Cybersecurity and the C-Suite: What You Need to Know
We’re only human, which means the National Cyber Security Alliance cuts us a little slack when it comes to our inability to recall 30 passwords for different personal and professional log-ins, says Russ Schrader, executive vice president of NCSA, a nonprofit dedicated to educating the public about internet safety and security.
But when it comes to cybersecurity, no one gets a hall pass.
Schrader says business leaders need to look no further than the front page of the Wall Street Journal or New York Times to see why everyone in an organization should make cybersecurity a priority. It appears that every week another security breach makes the headlines—from Target to Home Depot—and it’s when companies don’t realize that cybersecurity is a concern for everyone, not just the IT department, that these breaches are more likely to happen.
“Take the Target breach,” says Schrader. “The hackers supposedly accessed information through the HVAC contractor. An HVAC contractor’s main concern is ensuring the heating and cooling systems are functional, not cybersecurity. But it’s this type of oversight when breaches occur.”
Matthew Kellam, partner at law firm Laner Muchin, says that everyone in an organization must understand the catastrophic nature of a security breach. He says that while many breaches compromise employee or customer information, there are many types of data that can be accessed.
“If you’re in the food industry, for instance, and your products and ‘secret’ ingredients are critical to your trademark, that information could suddenly be out in the public,” says Kellam. “Hackers could also get their hands on customer lists, which is possibly the most valuable information relating to the business.”
Ken Anderson, vice president and business information security officer at Equifax Workforce Solutions, says that security threats evolve every day and have expanded to impact both businesses and individuals.
“When the Ukrainian power grid was attacked in 2015, it left nearly 3 million people without heat or power in the middle of winter,” he says. “The Yahoo! security breach didn’t just impact its sale to Verizon, it also compromised 3 billion user accounts, including passwords, email addresses, and security questions and answers.”
At Equifax Workforce Solutions, Anderson develops relationships with customers to understand and improve their security experience, as well as with the security team, HR and other senior leaders throughout Equifax. This unique position allows him to help the C-suite understand why cybersecurity is everyone’s job and how they can assist security teams both on-site and in their personal lives by practicing proper cybersecurity habits at work and at home.
Jeremy Bergsman, practice leader at professional-services company Gartner, says that over the past five years, he has seen executives take an increased interest in improving security measures. However, he says, 95 percent of all attacks occur because of a failure on a basic level.
“Most breaches happen when people are doing the right thing,” says Bergsman. “Strong anti-malware is in place, systems are configured properly, but one small thing may have been forgotten. It’s that small, basic measure that significantly increases the chances of an attack.”
Bergsman adds that every business decision has an equal or greater risk implication. For example, HR is responsible for purchasing HCM systems, which contain confidential employee and company information. HR leaders must ensure that they make informed purchasing decisions and should speak with chief security officers to help finalize the choices.
From there, says Bergsman, keep it simple.
“Complexity is the enemy of security,” he says. “Everything you do to keep things simple makes the company more secure.”
A simple mnemonic device for remembering what’s most important is the three Ps, says NCSA’s Schrader: patches, people and passwords. Ensure all equipment is regularly updated and patched, determine who has access to what (track access and implement password-protection or sleep mode on computers) and change up passwords, he says.
Bergsman cautions that chief security officers and CHROs shouldn’t fall back on once-a-year training or once-a-year password changes as sufficient cybersecurity protocols.
To ensure that security becomes a top-of-mind objective for everyone within a company, he says, there needs to be frequent, informal communications such as newsletters, posters and content on the company intranet. It should also be built into employee goals and onboarding.