees, needs to assimilate the aforementioned rules of cyber-hygiene as well as tips on how to respond to suspicious or non-standard situations. Managers — especially those in IT — would benefit from a deeper understanding of how security is integrated into product development and usage lifecycle, what security policies to adopt in their departments, and how all this can affect business performance. Conversely, infosec employees themselves should study the business processes adopted in the company to get a better feel of how to painlessly integrate the necessary safeguards.
Integrate cybersecurity into company’s strategy and processes
As the economy digitizes, the cybercrime landscape… complexifies, and regulation intensifies, cyber-risk management is becoming a full-blown, board-level task. There are technological, human, financial, legal, and organizational aspects to this, so leaders in all these areas need to be involved in adapting the company’s strategy and processes.
How do we minimize the risk of a supplier or contractor being hacked, given that we could become a secondary target in such a scenario? What laws in our industry govern the storage and transfer of sensitive data such as customers’ personal information? What would be the operational impact of a ransomware attack that blocks and wipes all computers, and how long would it take to restore them from backups? Can the reputational damage be measured in money when an attack on us becomes known to partners and the public? What additional security measures will we take to protect employees working remotely? These are the questions that information security services and experts from other departments must address, backed up by organizational and technical measures.
It’s important to remind senior management that “buying this [or that] protection system” isn’t a silver bullet for any of these problems, since, according to various estimates, between 46% and 77% of all incidents are related to the human factor: from non-compliance with regulations and malicious insiders to a lack of IT transparency on the part of contractors.
Despite this, information security issues will always revolve around the budget.
Money for information security is always in short supply, while the problems to be solved in this area seem infinite. It’s important to prioritize in line with the requirements of the industry in question and with the threats that are most relevant to your organization and have the potential to cause the most damage. This is possible in virtually all areas — from vulnerability closure to staff training. None can be ignored, and each will have its own priorities and order of precedence. Working within the allotted budget, we eliminate the key risks, then proceed to the less likely ones. It’s a near-impossible task to rank the risk probabilities on your own, so you’ll need to study threat landscape reports for your industry and analyze the typical attack vectors.
Things get really interesting, of course, when the budget needs to be increased. The most mature approach to budgeting is one based on risks and the respective cost of their actualization and minimization, but it’s also the most labor-intensive. Live examples — ideally from the experience of competitors — play an important supporting role in boardroom discussions. That said, they’re not easy to come by, which is why it’s common to resort to various benchmarks that give average budgets for a particular business area and country.
Consider all risk types
Discussions of information security usually focus too much on hackers and software solutions to defeat them. But many organizations’ day-to-day operations face other risks that also pertain to information security.
Without a doubt, one of the most prevalent in recent years has been the risk of violating laws on the storage and use of personal data: GPDR, CCPA, and the like. Current law enforcement practice shows that ignoring them is not an option: sooner or later the regulator will impose a fine, and in many cases — especially in Europe — we’re talking substantial sums. An even more alarming prospect looming for companies is the imposition of turnover-based fines for leaks or improper handling of personal data, so a comprehensive audit of information systems and processes with a view to step-by-step elimination of violations would be very timely indeed.
A number of industries have their own, even stricter criteria, in particular the financial, telecom, and medical sectors, as well as critical infrastructure operators. It must be a regularly monitored task of managers in these areas to improve compliance with regulatory requirements in their departments.
Sadly, despite best efforts, cybersecurity incidents are pretty much inevitable. If the scale of an attack is large enough to attract boardroom attention, it almost certainly means a disruption of operations or leakage of important data. Not only information security, but business units too must be ready to respond, ideally by having gone through drills. At a minimum, senior management must know and follow the response procedures so as not to reduce the chances of a favorable outcome. There are three fundamental steps for the CEO:
- Immediately notify key parties about an incident; depending on the context: finance and legal departments, insurers, industry regulators, data protection regulators, law enforcement, affected customers. In many cases, the timeframe for such notification is established by law, but if not, it should be laid out it in the internal regulations. Common sense dictates that the notification be prompt but informative; that is, before notifying, information about the nature of the incident must be gathered, including an initial assessment of the scale and the first-response measures taken.
- Investigate the incident. It’s important to take diverse measures to be able to correctly assess the scale and ramifications of the attack. Besides purely technical measures, employee surveys are also important, for example. During the investigation, it’s vital not to damage digital evidence of the attack or other artifacts. In many cases it makes sense to bring in outside experts to investigate and clean up the incident.
- Draw up a communications schedule. A typical mistake that companies make is to try to hide or downplay an incident. Sooner or later, the true scale of the problem will emerge, prolonging and amplifying the damage — from reputational to financial. Therefore, external and internal communications must be regular and systematic, delivering information that’s consistent and of practical use to customers and employees. They must have a clear understanding of what actions to take now and what to expect in the future. It would be a good idea to centralize communications; that is, to appoint internal and external spokespeople and forbid anyone else from performing this role.
Communicating information security matters to senior management is a rather time-consuming and not always rewarding task, so these five messages are unlikely to be conveyed and taken to heart in just one or two meetings. Interaction between business and information security is an ongoing process that requires mutual effort to better understand each other. Only with a systematic, step-by-step approach, carried out on a regular basis and involving practically all executives, can your company gain the upper hand over competitors in navigating today’s cyber-scape.