While it may be tempting to leave the complex, mysterious world of cybersecurity to “the experts,” business leaders cannot fall back on that handy escape hatch any longer. They need to be aware and involved, even to the point of elevating cyber reporting to the CEO directly. According to the federal Cybersecurity and Infrastructure Security Agency*, here are some practical steps that leaders would be wise to follow:
CEOs should ask the following questions about potential cybersecurity threats:
- How could cybersecurity threats affect the different functions of my business, including areas such as supply chain, public relations, finance, and human resources?
- What type of critical information could be lost (e.g., trade secrets, customer data, research, personally identifiable information)?
- How can my business create long-term resiliency to minimize our cybersecurity risks?
- What kind of cyber threat information sharing does my business participate in? With whom does my business exchange this information?
- What type of information sharing practices could my business adopt that would help foster community among the different cybersecurity groups where my business is a member?
What can CEOs do to mitigate cybersecurity threats?
- Elevate cybersecurity risk management discussions to the company CEO and the leadership team. Executives should construct policy from the top down to ensure everyone is empowered to perform tasks related to reducing cybersecurity risk.
- Implement industry standards and best practices rather than relying solely on compliance standards or certifications. Compliance standards and regulations (Federal Information Security Modernization Act) provide guidance on minimal requirements. Businesses should strive to go beyond the minimum, however.
- Evaluate and manage organization-specific cybersecurity risks. Ask the questions necessary to understand your security planning, operations, and security-related goals.
- Ensure cybersecurity risk metrics are meaningful and measurable. For example, reducing the days it takes to patch a vulnerability to directly limit risk to the organization.
- Develop and exercise cybersecurity plans and procedures for incident response, business continuity, and disaster recovery. It is critical that organizations test their incident response plans across the whole organization, not just in the IT environment.
- Retain a quality workforce. It is important to have people who can identify the proper tools for your organization, since new cybersecurity threats are constantly appearing.
- Maintain situational awareness of cybersecurity threats. Subscribe to notifications on emerging cybersecurity threats (e.g., National Cyber Awareness System products, MITRE Common Vulnerability Exposures, CERT Coordination Center Vulnerability Notes) and subscribe to the Homeland Information Sharing Network.
Of course, making sure your cybersecurity insurance coverage is sufficient and current remains vitally important, as well. The professionals at Evergreen Insurance can help.
* https://www.cisa.gov/tips/st18-007
Copyright 2023 Evergreen Insurance
Evergreen Insurance provides these updates for information only, and does not provide legal advice. To make decisions regarding insurance matters, please consult directly with a licensed insurance professional or firm.