Six C-Level Cyber Blunders (and Solutions)

Criminals lust for your data. Competitors hire the employee you just fired for the thumb drive full of confidential files they smuggled out. Data thieves drool over an executive’s Facebook profile – a veritable “how to” guide for exploiting corporate access. Cyber criminals digitally “sniff” the wireless hotspots your team accesses from cafés, conferences and even in their own homes. The end game? To intercept the data that drives your profits without your faintest knowledge.

Every business, large and small, is under assault by forces intent on hacking your data: identity records, customer databases, employee files, intellectual property, and ultimately, your bottom line. Research is screaming at us—more than 87% of businesses surveyed have already experienced at least one breach and have no idea of how to stop a repeat performance. The average recovery cost, according to the Ponemon Institute, regularly tops $6 million. These are clear, profit-driven reasons to aggressively defend your data.

Here are Six C-Level Cyber Blunders I see repeatedly as I wade through the wreckage of organizations that failed to “do something” before it was already too late:

1. Board-endorsed Arrogance, Ignorance and Inaction. Building a culture of security begins at the top. When the CEO arrogantly emails his unprotected username and password (Sony), it signals to those below that security is a façade rather than a priority. A board of directors with no CISO (Target) or a smaller business that thinks their assets are worth too little to exploit, demonstrate ignorance about a universal truth – everything that is digital… is hackable. Solution: At your next board retreat or executive meeting, host a facilitated “C-Level Cyber Chat” to ask and answer relevant questions about necessary budgets, executive accountability and feedback loops.
2. Failure to Engage the Humans. Companies waste billions attempting to indoctrinate employees on security solely from the perspective of the organization. Leading with a mind-numbing compliance policy or boring PowerPoint ignores a crucial reality: All security is personal. In other words, expect no one (except your CISO, whose job it is) to care about securing data until they understand how it impacts Solution: Educate everyone from the boardroom to the mailroom that security is, at its heart, an emotion – a burning internal reflex – not a department. Enlist them as soldiers in data defense and empower them with the knowledge and authority to protect virtual property. Finally, make sure your training isn’t boring – in order for education to work, it must be entertaining and “sticky”.
3. Blind Reliance on Happy Security Audits. C-Level executives don’t have time to “get into the weeds” on security, so they often turn a blind-eye and delegate every aspect of the job to the IT department, risk management or to no one at all. These people, in turn, rely on internal security audits to expose weaknesses. The resulting reports are often “Happy” (“we’re doing a great job!”), because what else is someone going to say when they’re grading their own test? Solution: Have an annual External Security Audit performed by an impartial advisor. They’ll help you patch costly holes (human, physical and cyber) and will report back honestly to the C-suite. Combined with internal assessments, 3^rd party evaluations make for an efficient security barometer. 
   
4. “Going Mobile” with Everything But Seatbelts. To drive a car without a seatbelt would be laughably naïve for most educated adults. And yet we mobilize our offices and information with smartphones, tablets and laptops that don’t have even the most basic protections (passcodes, encryption, remote tracking and wiping, tethering) let alone more sophisticated enterprise protections (app whitelisting, MDM, VPNs, workspace sandboxing, BYOD policies). Solution: As you mobilize your information access, processing and storage, build security measures directly into the fabric of your network. This will keep your data out of the hands of competitors, criminals and industrial spies. Go mobile, but go wisely.
5. Overlooking the Lowest Hanging Fruit. The root cause of most data loss is not technology; it’s a human being who makes a costly miscalculation out of ignorance, fear, ego, confusion, greed or sense of urgency. Social engineers exploit human goodness to extract information from you and your co-workers by pushing buttons that trigger automatic responses. Solution: Fraud-response tactics arm your employees with skills to repel threatening requests for login credentials, phishing exploits and information leakage. Simulation training turns this response into a reflex, making employees (and even customers) your first and finest line of defense.
6. Ignoring the Security of Resilience. Statistically, everyone reading this article will experience some form of personal identity theft in the next three years. And every organization with an Internet connection will experience a data loss incident. Security is not just about building higher walls or attaining 100% prevention (a myth); it’s about how quickly you respond to and bounce back from an attack. Are you prepared to learn from the failure of others, to leverage your own mistakes to motivate change? Solution: Proactively create a Breach Response & Cyber Resilience Plan before the attack occurs. A small amount of preparation could save your reputation.

Leaders with the foresight to invest wisely, implement consistently and manage cyber risk in a  “business-as-usual” manner rarely end up as tomorrow’s front-page, data-breach blunder. Fear is only for those who fail to act. Where do you fall?

©  Copyright  John Sileo    All rights reserved.