Recent years have shown just how wide-ranging the impact of a cyber attack can be, particularly for large organizations. The FBI's most recent Internet Crime Report suggested the total losses for all reports it received may exceed $6.9 billion. Attacks can shut down global business operations, disrupt supply chains, prevent the delivery of important services like education, hinder law enforcement operations, and, in some cases, even lead to fatalities. It’s important not only to protect your business today but also to implement cyber security measures that help prevent future attacks.
Cyber attacks can also attract major media attention, meaning your security measures may be publicly scrutinized. There are other reputational implications, too: one recent survey found three-quarters of consumers would stop doing business with a company that suffered a breach that potentially compromised their data. Not to mention that the rise in cyber security breaches reflects an ever-growing national security threat, which could add further strain on relations between the United States and hostile nations.
The role of executives in cyber security
Yet, despite these business risks reaching far beyond information security, there is still a lack of consensus over how involved the C-suite should be regarding cyber security and their level of responsibility. For example, an (ISC)2 survey of executives about ransomware found only 28% believed the C-suite should be ultimately responsible.
However, the broad range of potential business disruption risks from an attack shows why cyber security should not just be the purview of the chief information security officer (CISO) and their team. Recently a CISO was jailed for not disclosing a massive breach.
As (ISC)2 makes clear:
- Cyber security professionals have a responsibility to inform and educate senior leadership about the threats of cyber attacks.
- All members of the C-suite have a part to play.
Discussing cyber security with the C-suite
Research suggests there is a strong desire from executive leadership for more communication from their cyber security team to help make more informed decisions about risk and budgets. When discussing how to protect your business from cyber attacks with your C-suite, it is useful to focus on specific business outcomes and think about how each executive is likely to view risks. While each executive is concerned about the overall health of your organization, they may want to prioritize certain security measures based on their role and area of responsibility.
As an example of how board members may see business risks differently, consider the broad range of impacts provided by executives when asked what their top concern would be if hit by a ransomware attack:
- Exposure to regulatory sanctions (38%)
- Loss of data or intellectual property (34%)
- Loss of confidence among employees (31%)
- Loss of business due to systems outage (31%)
- Uncertainty data wouldn't be compromised even after paying a ransom (31%)
- Reputational harm (31%)
- Remediation costs (30%)
- Loss of confidence in the organization's security (29%)
It’s also important to note that the 2022 DBIR showed that ransomware is up 25%.
Cyber security safety measures to protect your business
Of course, when discussing security measures with executives, you don't need to get into the weeds about frontline security measures—the email filters, anti-malware, or other software you're using to protect your data. However, there are some measures relevant to senior leadership that they need to know about in order to protect your business.
- Executive breach simulation. It's hard to know exactly how your organization will respond when a breach happens. That's why tabletop exercises and simulations are so important; executive breach simulations test your breach response with a mock attack. By seeing how your organization responds, you can identify gaps in your cyber security strategy.
- Rapid response retainer. As soon as a data breach is detected, your organization will want to respond as quickly as possible to oust the intruder and mitigate damage. A rapid response retainer means you'll have a team on-call to quickly contain an incident. Even if you've already got a security team in-house, a rapid response retainer brings in experts to help during emergencies and to develop proactive plans before an incident occurs.
- Industry-specific health check. As the Verizon 2022 Data Breach Investigations Report (DBIR) shows, not all industries face the same threats. For example, healthcare organizations are more likely to suffer insider breaches, while financial companies are subject to financially motivated crimes. An industry-specific health check provides a thorough analysis of your cyber security strategy and compares it to trending incidents in your industry.
- Benchmarking. What do your competitors' cyber security measures look like? What threats do your partners face? Benchmarking helps you understand what risks you're likely to face by comparing your safety measures to those of similar companies.
- Post-incident support. Containing an incident is only the first part of the data breach battle. Determining how your organization will respond after the incident is a crucial piece of your cyber security strategy. Post-incident support includes helping your organization manage all the things that come after a breach: financial loss, legal repercussions, regulatory issues, or brand damage. By engaging a team to support you, you'll be able to access professional preservation of evidence, expert testimony, and e-discovery support after a breach.
Investing in security measures that will protect your organization from breaches before you've been attacked is an important part of your business continuity plan.
Learn more about how Verizon can help you understand exactly what risks you face, and help protect your business by leveraging our more than 25 years of security experience.
The author of this content is a paid contributor for Verizon.