Top executives already face tremendous pressure to reach financial goals and hire and maintain productive employees, in addition to a long list of other priorities. Now, they must also contend with the big cybersecurity bullseye on their backs and in their online activities.
Cyber criminals target executives because they hold the key to a treasure trove of sensitive and valuable company data. But because leaders are busy, they have little time to consider their digital risk and what they need to do in order to prevent a breach.
For example, some executives forget that even though their social media accounts might be private, if they make comments on public groups, they are potentially revealing information about themselves that could be used to hack their accounts.
Fortunately, they have you – their trusted security manager – to inform them of the dangers of cyber communication. Take the initiative to train your executive team (and their PAs) about the cyber threats and the steps they can take to secure their accounts. They'll appreciate your help, and you'll possibly save your company from a damaging breach.
More Digital Use Leads to Increased Risk
People are online more than ever. Consider that every minute, more than 300,000 Twitter tweets are sent, 300 hours of video are uploaded to YouTube, more than 4 million Facebook posts are liked, and 1.7 million Instagram photos are liked, according to research by CyberInt.
This heavy engagement has a price: People are largely unaware of phishing, social engineering and other types of cyber attacks that accompany their increasing use of digital tools. For executives, this relative lack of awareness makes them even more susceptible to cyber crime because they are prime targets. For example, cyber criminals use social engineering to trick people into thinking they are on a brand's official social media page, and then get them to click on a link that surreptitiously delivers malware.
All an astute cyber criminal has to do is read a recent survey of the U.K.'s 300 largest firms to find their next victims. Two-thirds of these company boards haven't received the appropriate training to deal with a cyber incident.
Despite these constant threats, top decision makers don't have the ability, or the time, to assess the impact of breaches and their enormous costs. Quite simply, breaches aren't a priority. No executive should be unaware of these growing and evolving cyber threats. Their jobs and the longevity of their companies depend on awareness and vigilance.
Here are five things to discuss with your executive team to ensure your company deflects these threats and that your executive team does not act as an attack vector into your business.
Step 1: Understand the Consequences
The consequences of a cyber attack are steep. First, business as usual stops, with servers temporarily shutting down, emails halting, and work being delayed as your company focuses on post-breach analysis and recovery. You may also be a victim of industrial espionage, in which case the secrets that led to your success are now on the open market for all to see, damaging your competitive advantage.
And if that isn’t enough, your business could be subjected to regulatory fines for not protecting sensitive customer data. Regulations that ensure the protection of data -- including the EU’s General Data Protection Regulation (GDPR) and the U.S. Health Insurance Portability and Accountability Act (HIPAA) -- impose steep fines for such failures.
You don’t have to look far to find organizations that could face serious consequences for data breaches. The accounting firm Deloitte was hit last year by a sophisticated hack that compromised the confidential emails and plans of some of its blue-chip clients. Also last year, the personal data of 143 million customers of the credit monitoring agency Equifax were accessed or stolen in a massive hack. It was the second time in 2017 that Equifax was breached, and the details are still emerging.
Step 2: Know the Costs of a Breach
The average total cost of a data breach is a staggering $3.62 million, according to a 2017 IBM-Ponemon Institute study. But there are many hidden and unexpected costs after a damaging breach as well. For instance, your company may lose value as relationships with customers break down and they let contracts lapse. Operations will slow or be halted. Insurance premiums will rise. It will cost more to raise debt.
There are also a multitude of "incident triage" costs, including notifying all affected parties, investigation and remediation, identity and credit monitoring, security improvements, attorney fees and possible regulatory fines. In short, expect to pay a lot of money and spend a lot of time cleaning up the mess. More importantly, even if you have cyber insurance, it covers only 2-6% of the damage.
Step 3: Create a List of "Dos" and "Don'ts"
If company leadership hasn't yet created a clear and comprehensive cyber security policy, tell your boss it's long overdue. Leadership should have an understanding of what they should do and not do to protect digital assets.
First, executives must take larger steps to foster proper cyber security throughout the organization. Appoint an executive to lead cyber initiatives in the company: someone who will be diligent in the mission and clear to employees about the steps they can take to improve security. Run tabletop exercises to see how attacks can unfold, and prioritize cyber security as a business enabler by having a cyber security firm regularly brief the executive team on the latest hacks and spoofs.
There are also tactical “dos” and “don’ts” that executives should never forget in order to tighten their online security. "Dos" should include limiting administrator access to only the personnel who require it, so that important data isn’t open to all; creating strong, hard-to-guess passwords; and using two-factor authentication wherever possible. "Don’ts" should include: don't trust unexpected links, attachments and other hidden doors to phishing and other cyber scams; don't rely solely on antivirus protection; and don't stop learning about cyber security, because threats constantly evolve.
Step 4: Plan Accordingly for the Inevitable
No matter how well your company approaches cyber security, it will eventually get hit. That's why it's important to have an incident response plan in place for the inevitable cyber incident.
After determining the scope and severity of the breach, you’ll want to notify customers immediately, and be ready to provide details on how they were affected and what you're doing to mitigate the damage.
Executives need to stay on top of every aspect of the breach reaction. Be prepared to address the media, shareholders and customers when the time comes to give a full appraisal of what transpired and what steps your organization is taking to ensure it won’t happen again. We’ve created an instructive “Post incident presentation” with ready-to-use slides that you can present when talking about the breach with your executive board. Also, don’t hesitate to ask for outside help in case the breach is too extensive to mitigate.
Executives have access to your “crown jewels" – all of the important, valuable data that defines your company. Training your bosses on the digital risks they face, as well as the risks the company faces, will keep them vigilant and prepared.