Cyber Exercises Your Executives Should be Doing (But They’re Not)
Joe Kerfuffle, CEO of the large enterprise Widgets Inc., arrives at the office at 9am. He sits down at his desk and turns on his computer. To log in to the organization’s network, Kerfuffle types in his password – “12345.” Best to keep my password simple so I won’t forget it.
After logging in, a reminder pops up on the screen. It asks if he would like to enable two-factor authentication on this device. That just seems like a complete nuisance. He declines.
Kerfuffle checks his email. There’s a memo in his inbox from his cybersecurity team, proposing that Widgets do an annual cybersecurity exercise. Nobody here has time for that. He deletes the email.
Kerfuffle then looks at his CFO’s budget proposal for the next fiscal year. He sees a line in there for “cybersecurity training.” What a waste of time and money! Everybody here already knows how to use a computer. He crosses the line off the budget.
Kerfuffle then looks at his calendar. He’s got a quarterly cybersecurity briefing from his CISO scheduled for 11am. I never understand anything my CISO says, with all that jumbled jargon. I’ll just let the tech guys handle it. He tells his secretary to cancel the meeting.
A month later, Widgets’ databases are breached. More than 100,000,000 international customer records are stolen. The story makes the front page across major publications, including the New York Times, and dominates the news cycle for days. Kerfuffle and his team never respond to any of the coverage or the hundreds of media inquiries. An emergency board meeting is called. Soon thereafter, shareholders revolt and demand that heads roll. The board fires Kerfuffle, ending an otherwise flawless, five-year tenure at the top of Widgets.
A Cautionary Tale
Alas, Joe Kerfuffle doesn’t actually exist. He’s merely a cautionary tale – a fictional example of an executive who employs cybersecurity worst practices. But unfortunately, there are plenty of CEO’s like Kerfuffle out in the real world. Too many business leaders don’t take their cybersecurity responsibilities seriously, potentially putting their organizations, and their reputations, in peril.
Taking Action: Top 5 To-Do's
So how can you avoid the same unfortunate fate as Joe Kerfuffle, and dodge an induction into the cybersecurity hall of shame? Here are five cyber exercises your executives should be doing (but they’re not).
- Use stronger passwords. You hear it all the time, but your employees still haven’t changed their behavior. The two most commonly used passwords are still “123456” and “Password.” You and all of your employees need to use long (eight characters or more), complex (alphanumeric, special characters, mix of upper and lowercase, etc.) passwords and should be prompted to change passwords regularly (i.e., every 30 or 60 days). Refrain from reusing old passwords. You don’t want your team members using the same password for your organization's networks that they use for their personal Facebook accounts.
- Require multi-factor authorization. This would help to further protect your organization by mandating that your employees provide a second level of authentication in order to verify identity and gain access to your organization's systems. There are many solutions for multi-factor authentication, including sending a verification passcode to a cellphone, setting up a Time-based One-Time Password algorithm (TOTP), or even using biometric data. This makes the login process a little longer, but it’s well worth it to have an extra layer of security.
- Conduct an annual cyber breach exercise. Remember when you used to do fire drills in school? The idea was to go through the motions in preparation, so everybody knew what to do in case of an actual fire. This is a version of that for the cyber world. An annual cyber breach exercise, also known as a tabletop exercise, allows you to test your organization’s response to a major cyber crisis. Specifically, you’ll have an opportunity to outline roles and responsibilities, and spot any particular points of failure. When it comes to planning for breaches, practice makes perfect. By doing an annual cyber breach simulation, your organization will be prepared when it inevitably experiences a real cyber incident.
- Get a quarterly cybersecurity briefing from your CISO. This gives you an opportunity to address any new or developing cyber threats. It also allows you to discuss what steps the organization is taking to address potential risks. If you don’t understand any of the technical terminology, ask your CISO for clarification. Don’t fear cyber speak. The cybersecurity lexicon may sound a bit confusing, but once you get past the jargon, the risk management techniques will look familiar and become clearer.
- Invest in companywide cybersecurity training. Spending money on the snazziest security technology can only get you so far. Ultimately, the biggest source of cyber threats isn’t technology, it’s humans. Your workers are your greatest asset, but also your biggest vulnerability. Threat actors are skilled at exploiting people’s inherent trust in order to access systems and data. Thus, it’s important to train your workforce on cyber best practices. As an added benefit, training programs can help you make more informed purchases of cybersecurity tools. By getting a better understanding of your workers’ cyber strengths/weaknesses, and by gauging their feedback, you can select solutions that are most likely to benefit your business. Training programs will require an investment upfront, but they can pay off handsomely by mitigating costly cyber incidents.