Some people think that cybersecurity is aimed only at making a system impregnable to attack, and nothing more. In reality, no system is completely safe. That is why cybersecurity should also focus on managing risk and keeping it at an acceptable level.
Planning for cyberattacks is a good way to ensure that you can prevent most breaches and respond more swiftly when they do happen. As CEO, what are the questions you should ask? Here’s a look at 10 key questions you should be asking about your company’s cybersecurity readiness.
1. What risk management framework are you using? Is this the right framework for you?
There are several risk management frameworks out there that you can use to benchmark and assess your risk profile and cybersecurity approaches.
For instance, you can use the National Institute of Standards and Technology's Cybersecurity Framework. It organizes best practices around core functions (Identify, Protect, Detect, Respond, and Recover), so it covers preventing and detecting attacks, responding to them, and recovering afterwards.
Other options include guidance published by the United States Computer Emergency Readiness Team (US-CERT) as well as guidelines from organizations such as the Cloud Security Alliance, the Open Web Application Security Project (OWASP), ISACA (which established COBIT), and the Federal Financial Institutions Examination Council.
These frameworks should function as a roadmap that helps you implement cybersecurity measures without missing anything. They can help you work towards compliance as well.
2. What are you doing now to prevent cyberattacks?
To answer this question, every business needs to start by evaluating its security baseline: the protections, policies, and processes it currently relies on to protect itself from cyberattacks.
This will help you identify what you still need to do and which controls are missing. You can also implement a defense in depth strategy that uses multiple layers of defense throughout your IT systems. This means overlapping controls such as an intrusion prevention system, a firewall, and anti-virus software, chosen so that no single failure or bypass leaves an attacker unopposed.
3. How do you involve management in the cybersecurity picture?
C-suite executives and other managers need to be involved in cybersecurity, even if they do not belong to the IT department. Simply briefing executive management on your overall cybersecurity practices once a year is no longer enough.
4. How do you include cybersecurity risks in your enterprise risk management? Should they be part of your enterprise risk management at all?
Every business should have an enterprise risk management process, and cybersecurity should be part of it. Cyber risk should be measured the same way other business risks are measured: by likelihood and impact.
Managing cybersecurity risk should not be framed only as a question of return on investment. Instead, ask what you stand to lose if cybersecurity measures are not implemented properly. For example, Hilton was fined $700k for a data breach; under GDPR, which allows fines of up to 4% of global annual turnover, that fine could exceed $420 million, and that does not account for reputation damage and other costs. In other words, you cannot afford to skimp on cybersecurity.
5. How do you handle cyber risks coming from vendors and other third parties?
When you deal with an outside company, you must think about two things:
- What information or data are you sending them, and how sensitive is it?
- What kind of access do you give vendors (to your network, systems, or accounts), and is it limited to what they actually need?
- When do you call law enforcement?
- How will you inform your users and the public in case of a breach?
- How will you limit the damage in the event of a cyberattack?
- Who will be responsible for what response?
- What are the roles that need to be assigned?