The C-suite in any organisation is entrusted with the responsibility of spearheading innovation, progress, and company direction. Additionally, C-level executives hold a greater responsibility in maintaining the security of their network. Hackers believe senior executives are the weakest link in an enterprise network, often falling prey to fraud and phishing scams.
In the current digitally advanced era, it is imperative for senior executives to develop a solid foundation of security realities to ensure the organisation is prepared to detect and defend against cyber threats at all times. However, certain myths around cybersecurity, which C-level executives should take seriously, could prevent them from safeguarding the enterprise effectively.
Here are six such myths and healthy workarounds that can help decision-makers defy them.
Myth 1: Security defences don’t have to be very expensive
A CEO and Board Risk Management Survey by Deloitte highlighted that 95% of CEOs believe their enterprises will face severe threats and disruptions to their growth prospects in the next couple of years — with disruptive technologies and cyber incidents being the two greatest threats. However, many leaders still utilise traditional approaches, tools, and technologies to detect and manage risks.
Investments and budgets allocated to cybersecurity are quite low when compared to the magnitude of potential damage — reputational and financial — that a cyberattack can result in. Yet, many executive-level managers are sceptical about investing in security defences. It’s time they changed the mindset that higher investment in cybersecurity simply means a larger expense on the balance sheet. The C-suite must realise the need for sophisticated cyber defence methodologies to counter and prevent threats. Instead of focusing discussions on the amount spent on cybersecurity, they should revolve around utilising cybersecurity investments intelligently.
Myth 2: Security cannot and should not be outsourced
While some enterprise leaders believe security is too expensive to be outsourced, a few others feel outsourcing could result in non-compliance with state or country regulations. Still others feel cybersecurity is a sensitive area that has to be managed in-house. As far as regulatory compliance is concerned, data protection mandates do not prevent outsourcing. When done in a controlled manner, with all underlying service agreements signed and liability clauses in place, outsourcing will not just be legal and compliant but will also offer better defence in a cost-effective way.
IT security is more affordable and flexible when entrusted to the cybersecurity experts. Choosing the right security partner is critical. Firms with expertise in niche security skills will be able to streamline processes efficiently and ensure proactive monitoring against all incoming threats. Such firms are not only successful in identifying and hiring the best cybersecurity talent but are also able to retain the recruited security experts—by motivating them with opportunities for cross-skilling, upskilling, and working across technologies and horizontals.
Myth 3: Adherence to IT and cyber regulations equals 100% fool-proof cybersecurity
Developing such a mindset is one of the most expensive mistakes that decision-makers commit. While compliance with government and industry regulations is critical in carrying out business and building trust with partners and customers — it is the bare minimum. It only means that the enterprise has checked the first box with regard to cybersecurity.
Compliance can reduce reputational damage to a certain extent when an organisation is entangled in litigation following a cyberattack, but it does not promise adequate security. A robust incident response plan is required to avoid the attack itself. Defining the right strategy to protect an organisation’s high-value assets is the responsibility of the leadership team, over and above its regulatory compliance responsibilities.
Myth 4: Controls? Implemented. Patches? Up-to-date. Hence, my organisation is completely safe
CEOs need to understand that controls implemented once do not protect an enterprise forever. They need constant auditing, reviewing, refreshing, and upgrading to keep the enterprise protected from various threat vectors. In today’s digitally advanced era, an enterprise network is loaded with a plethora of applications, firewalls, routers, servers and connected devices. Keeping every single component in this network patched and up to date is a massive, extremely critical task. Hence, relaxing after implementing basic controls and patches, and assuming that the enterprise is safe, is going to cost the enterprise dearly.
Permanent satisfaction is never a reality with regard to cybersecurity. Leaders need to understand the importance of keeping up with the trends of cyber defence. They should continuously monitor, audit, implement and embed security operations as part of the enterprise’s proactive defence strategy. Cybersecurity should become an essential element of board-level agenda.
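The point that controls and patches decay over time can be made concrete with a small recurring audit over an asset inventory. The following Python script is an added example, not code from the original article or any vendor it mentions: the inventory entries, the as-of date and the age thresholds are all constructed for illustration (a real policy would set thresholds per asset criticality), and the script flags every component whose last patch or last control review is older than policy allows, sorted so the most overdue items surface first.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    """One component in the enterprise network and when it was last maintained."""
    name: str
    kind: str
    last_patched: date
    last_control_review: date


# Constructed sample inventory (hypothetical hosts, not from the article).
INVENTORY = [
    Asset("edge-fw-01", "firewall", date(2024, 5, 2), date(2024, 1, 15)),
    Asset("core-rtr-02", "router", date(2023, 11, 20), date(2024, 5, 1)),
    Asset("crm-app", "application", date(2024, 5, 28), date(2024, 5, 20)),
    Asset("file-srv-07", "server", date(2024, 2, 3), date(2023, 9, 30)),
]

# Assumed policy thresholds (hypothetical): maximum days since the last patch,
# by asset type, and maximum days since the protecting control was reviewed.
MAX_PATCH_AGE_DAYS = {"firewall": 30, "router": 30, "server": 45, "application": 30}
DEFAULT_PATCH_AGE_DAYS = 30
MAX_REVIEW_AGE_DAYS = 90

# Constructed audit date used by the stand-alone run below.
AS_OF = date(2024, 6, 1)


def audit(inventory, as_of):
    """Return (asset, issue, days_over_limit) for every stale patch or overdue review.

    Findings are sorted with the most overdue item first so a reviewer sees the
    biggest gaps at the top of the report.
    """
    findings = []
    for asset in inventory:
        patch_limit = MAX_PATCH_AGE_DAYS.get(asset.kind, DEFAULT_PATCH_AGE_DAYS)
        patch_age = (as_of - asset.last_patched).days
        if patch_age > patch_limit:
            findings.append((asset.name, "patch_stale", patch_age - patch_limit))

        review_age = (as_of - asset.last_control_review).days
        if review_age > MAX_REVIEW_AGE_DAYS:
            findings.append((asset.name, "control_review_overdue", review_age - MAX_REVIEW_AGE_DAYS))
    return sorted(findings, key=lambda f: f[2], reverse=True)


def report(inventory, as_of):
    """Render the audit as plain text lines suitable for a board-level summary."""
    findings = audit(inventory, as_of)
    lines = [f"Control and patch audit as of {as_of.isoformat()}: {len(findings)} finding(s)"]
    for name, issue, over in findings:
        lines.append(f"  {name:<12} {issue:<24} {over:>4} day(s) past policy limit")
    if not findings:
        lines.append("  all components within policy")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INVENTORY, AS_OF))
```

Run on a schedule (weekly, for example) and fed from the real asset register, a check like this turns "patches up to date" from a one-time assertion into a continuously re-evaluated fact; the firewall in the sample shows why both columns matter, since its patch is exactly at the limit and passes while its control review is months overdue.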
Myth 5: Awareness programs are sufficient for employees to fight and prevent cyber threats
As threats and defences change constantly, the lack of a structured approach toward tackling these threats could disrupt businesses to an unimaginable extent. Once-in-a-lifetime or annual cybersecurity training and awareness programs are not going to be enough anymore. Imagine the magnitude of damage that can be caused when an employee accidentally opens a malicious link in a phishing email, uploads a client document to a public folder, or shares critical code with the wrong person. Today, social engineering attacks are one of the most popular ways to attack organisations in cyberspace, and such incidents can be avoided through regular cybersecurity awareness campaigns and phishing simulations.
Organisations with security-aware employees tend to be better poised to prevent and counter cyber threats. Regularly educating employees on the do’s and don’ts associated with cybersecurity—via e-mail campaigns, communication campaigns, employee awareness programs, specialised training programs for IT teams, etc.—gets employees to think twice before unintentionally putting data into the wrong hands.
Myth 6: My enterprise’s current insurance policy covers cyber insurance
71% of 105 CFOs surveyed by FM Global felt that they were adequately covered in the event of a cybersecurity incident, and 26% expected the cyber insurance provider to cover their losses in full. Assuming cyber insurance is included in the firm’s existing insurance policy is a common mistake. Most traditional commercial general liability policies do not cover cyber risks such as data breach response, liability and privacy fines. While signing up for insurance policies, decision-makers need to be fully aware of the extent of coverage. The firm’s current insurance policy may not cover fines to regulatory bodies or financial losses due to attacks.
Cybersecurity insurance needs to be chosen after careful evaluation—identifying the possible levels of threat, identifying the different types of penalty that could apply in case of an incident, and understanding which costs will be covered by the cyber insurance policy. It is crucial to opt for a cyber insurance policy that will cover a reasonable level of damage in case of an attack.
The way forward
We are in a digital era of sophisticated cybercrime and ransomware that makes cybersecurity a direct responsibility of the enterprise leadership team. Establishing a cybersecurity-aware culture across the enterprise is possible only when CEOs and other C-level executives are themselves aware of the firm’s current security posture and risk appetite, understand the potential threats unique to the organisation, and are continuously looking for ways to strengthen the company’s security posture. As cyber threats continue to advance to new levels, it is crucial for leaders to be proactive in their stance, invest wisely in the right security defences, and safeguard company assets sensibly.