In late November 2018, Marriott International Inc. reported that it had fallen victim to a colossal theft of customer data. Up to 500 million customers’ personal information was exposed, including passport and credit card information. The breach, which began in 2014 and continued until this September, is only the latest in a long string of high-profile cyberattacks making headlines this year.
Despite the eye-popping figures and high stakes, according to a McKinsey survey of corporate directors, the majority of respondents reported that their boards had, at most, one technology-related discussion a year. Similarly, according to EY’s 19th Global Information Security Survey, only one in five executives fully considers information security in planning their larger corporate strategy.
However, this gap between how important cybersecurity is and how much involvement there is by senior corporate executives can be hard to overcome. To do so, organizations must learn to see security the way they see all other operational risks, and not as just a technical issue.
To help get the attention of your senior executives and make cybersecurity a priority for your organization in 2019, follow these four key tips:
Clearly Communicate Cybersecurity Goals
If you want your organization to know and understand where you want them to go when it comes to improving your cyber defenses, first you need to create a structure to foster clear communication between and across different parts of the organization. This begins with security professionals understanding business priorities and operations staff understanding the role of cybersecurity and why it is important to your organization’s success.
Next, executives need to make sure that the entire organization understands the specific cybersecurity steps the company is taking to improve its security posture. This can include participating in communications campaigns, sending out reminder emails and links to policies, and even facilitating meetings or other discussions.
Discuss the Risks of Cybersecurity Threats to the C-Suite
According to Verizon’s 2018 Data Breach Investigations Report, the last year saw 53,308 security incidents and 2,216 data breaches. Making sure senior executives understand these risks and how they can affect not only their bottom line but also their customers and their brand’s reputation is an effective way to get their attention.
In the wake of a cyberattack, damages nearly always run up to hundreds of thousands of dollars, due to the costs of investigation, incident remediation, forensics, credit-monitoring services, litigation, and the associated regulatory penalties. According to the Cisco Annual Cybersecurity Report, 53 percent of cyberattacks between 2016 and 2017 resulted in damages of more than $500,000.
Risk to Customers
According to a 2017 PwC Consumer Intelligence Series report, 72 percent of consumers believe businesses, not the government, are best equipped to protect them from cyberattacks. On the other hand, 69 percent believe that companies are vulnerable to hacks. Therefore, it is critical for organizations to understand and respond to their customers’ cybersecurity concerns in a regular and proactive way to earn and maintain their trust, and, ultimately, their business.
Damage to Reputation
Two-thirds of companies (67 percent) reported that cyber incidents have damaged their reputations, according to the 2017/18 Kroll Annual Global Fraud & Risk Report. Of those, 23 percent also said that their companies suffered long-term losses of 7 percent or more in revenues in the wake of the incident.
Though consumers can be forgiving, preventing a cyberattack in the first place can often be a lot less expensive than having to pay for marketing, legal, IT, and other services in the wake of an attack.
Get the Right Technology in Place
Long an afterthought, security must now garner as much attention as plans for new products, emerging technology, and innovations. Yet, according to a 2018 Ponemon Institute study, only 31 percent of IT professionals believe that their organization’s funding for security is sufficient.
Out-of-date applications and operating systems are a favorite target of cyberattackers, with hackers trading in exploits known to be effective against outdated systems. Similarly, it is important to test and evaluate existing defenses and to evaluate new and emerging security products against your business needs to help ensure that your network has the flexibility to accommodate current and future security challenges.
Not to be overlooked, patches and updates from vendors should be identified and installed as part of a regular maintenance cycle and according to existing application change management procedures. Security policies and rules may also need to be updated as additional applications and devices are added to your network environment to help ensure any new gaps are appropriately addressed.
Implement Cybersecurity Training Programs
One of the biggest threats to organizational security actually comes from within: through the employees and contractors who are familiar with your infrastructure and operational practices. Wittingly or not, insiders are involved in 28 percent of attacks, according to the Verizon report. This includes employees making simple mistakes (such as responding to phishing emails or storing passwords in the open) that can lead to sensitive information being disclosed.
A key way to make sure your employees are aware of the signs of malicious cyber activity as well as how they can fix their non-malicious (but still risky) behavior is through organization-wide security awareness training. Though the investment sounds hard to quantify when budgets are closely watched, making security education a priority can pay off in the event of a cyberattack. One study even found that organizations that implemented regular security awareness training for employees had an average financial loss of $162,000, compared to an average loss of $683,000 for those without training.
Now Is the Time to Make a Change
The new year is a great time to refocus priorities and change habits. Taking the time to communicate your cybersecurity goals, develop a plan to train employees, and articulate the risks of complacency to your executives can help to not only make 2019 a milestone year, but also keep your organization out of the headlines.