
3 Questions CEOs Should Ask Their Cyber Chiefs

Despite the crippling repercussions of well-known cyberattacks, most companies still don’t have a true sense of their vulnerabilities. Three ways CEOs can gauge their readiness for the next evolution of cybersecurity threats.

The cyberattack on Kronos is a portent of things to come.

First, criminals broke into the timecard management company’s network. Then they shut down employee payroll systems at thousands of its customers. Months after the initial breach, the blast zone continues to ripple out from the initial hit. Now nurses, transit drivers and other essential workers are reporting delayed or missing paychecks.

Yet despite the repercussions of the Kronos attack, most companies still don’t have a true sense of their cyber vulnerabilities. To prepare for the newest evolution of threats, CEOs and their boards should ask their cyber chiefs these three questions that will both illuminate the risks and help them support their teams.

How will you know you’re getting the right answers? If you walk out of that meeting still feeling uneasy about the threats to your business, you know there’s further work to be done.

1. What will hackers want and is it protected?

Cyber threats have evolved dramatically since companies first developed their security protocols. Now we see nation-states coming for intellectual property such as vaccine formulas. Hacking groups are trying to steal customer data or taking medical records hostage—whatever brings the highest ransom. Opportunistic thieves are breaching unsecured networks to scan for any vulnerabilities: Maybe they’ll find incriminating documents or infect software with bugs that spread to a company’s customers.

The key is identifying what’s most attractive to an enemy invader, then verifying your ramparts are built accordingly.

If nation-states are targeting your military drone designs or your vaccine formulas, is your company up to speed on their evolving attack techniques? If ransomware thieves could access critical infrastructure, such as pipelines or food supplies, through your products or processes, have you identified the weakest points in your defenses of those most-valuable assets?

Your CIO or CISO should be able to itemize what they’re doing to manage the security of those assets, and what they’re doing to mitigate the risk of their theft.

2. How can we fortify our enterprise?

Think of your organization’s network as your home…except thousands of people have keys.

While there are many ways to strengthen your doors and windows, here’s one approach that’s immediately effective: It’s called privileged access. Better yet, it’s preventative instead of merely defensive.

Most companies are far too lax about adding new privileged user accounts to their networks. Privileged users can be anyone from a new salesperson to the CEO. Once credentialed, they have administrative access to one or more systems.

As Verizon found in its 2021 breach report, privilege abuse is a leading entry point for hackers. Many employees have privileged access to customer data, for example. That access portal often remains open even after they’ve changed jobs or left the company. It becomes an open door for hackers and cybercriminals.

Does your CIO practice the principle of least privilege? If so, she’s only giving access to people who need it for the specific task at hand. After any change in circumstance, a system should exist to withdraw credentials that are no longer necessary. Do the IT and security teams have current insights into always-on, always-available admin access?

No IT team can fortify everything. There will always be weak spots. But controlling who has access to your most valuable digital assets is vital to fortifying your enterprise.

3. How prepared are we to respond to an incident?

There’s still much to learn from the Kronos ransomware attack. Months after the breach, nurses still aren’t getting paid and angry employees are suing their employers. Did Kronos realize how many customers would be impacted by the software hack? In other words, had they calculated the blast radius? Even if they’d understood the possible consequences of such a breach, the response measures they put in place haven’t been sufficient. Just ask those nurses.

Let’s be honest: Your company will have a cybersecurity breach if it hasn’t already. The important thing is to have a defensible incident response plan that quickly and effectively contains the blast radius by protecting your customers or victims of collateral damage.

Over the years, there’s been an explosion of cybersecurity products, from antiviruses to firewalls to endpoint detection and response platforms. They can improve security by stopping something before it does damage.

Yet these are merely defensive systems.

The proactive company doesn’t wait to be hit. War games, for example, test your security before the enemy is at the door. Red team and purple team drills provide telling blueprints of your weaknesses—where and how you might be breached, what kind of damage can be rendered, and how quickly you can become operational again. Does your chief security officer have, and frequently practice, their incident response playbook?

Hackers are constantly adjusting their modes of assault. They’re laser-focused on the most valuable asset, they’re probing your fortifications, they want the biggest blast radius. Woe to the company that isn’t making these adjustments. By asking your CIO or CISO these three questions, boards can better identify unseen vulnerabilities and help their company develop further protections.

