A Note to CEOs – The Cyber Crisis in Your Future
A Note to CEOs – It Can Will Happen to You
I recently read a short article on how well US, UK and Japanese CEOs understand what it takes to prepare for and respond to a cyber breach. The bottom line of the article is that they don’t!
“Ninety percent of the 1530 CEOs interviewed did not truly grasp the magnitude of the threat, did not understand their company’s cyber-security preparations, and did not understand their company’s plans to respond to an actual cyber breach.”
Appallingly, forty percent of the CEOs did not even think it was their responsibility!
Some basic facts:
- Every company, organization and person is the target of hackers
- Every 12 seconds (24/7/365), there is a cyber attack on a company in the U.S.
- Your IT security team must succeed 100% of the time 24/7/365 – forever. One failure and you have been breached.
- Two thirds of all cyber breaches are caused by your employees (including you) because:
  - They don’t update their software as your IT team almost certainly urges them to do
  - They don’t pay attention to the basic cyber security tenets your IT team publishes (e.g. don’t use “PASSWORD” as your password)
  - They don’t password protect access to their computer, or they don’t routinely turn it off or put it to sleep when they leave their desk
  - They allow access to their computer by a colleague, or (worse yet) a visitor
  - They open emails from unknown senders (one in three employees do this)
  - They click on links within suspicious emails (one in eight employees do this)
- An actual cyber breach is not just an IT security problem (they have already done their best) – it is a business problem, a liability problem, a PR problem, and (increasingly) a legal problem.
As the CEO, you are responsible for your company, including cyber security and cyber breach response – just as you are responsible for revenue and earnings. The buck does stop at your desk.
Since, as the CEO, you are almost certainly not the cyber-security or cyber-breach expert, what do you do? The same thing that you do for all of your other responsibilities – you find an expert and delegate authority and responsibility for cyber security and cyber-breach response to those experts. It is important to emphasize again that cyber-breach response is not an IT problem. It is a business problem, so you should not automatically delegate cyber-breach response to the IT or cyber-security folks. Pick the right person, empower her, support her and resource her.
It is irresponsible to behave as though your company will not be cyber attacked or that your cyber defenses will never be penetrated. A rapid, transparent and well-conceived response to a cyber breach can enhance your company’s reputation rather than damaging it. The failure to be prepared for such a breach will damage and may destroy your company’s reputation.
Predict your vulnerability to cyber attack – this is easy. You are vulnerable.
Plan your response to a cyber breach – as a business issue and not only a security problem.
Enhance your ability to Perform by exercising your cyber-breach plan regularly.