3 Questions CEOs Should Ask Their Cyber Chiefs

The cyberattack on Kronos is a portent of things to come.

First, criminals broke into the timecard management company’s network. Then they shut down employee payroll systems at thousands of its customers. Months after the initial breach, the blast zone continues to ripple out from the initial hit. Now nurses, transit drivers and other essential workers are reporting delayed or missing paychecks.

Yet despite the repercussions of the Kronos attack, most companies still don’t have a true sense of their cyber vulnerabilities. To prepare for the newest evolution of threats, CEOs and their boards should ask their cyber chiefs these three questions that will both illuminate the risks and help them support their teams.

How will you know you’re getting the right answers? If you walk out of that meeting still feeling uneasy about the threats to your business, you know there’s further work to be done.

1. What will hackers want and is it protected?

Cyber threats have evolved dramatically since companies first developed their security protocols. Now we see nation-states coming for intellectual property such as vaccine formulas. Hacking groups are trying to steal customer data or taking medical records hostage—whatever brings the highest ransom. Opportunistic thieves are breaching unsecured networks to scan for any vulnerabilities: Maybe they’ll find incriminating documents or infect software with bugs that spread to a company’s customers.

The key is identifying what’s most attractive to an enemy invader, then verifying your ramparts are built accordingly.

If nation-states are targeting your military drone designs or your vaccine formulas, is your company up to speed on their evolving attack techniques? If ransomware thieves could access critical infrastructure, such as pipelines or food supplies, through your products or processes, have you identified the weakest points in your defenses of those most-valuable assets?

Your CIO or CISO should be able to itemize what they’re doing to manage security, and what they’re doing to mitigate the risk of its theft.

2. How can we fortify our enterprise?

Think of your organization’s network as your home…except thousands of people have keys.

While there are many ways to strengthen your doors and windows, here’s one approach that’s immediately effective: It’s called privileged access. Better yet, it’s preventative instead of merely defensive.

Most companies are far too lax about adding new privileged user accounts to their networks. Privileged users can be anyone from a new salesperson to the CEO. Once credentialed, they have administrative access to one or more systems.

As Verizon found in its 2021 breach report, privilege abuse is a leading entry point for hackers. Many employees have privileged access to customer data, for example. That access portal often remains open even after they’ve changed jobs or left the company. It becomes an open door for hackers and cybercriminals.

Does your CIO practice the principle of least privilege? If so, she’s only giving access to people who need it for the specific task at hand. After any change in circumstance, a system should exist to withdraw credentials that are no longer necessary. Do the IT and security teams have current insights into always-on, always-available admin access?

No IT team can fortify everything. There will always be weak spots. But controlling who has access to your most valuable digital assets is vital to fortifying your enterprise.

3. How prepared are we to respond to an incident?

There’s still much to learn from the Kronos ransomware attack. Months after the breach, nurses still aren’t getting paid and angry employees are suing their employers. Did Kronos realize how many customers would be impacted by the software hack? In other words, had they calculated the blast radius? Even if they’d understood the possible consequences of such breach, the response measures they put in place haven’t been sufficient. Just ask those nurses.

Let’s be honest: Your company will have a cybersecurity breach if it hasn’t already. The important thing is to have a defensible incident response plan that must quickly and effectively contain the blast radius by protecting your customers or victims of collateral damage.

Over the years, there’s been an explosion of cybersecurity products, from antiviruses to firewalls to endpoint detection and response platforms. They can improve security by stopping something before it does damage.

Yet these are merely defensive systems.

The proactive company doesn’t wait to be hit. War games, for example, test your security before the enemy is at the door. Red team and purple team drills provide telling blueprints of your weaknesses—where and how you might be breached, what kind of damage can be rendered, and how quickly you can become operational again. Does your chief security officer have, and frequently practice, their incident response playbook?

Hackers are constantly adjusting their modes of assault. They’re laser focused on the most valuable asset, they’re probing your fortifications, they want the biggest blast radius. Woe to the company that isn’t making these adjustments. By asking your CIO or CISO these three questions, boards can better identify unseen vulnerabilities and help their company develop further protections.