For every new cybersecurity technology that’s developed, it’s only a matter of time before cybercriminals figure out how to get around it. Today, strong executives must be knowledgeable leaders who understand, and prioritize, cybersecurity while demonstrating their commitment.
What Executives Need to Know
In the early days, protecting your business from a cyber incident was all about protecting your data. The worry was that personal information would be leaked, customer lists would be stolen, or credit card information compromised. While these are still issues today, cybersecurity is about much more than simply protecting data.
Today, we’re dealing with digitized processes like connected industrial control systems, remote management of equipment, and linked supply chains with automatic ordering and fulfillment. As a result, poor oversight can mean more than paying fines because data was not protected.
Executives need to implement a cybersecurity strategy – and there are many security frameworks available to help. One of the best is the Cybersecurity Framework developed by the U.S. National Institute of Standards and Technology (NIST). It gives executives a good look into the elements of a cybersecurity strategy. Implementing a framework can prepare your organization for an attack and mitigate the after-effects if one occurs. The NIST framework covers five areas: Identify, Protect, Detect, Respond and Recover.
The key is to focus on risk, reputation, and business continuity in the event of a breach.
Seven Questions You Need to Address
To develop a cybersecurity strategy and put a framework in place, you need to understand how your business is managing your security efforts. Asking these questions will raise the awareness within your organization of the importance of cybersecurity, and the need to prioritize action.
- What are your most important assets, and how are you currently protecting them? While no business can be 100% secure, you need to make some difficult decisions. Important business assets need to be secured at the highest levels. Identifying what needs to be protected is the first step.
- What layers of protection have been put in place? A comprehensive plan is structured using multiple layers of defense, policies, procedures, and other risk management approaches. Identify which layers are in place and how each protects your organization.
- How do you detect a breach? You need both protection and detection capabilities. Since many breaches are not immediately discovered, you must know how to detect a breach and the resulting risk level.
- In the event of an incident, how will you respond? Although you may not be a part of the detailed response plan (that will be the responsibility of your IT team), you want to make sure that there is a plan in place. For example, in a ransomware attack, what is your policy regarding payment? Who alerts the authorities? What are your communication plans if your system is unreliable? While things might not go as planned, you need to have a plan in place BEFORE an incident occurs.
- What will management’s and your board’s roles be in the event of an incident? It’s crucial to delegate and designate roles before an attack. For example, the board needs to decide whether or not to pay any ransom requests, who will speak to your important clients, and who needs to participate in emergency meetings in the event of an incident. Practice your response.
- What are your recovery plans in the event of an incident? Many companies have not tested their recovery plans. There can be significant differences in recovery depending on the incident. You need to designate a point person and test your recovery plans for several potential scenarios.
- Are you investing enough? No business can invest enough for 100% security; however, you need to set a reasonable budget to guarantee you have the tools and staff to keep your business safe. Evaluate your current level of protection and risk tolerance before any new investments. Do this by simulating potential cyber attacks and conducting penetration/vulnerability testing.
As an executive, your task is to manage your IT team’s response to cybersecurity threats. While you don’t have day-to-day management responsibility, you have oversight and financial responsibility. Don’t put off important decisions about your company’s vulnerabilities. Take a proactive approach. The time to prepare is before an incident occurs.
About Atlantic, Tomorrow’s Office
Atlantic is an award-winning office technology and IT solutions company providing Imaging Products, IT Support, Document Management, Cybersecurity and Managed Services to small and large companies in the New York City metropolitan area, and the Greater Philadelphia and Delaware Valley.