Cybersecurity leaders are also business leaders, working to protect data without business interruption. But the complexities and magnitude of today’s cybersecurity challenges are daunting for many organizations and not every executive is a cybersecurity professional, nor do they necessarily need to be. What’s important is that those with the primary responsibility for cybersecurity in an organization communicate risk effectively among their colleagues and across the business.
The World Economic Forum’s recently published Cybersecurity Guide for Leaders in Today’s Digital World provides a practical guide to dealing with cybersecurity challenges. Is it a foolproof defence against cyberattacks and security breaches? No, there are no silver bullets, but it does contain 10 basic tenets for business leaders to incorporate into their companies’ day-to-day operations. Diligent application of these tenets – and making them a part of your corporate culture – will go a long way toward reducing risk and increasing cyber-resilience.
Zurich Insurance Group uses a risk-based framework to achieve this. Its Integrated Information Security Baseline (IISB) unites security efforts across the global organization and helps business leaders – business unit CEOs, COOs, CFOs – to better understand and manage critical cyber-risks. Jointly managed by the first and second lines of defence, it comprises crucial risk indicators that touch on several of the tenets in the World Economic Forum’s guide. Its primary benefit is that it helps to achieve the 10th tenet: creating a culture of cybersecurity.
A strong cybersecurity culture is not about making everyone in an organization a technical expert on the latest cyberthreats, but rather about keeping these essentials in mind:
- Nearly all individuals in an organization have access to information that is valuable to cybercriminals. This could be information with value in its own right, such as personally identifiable information that can be sold on the dark web; or information such as credentials that can be exploited and used to burrow into network systems and access other critical systems.
- Many data breaches are enabled by unintentionally risky behaviours, such as selecting weak passwords or sharing account login credentials.
- Most importantly, the bulk of today’s cyberthreats achieve their goal through humans and the targeting of individuals through phishing and social engineering.
Organizations can make their cybersecurity culture more robust by:
- Creating a framework for managing risk that can be understood across the organization, even by non-cybersecurity professionals. It doesn’t need to be a comprehensive measurement of all risks, but it should use risk indicators that are representative of the main risk areas, so as both to provide an overall barometer of cybersecurity risk and to ensure it’s kept as part of the business conversation.
- Making sure cyber is part of the dialogue at the highest levels of the organization. If the CEO talks about phishing awareness, there’s a good chance this will become a priority at all levels.
- Creating a security instruction and awareness function and appointing a senior leader responsible for running security awareness campaigns and overseeing security training. This executive should be empowered to work with colleagues across various business functions to design programmes that address the needs of different employee specialities.
- Creating incentive programmes to reward and reinforce positive security behaviour. For example, phishing simulation training could be made more enjoyable through gamification and small prizes for those who report the most phishes.
- Supplementing the mandatory annual training that many companies require with engaging, bite-sized security training available throughout the year. This can be delivered through fun quizzes, cartoons or security-focused webisodes.
- Ensuring employees know the right channel for quickly reporting suspicious activity, and making sure this information is easy to recall and access. Even better, provide multiple channels for communication: an IT help desk, a dedicated cyber-reporting phone line, email, or even SMS and social media messaging.
- Communicating, communicating and communicating again. To keep cybersecurity top of mind, it needs to be communicated frequently and continually through multiple channels. Company newsletters, blogs, digital signage and posters are all good venues for promoting anything from a cybersecurity tip of the day or slogan to an interview with a top company executive on the topic of cyber fraud.
In every company, in every organization, every person is a security champion. We all have a responsibility to remain educated and aware and to support the cybersecurity team in implementing best practices.
– Paige H. Adams, Global Chief Information Security Officer, Zurich Insurance Group