13 Key Cybersecurity Questions and Answers for Non-Technical CEOs
Cyberattacks can be complicated, but in our experience over many years, most are really simple and exploit basic weaknesses.
In the vast majority of cases, simple steps can make you safe or minimize disruption in the event of an attack. But normally these decisions are taken by tech people and not a CEO.
Here is a simple list of 13 questions and answers to help non-technical CEOs start taking the right steps immediately.
- How do we get security risks and issues under control?
Every substantial business should maintain a list of risks and issues, with some analysis of the options and mitigations. Each risk or issue should be owned by someone in the C-suite who has the expertise, time and ability to manage it. This document should be reviewed at least annually. The list and the open discussion drive sensible, productive decision-making and avoid a culture of sweeping issues under the carpet. This approach prevents overspending in the wrong areas — it’s all about “proportionate response.”

- What kind of insurance do we need?
Unfortunately, not all cyber insurance is created equal, and you need to take care to select an appropriate policy and provider. Check the exclusions on the policy and ensure someone in the C-suite understands the coverage. (Cyber insurance may not give you back money that’s stolen from you — that generally requires crime insurance.) Check that your IT is compliant with your policy conditions; the devil is always in the details, and your IT team or supplier needs to know how to stay compliant. Finally, are your suppliers’ contracts clear about their liability, and are they insured appropriately?

- How do we get our staff to take security seriously?
Security systems can be bypassed by canny criminals because they know what the weak link is: people. Create a “security culture,” where taking this stuff seriously is encouraged. Ensure that you and everyone else in the C-suite set an example. For instance, if you write your passwords on post-its, then you should fully expect your people to do the same, and you will probably be hacked as a result. Many hackers exploit helpful staff who simply hand over money! Sound financial processes, clear controls, good education, and ongoing training are all vital to security. Remind people to “think before you click!”

- How do we keep data secure?
Access to systems and data should only be given to those who need it. This is known as a “least-privilege policy.” For example, when a person is given access to a system, the default should ensure that person has no rights to anything. Then privileges should be granted according to what that person needs to do in the system, building up to include only the data and processes they require. If you don’t follow a least-privilege system, then you are really exposed to cyberattack, to fraud and to errors. When users’ roles change, their access should be reduced if their job doesn’t require it anymore (and their access removed altogether when they leave!).

- What are firewalls?
Start by ensuring your office has sensible physical security. Then make sure the equivalent measures are in place for your systems; these are your firewalls. Knowledgeable and trusted experts who understand the complexities of system and firewall management need to configure this equipment and keep it up to date. Specifically ask them whether they have minimized points of access (ports) and are using secure ports for email and web access rather than standard ports.

- Is our security up to date?
This should be so simple, but most hacks exploit the fact that many companies fall behind. All computers should use up-to-date operating systems which are properly patched, and utilize up-to-date anti-virus and anti-malware systems. However, these systems only work well when they know what they’re up against. Newer protection systems coming on the market look for programs acting suspiciously and will automatically shut down the program before it has time to cause mayhem. These systems provide protection against new attacks (often called “Zero Day”) because they spot the bad behavior of an application rather than recognizing the malware itself.

- What is data encryption?
To protect your data, it should be encrypted and only accessible to those with the approved rights to look at it. Where you have customer data, particularly user accounts and passwords, ask your IT team whether the data is “hashed and salted,” which will keep it secure even if your systems are breached. It is unforgivable nowadays to be holding personal or confidential data unencrypted (known as “clear or plain text”).

- How should we back up our data?
Your data and systems should also be backed up, and the backup must be stored off-site, preferably with no connection to your live systems (known as an “airgap”). Ensure the backups include multiple versions of the same document in case corruption or malicious encryption took place at some point in the past. Having a decent data backup can be the difference between having a business post-disaster and not.

- What is a penetration test?
A penetration test is an assessment by an expert company of your website and network to find weaknesses. This is essential if your website includes custom software or any kind of ecommerce services. Poor technical practices can result in custom software being full of holes, and these are well documented in a standard list known as the OWASP Top 10. This list contains the standard vulnerabilities that almost all hackers focus on, so ensure your penetration test includes checks against the OWASP Top 10. Simple!

- Why should I take passwords seriously?
Hackers automate attacks by testing thousands of obvious passwords until they get lucky. So many hackers don’t have to be clever, because users make it easy by choosing “password123.” Users must take passwords seriously: choose long passwords that are hard to guess, use different passwords for different systems, and never share them. Software can be used to store passwords securely, but if people must write down details, then put them under lock and key. Make sure your systems are configured to enforce good password discipline, lock out users after repeated failed attempts, and use two-factor authentication wherever possible.

- Do we have a plan in case of a cyberattack?
Establish how you will handle a crisis in advance! Who’s in charge if you are attacked by ransomware and decisions need to be taken on the spot? Who are the relevant authorities to notify, and who is responsible for making this happen? You’ll be fined if you don’t.

- Why does security certification matter?
Certification will give a focus and purpose to your efforts to improve security and directly demonstrate to your company and your customers that you take it seriously. We know of clients that have won new customers simply because they stood out from the competition by having the right certification.

- Who should be in charge of cybersecurity?
Someone from the C-suite with the time, expertise, and right business attitude! This person needs to start by getting clear on what you have: who are the users, third parties, and suppliers that access your systems? List your equipment, networks, software, etc. — the crown jewels that really matter — and ensure they are properly protected. If you want a high-quality CIO, CTO, or CISO in your C-suite, that’s where we come in.
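As an added illustration, not part of the original briefing, the following Python shows what two of the answers above look like in code: “hashed and salted” password storage (from the data encryption answer) and locking out users after repeated failed attempts (from the passwords answer). The UserStore class, the PBKDF2-SHA256 parameters and the five-attempt limit are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example: PBKDF2-HMAC-SHA256, 200,000 iterations,
# a random 16-byte salt per user, and lockout after five failed attempts.
ITERATIONS = 200_000
MAX_FAILED_ATTEMPTS = 5

def hash_password(password, salt=None):
    """Return a storable record (salt + hash); the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}

def verify_password(record, candidate):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])

class UserStore:
    """Hypothetical user database: keeps only salted hashes and locks accounts after repeated failures."""

    def __init__(self):
        self.records = {}   # username -> hashed record (no plain-text passwords anywhere)
        self.failures = {}  # username -> consecutive failed attempts
        self.locked = set()

    def add_user(self, username, password):
        self.records[username] = hash_password(password)
        self.failures[username] = 0

    def login(self, username, password):
        """Return "ok", "wrong password", "locked" or "unknown user"."""
        if username not in self.records:
            return "unknown user"
        if username in self.locked:
            return "locked"
        if verify_password(self.records[username], password):
            self.failures[username] = 0  # a successful login resets the counter
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(username)  # stops automated guessing of obvious passwords
            return "locked"
        return "wrong password"
```

Because every user gets a different salt, two users who chose the same password end up with different stored hashes, so a breached database does not reveal shared or reused passwords.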
You can download and read our full CEO’s Briefing about Cybersecurity, Legal, and Compliance here. Or, visit our Knowledge Center which includes all content related to this topic.