Executive involvement is a critical component of any organization’s cybersecurity. Why? The IT department may not know which data would have a critical impact on the business if it were lost or exposed. IT can recommend security controls, but may not have the financial information needed to compute Return on Investment (ROI), or know the level of risk tolerance the executive team/Board is comfortable with. It also stands to reason that if cybersecurity is not important enough to the organization for C-level involvement, other staff may view it as not important to the business.
There are 10 key areas that every C-level executive should be aware of to ensure that their cybersecurity is aligned with the business goals, risk tolerance and financial realities:
- What data is most critical to your business? Financials, customer lists, pricing models – some of it seems obvious, but what other files does the C-Suite rely on that IT might not be aware are critical? Are critical files stored in email? If so, is that properly protected, and what controls are in place to prevent accidental exposure of the information (especially if it could include protected data such as financial or health records).
- What compliance requirements or best practices does the business use for cybersecurity? If your business falls under HIPAA to protect health data or PCI for credit card records, you have a framework of requirements to follow, but if not, aligning your cybersecurity program to a known framework like the National Institute of Standards and Technology Cyber Security Framework (NIST CSF) helps make sure you don’t miss any critical components and can protect you in the case of litigation as being a “reasonable” standard of care.
- How do you know you are following compliance requirements/best practice guidelines? Are you 100% reliant on the internal IT staff or 3rd party IT support company who implements and runs the solutions to also validate that they are meeting compliance or cybersecurity guidelines? If so, do these folks have the proper training to do the validation? For example, the PCI Self-Assessment Questionnaire or the Attestation of Compliance for NIST 800-171 for Defense subcontractors are signed by executives who, by signing them, are taking responsibility for knowing that the information is accurate.
- Do you have “least privilege” controls in place for sensitive data? A summer intern or part-time volunteer likely should not have access to critical data, but even long-term staff should only have access to the data they need to perform their functions, to minimize the potential attack vector and the risk of exposure through human error. Is the data so sensitive that it should have additional protections to prevent file copies or screenshots? A gourmet popcorn manufacturer lost their secret recipes this way, resulting in millions of dollars in damages.
- How do you provide cybersecurity awareness and messaging about the importance of the entire team to be vigilant? Annual online cyber training is great, but do you have a clear process for staff to report suspected threats, suspicious emails or behavior, and do you reward folks with praise or other incentives to do so?
- How do you budget for cybersecurity? Do you allocate a percentage of revenue, or rely on IT staff or an outside IT provider to make requests as needed? Is this enough or too much? If you know what data needs protecting, you can run some quick calculations on potential breach costs and use that, along with the business risk tolerance, to make budget decisions.
- How would an incident be detected in your network? The sooner you are aware of a potential incident, the better the chances to stop it or at least minimize the damage.
- What resources do you have to respond to incidents? Whether a threat is detected by a technical control and requires investigation or a staff member comes in and admits that they just accidentally sent out a list of employee social security numbers via email, how do you know what steps need to be taken, who needs to be notified, and most importantly what NOT to do to make the situation worse?
- Do you have a business continuity plan (BCP) in the event systems are taken offline by ransomware, staff cannot access the physical building (as in COVID-19) or a critical piece of hardware fails?
- Is your cyber insurance policy sufficient? When you answer question 1 and know what you need to protect, and look at question 6 to calculate potential breach costs, do you have enough coverage? Would you have the funds to cover the deductible? Are there exclusions for regulatory fines, notification costs, or litigation that could result in a much bigger loss than anticipated?
The more informed your executive team is in these 10 areas, the more confident you can be that you are carrying out your duty to protect the business with appropriate measures and budget.