In today’s technologically driven business world, executives of every kind need to understand why cybersecurity matters and how to protect the organization from threats. These concerns used to be left to roles such as the CIO, CTO, CISO or the IT department; it is now the responsibility of executives across the organization to keep it secure and to lead by example for the rest of the team.
More than half of businesses that have fallen victim to data breaches are subjected to extreme levels of public scrutiny—with overall negative results.
- 29 percent of businesses that were breached lost revenue—38 percent of those lost more than 20 percent of their annual revenue
- 23 percent of businesses lost new business opportunities after a cyber attack
- 22 percent of businesses that suffered a cyber attack lost customers
Without a strong cybersecurity program in place, your organization is at risk of losing revenue, reputation and customers, which ultimately leads to a considerable drop in profitability. Even internationally known and well-regarded companies and executives aren’t immune from cyber attacks and their consequences: in December 2013, Target disclosed a breach in which attackers stole payment card data for roughly 41 million customers. The fallout included the resignation of the CEO and other senior leaders in 2014 and, in 2017, an $18.5 million settlement with 47 states and the District of Columbia.
With cybersecurity this critical, it can no longer be solely the job of the Chief Information Officer, Chief Technology Officer or the IT department to guarantee that an organization is secure. All members of an organization play a role in the continued health of its security posture, and none are more influential than executives: the example they set often becomes the standard for the company at large.
Types of Cyber Attacks
Raising cyber awareness throughout your organization—from the C-Suite to general staff—can help head off attacks before they occur. The first step in this process is understanding what the most common cyber attacks look like and who they’re most likely to target.
Malware is malicious software designed to compromise systems. It typically arrives when a user opens a malicious attachment or follows a link to a booby-trapped download, or when an attacker exploits an unpatched vulnerability in software exposed to the network. Examples of malware include:
- Spyware: Spyware infiltrates a user’s computer and silently collects internet usage data and other sensitive information, relaying it to advertisers, data brokers or external attackers. It can be used to capture credit card or bank details, as well as to steal a user’s identity.
- Ransomware: This type of malware holds a computer, or an entire network, hostage and demands money. It encrypts files (and increasingly copies them out of the organization first), then demands payment for the decryption key or for not publishing the stolen data.
- Viruses: A virus attaches itself to a legitimate program or file and lies dormant until that host is run, at which point it executes and copies itself into other files. It can sit on a computer for a long time without being noticed. Viruses most often arrive through downloads from the internet, peer-to-peer file sharing or email attachments.
- Worms: Worms replicate themselves across a network without any user action, typically by exploiting vulnerabilities in network-facing services, and can infect many computers in a short time. Beyond the damage their payload does, the scanning and replication traffic they generate can slow a network to a crawl. Unpatched, outdated systems and those without endpoint protection are the most common victims.
Phishing is a social engineering attack that contains fraudulent communications that seem to come from a trusted source. These attacks most frequently occur in email, attempting to trick people into giving away sensitive information or installing malware. Types of phishing include:
- Deceptive phishing: This is the most common form of phishing and what most people associate with the term. A message that appears to come from a recognized sender (a spoofed address, or an imposter masquerading as a familiar contact) reaches out to the victim to extract sensitive information. These emails usually ask the recipient to make a payment, re-enter protected information (e.g., a password or login), change a password or verify account details, typically through a link to a look-alike site controlled by the attacker.
- Spear phishing: Spear phishing is a more targeted form of deceptive phishing. It tricks the recipient into believing they have an established relationship with the sender by using full names, job titles, addresses, phone numbers or other semi-private information gathered beforehand. If the target then enters credentials on the attacker’s page or opens a malicious attachment, the attacker gains access to the user’s account or device.
- Whaling: Attackers engaging in whaling have bigger targets than the “fish” that make up a company’s general staff. Their focus is on executives and directors, who hold the authority to approve payments and have access to the most sensitive data; the closely related “CEO fraud” instead impersonates such an executive to pressure staff into wiring money. Whaling can be very effective when senior employees receive less security training than their lower-ranking counterparts.
- Phishing calls: Also called vishing (voice phishing), these calls involve phishers presenting themselves as a legitimate organization, such as a bank or credit card company, in order to obtain sensitive information. They will address their victims by name or reference their address to gain trust, then press for passwords, one-time codes or bank account numbers for “verification” purposes.
Phishing is one of the most common ways attackers gain an initial foothold in organizations worldwide. As such, ensuring employees have effective training on how to spot and report it is of the utmost importance.
Man-in-the-Middle Attack (MITM)
Also known as an “eavesdropping attack”, a man-in-the-middle attack involves an attacker intercepting and relaying messages between two parties who believe they are talking directly to each other. Once positioned in the conversation, the attacker can read, filter or alter the traffic and steal sensitive information. Typical footholds are a rogue or compromised WiFi access point, a poisoned local network (ARP or DNS spoofing) or a malicious proxy. Properly validated TLS (HTTPS) is the main defence, which is why browser certificate warnings should never be clicked through.
Distributed Denial-of-Service Attack
Distributed denial-of-service (DDoS) attacks overwhelm an organization’s servers or network links with a flood of traffic or requests from many sources at once, usually a botnet of compromised computers and devices. The aim is to exhaust bandwidth, connection tables or application capacity so that legitimate requests cannot be served. Motives include extortion (pay, or the flood continues), distraction from a simultaneous intrusion, or simple disruption. Because the traffic arrives from thousands of addresses, blocking individual sources is ineffective; mitigation usually relies on upstream scrubbing or CDN services and on capacity planning done before an attack.
Structured Query Language (SQL) Injection
Structured Query Language (SQL) is the language applications use to query and manage data in relational database management systems. A SQL injection occurs when an application builds a query by pasting untrusted input (a form field, URL parameter or cookie) directly into the query text, so that characters in the input are interpreted as part of the SQL command rather than as data. An attacker can use this to read data they should not see, bypass logins, modify or delete records and, on some database platforms, run commands on the server. The standard defence is parameterized queries (prepared statements), which send the query and the data to the database separately so that user input can never change the query’s structure.
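The following is an added example, not code from A-LIGN or from the original article, showing the difference between a vulnerable string-built query and a parameterized one. It uses Python’s standard sqlite3 module with a constructed in-memory database (the table names, users and the sample “secret” value are all invented for the demonstration). The first payload is the classic tautology that returns every row; the second uses UNION to pull data out of a different table entirely. The same two inputs are harmless against the parameterized version.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory database for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, role) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", "admin"),
            ("bob", "bob@example.com", "user"),
            ("carol", "carol@example.com", "user"),
        ],
    )
    # A second table the application never intends to expose (constructed data).
    conn.execute("CREATE TABLE secrets (name TEXT, value TEXT)")
    conn.execute(
        "INSERT INTO secrets (name, value) VALUES (?, ?)",
        ("api_key", "sk-constructed-0001"),
    )
    return conn


def lookup_vulnerable(conn, username):
    # VULNERABLE: untrusted input is spliced into the SQL text, so a quote
    # character in `username` ends the string literal and the rest of the
    # input is parsed as SQL.
    query = f"SELECT username, email, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    # SAFE: the driver sends the value separately from the query text, so the
    # database compares `username` as data and never parses it as SQL.
    query = "SELECT username, email, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Closes the string literal and appends an always-true clause:
#   ... WHERE username = '' OR '1'='1'
TAUTOLOGY_PAYLOAD = "' OR '1'='1"

# Closes the literal, appends a UNION that reads a different table, and
# comments out the trailing quote the application adds:
#   ... WHERE username = '' UNION SELECT name, value, '' FROM secrets --'
UNION_PAYLOAD = "' UNION SELECT name, value, '' FROM secrets --"


def demo():
    """Run both lookups against an honest input and the two payloads."""
    conn = make_db()
    return {
        "vulnerable_honest": lookup_vulnerable(conn, "bob"),
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        "vulnerable_union": lookup_vulnerable(conn, UNION_PAYLOAD),
        "parameterized_honest": lookup_parameterized(conn, "bob"),
        "parameterized_tautology": lookup_parameterized(conn, TAUTOLOGY_PAYLOAD),
        "parameterized_union": lookup_parameterized(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running the script shows the vulnerable lookup returning all three users for the tautology payload and the constructed API key for the UNION payload, while the parameterized lookup returns exactly one row for “bob” and nothing for either payload. Escaping quotes by hand is not an acceptable substitute; use the driver’s placeholder mechanism for every value that comes from outside the application.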
The Role of the C-Suite in Cybersecurity
The executive suite of an organization is held to high standards—and their role in cybersecurity is no exception. Just as they are expected to lead their own departments with integrity and decisiveness, so too must executives take a stance on company-wide cybersecurity measures.
Executives need to understand and approach cybersecurity as a company-wide risk management issue, not just an IT issue
While IT and security teams design and implement the organization’s security controls, the task of ensuring the rest of the organization understands how to operate securely within those controls falls to executives. Expressing the importance of risk management and leading by example can head off breaches before they occur.
Executives should understand the legal and regulatory implications of cyber risks as they relate to their company’s specific circumstances
With responsibility comes accountability. A lack of awareness of legal regulations regarding cyberattacks can be a professional disaster. Due to their high status within their respective companies, many executives are being held accountable for high profile breaches—the recent data breaches at both Target and Equifax resulted in both CEOs resigning—even if they weren’t the individual responsible for the breach. All members of the executive team should receive up-to-date training regarding current legal requirements as a key part of their roles as cybersecurity leadership.
Executives should set the expectation that management will establish an organization’s risk management framework with adequate staffing and budget
The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which the NACD Director’s Handbook on Cyber-Risk Oversight points to as a reference, was specifically created to enable “organizations—regardless of size, degree of cybersecurity risk or cybersecurity sophistication—to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.” Using it as a starting point can help any organization craft an effective and efficient cybersecurity risk management program.
Executive-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach
This requires an understanding of the relative significance of organizational assets in order to determine the frequency by which they’ll be examined for risk exposures. Having an executive team member—outside the IT department—with significant experience or training in cybersecurity can be a boon in this endeavor. Properly identifying and safeguarding against risk is no easy task—it will need to be a team effort to be as beneficial as possible.
Cybersecurity Measures Your Organization Should Take
There are a number of procedures executives can implement in order to best prepare their organization to handle any potential cyber risks or attacks. While none can absolutely guarantee the complete elimination of cyber risk, having such protocols in place can greatly lower the chance and severity of attacks.
Create a dedicated insider threat role
While executives may serve as leaders when it comes to the state of cybersecurity within their organizations, it’s unrealistic to expect them to be the point person charged with its constant monitoring. A dedicated insider threat professional can bring together the cross-departmental teams needed to quickly detect, investigate and respond to insider threats when they occur. This individual can also proactively assemble policies and tools to prevent insider threats before they occur.
Conduct phishing simulations
Phishing remains among the most prevalent and pervasive forms of cyber attack. Raising employee awareness about what these attacks look like, and running periodic phishing simulations that measure how many people click versus how many report the message, helps prevent future attacks. Treat the results as a training signal rather than a reason to punish individuals; a culture in which staff readily report suspicious messages is the real goal.
Educate all employees on cybersecurity policies for remote work and business travel
With remote work on the rise, educating employees on proper out-of-office cybersecurity policies is key to preventing easily avoidable breaches. Seventy-seven percent of employees surveyed admitted to connecting to free public WiFi networks on their corporate computers and phones. Such networks are often unencrypted and can be run by anyone, including an attacker, which exposes the organization’s devices and traffic to interception. Offering a refresher on travel and remote work policies, and requiring a company VPN or otherwise ensuring that all traffic uses TLS, can reduce the chances of employees unthinkingly connecting to hostile networks.
Prioritize employee privacy
Data privacy awareness and sensitivity are at an all-time high. Given the growing body of state, federal and international regulation, such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), data privacy is more of a business imperative than ever. An easy step toward prioritizing employee privacy is to anonymize or minimize the data collected about staff in an insider threat capacity, and to communicate clearly about how and why cybersecurity policies affect their privacy.
Create a cybersecurity awareness training program
Given that two out of three insider threat incidents are caused by employee error, investing in a cybersecurity awareness training program is key to any organization’s continued success. According to research from the SANS Institute, eighty-five percent of cybersecurity awareness professionals reported that their work had a positive impact on the security of their organizations. Giving employees the tools they need to become advocates and active participants in cybersecurity measures lends to an organization’s benefit.
Enforce the use of a password manager, single sign-on and multi-factor authentication features
Despite heightened awareness about the importance of strong passwords, the use of weak or reused passwords is still widespread among employees. Training on how to create strong, unique passwords (long passphrases rather than short, complex strings) helps employees protect their own and the company’s data, and a password manager removes most of the burden by generating and storing a different password for every account. Single sign-on (SSO) reduces the number of passwords in circulation, and multi-factor authentication (MFA) limits the damage when a password is stolen anyway; where possible, prefer phishing-resistant methods such as FIDO2 security keys over SMS codes.
Audit privileged access
Auditing how many employees have access to sensitive systems and data reduces the number of accounts an attacker can exploit. Do all of the current users truly require that access? Periodic access reviews, time-limited or just-in-time privileged credentials and a deprovisioning step in the offboarding process help remove access from users who have left the organization, changed roles or simply no longer work on tasks that require administrative rights.
Perform penetration testing on the cybersecurity system
Penetration testing helps organizations identify and understand their information security vulnerabilities in a clear and concise manner. Adaptable to any organization’s needs, penetration tests can be performed in multiple forms (external, internal, web application, social engineering) to best flush out areas of weakness. Recurring testing also helps satisfy compliance requirements: several standards, PCI DSS among them, require periodic penetration tests.
Effective cybersecurity begins at the top of an organization. The benefits of executives involving themselves in the creation, implementation and execution of their organization’s cybersecurity procedure are numerous and long-lasting.
How A-LIGN Can Help
Staying vigilant, being aware of current threats and protecting yourself with the latest defense tactics are important. A-LIGN’s experience and commitment to quality can help your business achieve the cybersecurity goals it is seeking, thanks to our comprehensive suite of cybersecurity services.
Are you ready to strengthen your organization’s defenses? Contact A-LIGN at 1-888-702-5446 to speak with one of our cybersecurity professionals.