Critical Questions CEOs Need To Ask When Evaluating Cyber Security Risks

The number of cyber attacks has continued to increase exponentially. In fact, the FBI reported that since January 1, 2016, the number of cyber attacks using ransomware has risen to more than 4,000 daily attacks. Evolving technology and an increasing dependence on digital communications have created higher risk factors for businesses of all sizes. To effectively evaluate their cybersecurity risks, CEOs need to ask a few critical questions.

CEOs & Cybersecurity

Understanding The Cyber Security Landscape

Much like addressing any boardroom problem, CEOs need to ask the right types of questions if they are to effectively map out their cybersecurity defense system. A failure to effectively implement cybersecurity best practices can not only lead to stolen business files, but it can cost the company millions of dollars. In fact, in 2018 the average cost of a data breach increased by 6.4 percent from 2017 to reach $3.86 million. To avoid this hefty cost, CEOs should ask their IT teams the following questions.

  1. What critical information could be stolen during a cybersecurity attack?
  2. Who is authorized to access mission-critical information?
  3. Is our business involved in any type of information sharing? For example, are other companies or outside consultants allowed to remotely access the networks where critical information is stored?
  4. What security measures are already in place to avoid ransomware attacks? For example, have employees been trained on cybersecurity best practices and is two-step authentication used for all digital communications?
  5. How many threats does the business receive on a daily basis? Secondly, what are the identified areas of strength and weakness, and how can cybersecurity policies be enhanced?

The next series of questions will help CEOs to better understand specific risk levels.

  • What is the identified current level of cybersecurity risk?
  • What is the protocol when a cybersecurity risk is a) identified, b) escalated, and c) resolved?
    • Are lessons learned implemented so that the specific type of cybersecurity risk can be mitigated in the future?
  • How is the cybersecurity plan designed to mitigate insider threats (e.g., when an employee accidentally opens a corrupted file containing ransomware)?
  • Does the business continuity and disaster recovery plan include the potential for cybersecurity incidents?
  • Are best practices being implemented and is the cybersecurity plan up to industry standards?
    • Is the business prepared to effectively work with local, state, and federal government cyber incident responders/investigators in the event of a cybersecurity breach?

The goal of these questions is to help CEOs effectively evaluate and manage their company’s specific cybersecurity risks. For example, by identifying which critical assets would be most impacted by a cybersecurity attack, CEOs can best prioritize how to protect these particular entities by allocating resources and developing the policies and strategies needed to manage the heightened cybersecurity risk areas. In short, the goal of asking and answering these questions is to establish a “what if” environment rather than an “it won’t happen here” mentality, which can not only create a sense of false security but can also cause costly data security lapses.

How CEOs Can Implement Cyber Security Best Practices

As they answer the above questions, CEOs should also look to create a cybersecurity environment that leverages best practice approaches. In fact, by answering the above series of questions CEOs will be taking the first step needed to develop a robust cybersecurity plan. By elevating cybersecurity risk management discussions with not only the IT department but also with leaders from each department, CEOs can ensure that best practices are implemented across the company. After all, when it comes to cybersecurity, a company is only as strong as its weakest link, which in many cases is an employee who doesn’t follow the security guidelines.

The next step that CEOs should take is to ensure that the new cybersecurity plan adheres to industry standards. Instead of merely relying on compliance certifications and standards (which often represent the “bare minimum cybersecurity protocols” that a company should implement), CEOs should turn to industry best practices. For example, CEOs should ensure that they meet the guidelines outlined in the Federal Information Security Modernization Act, that they follow the insights provided by top organizations, and that they create a proactive environment focused on consistency.

Finally, CEOs should ensure that any and all cybersecurity risk metrics are a) useful, b) measurable, and c) meaningful. In this vein, a useful metric would be to measure how long it takes for the IT department to patch an identified vulnerability. If the number of days it takes to create the patch decreases, then it shows that the cybersecurity risk is being lowered. However, if the number of days it takes to create the patch increases, then the company is being placed at a higher risk. If the threat continues to increase, then a weakness in the company’s cybersecurity has been identified and should subsequently be addressed.

It is equally critical that companies test their entire incident response plan. As seen through the previous example, the trickle-down impact of a cybersecurity weakness can lead to costly results. By examining the incident response plan across the entire company, CEOs can ensure that both minor and large-scale cybersecurity incidents will be effectively resolved using industry best practices. In this vein, CEOs should evaluate in a mock cybersecurity incident how the department leaders, employees, and IT respond. After all, the best incident response plans and cyber security tools are only as good as a) the people using them and b) the people reviewing them. If the entire company is not dedicated to implementing cybersecurity best practices, then the organization will remain at a higher risk level.

The Bottom Line: CEOs Need To Remain Prepared Against Existing And Emerging Cyber Security Threats

It’s no secret that new cybersecurity threats appear every day; however, when CEOs fail to create a “what if” approach to cybersecurity, they are leaving the doors open for an unwanted digital invasion. Through employee education, asking the right questions, and implementing the best practices approach, CEOs can shore up their cyber security and keep critical data assets safe from threats. In conclusion, CEOs need to remain proactive in their approach to cybersecurity by leveraging the skills of industry experts and becoming a part of the more significant security conversation to ensure that their business and those that they exchange information with remain secure in the coming year.
