
CEOs: Are You Prepared For The Real World Ramifications Of Cyber Attacks?

A CEO needs to enlist the entire company in the effort to establish common metrics around cyber risk, building a culture of security through open dialogue, planning and testing.


Global cyberattacks like WannaCry and NotPetya have bumped cyber risk firmly to the top of C-suites’ agendas. Even with this increased attention, businesses are still grossly underestimating their exposure, particularly because the attacks happening now are only the tip of the iceberg. The disruption to businesses’ growth, competitiveness, operations and existence is already playing out – and will dramatically increase in the near future. Cyber risk threatens the viability of all organizations; no CEO should be under an illusion about the implications to their business. Nonetheless, a huge proportion of executives are not translating this attention into implementation of the right people, processes and technology to protect their companies.

Misperceptions

The misperception that cyber risk is predominantly a data breach issue for large companies persists. Outside industries such as retail, financial services and healthcare, organizations often underestimate the size of the target on their backs, because they have not traditionally operated under strict regulations on the use of data such as protected health information (PHI) and personally identifiable information (PII). Responsibility for cyber risk management urgently needs to expand to organizations across all sectors. The convergence of the digital and physical worlds means the damage caused by cyber attacks now extends far beyond the loss of data security and intellectual property. Tangible and intangible assets, systems and processes are increasingly intertwined. As a result, cyber risk will have an even more dramatic impact on business operations, research and development, supply chains, manufacturing plants, third-party service providers and customer relationships.

Bringing critical business functions online increases operational risk. For example, testing exercises for companies in the energy sector have successfully reached critical supervisory control and data acquisition (SCADA) systems that the companies wrongly believed to be separate from their main corporate network. SCADA systems and devices control physical processes in many contexts; in the energy sector they may regulate electrical flow to turn machines on and off, as well as other aspects of the exploration, transportation and production of oil and gas. If a malicious actor had compromised the corporate network and moved laterally into the SCADA system before our technical experts discovered the issue, it would not have been only the company’s valuable data and information that could have been exposed. Imagine the production disturbance, business interruption or even physical damage and human injury or loss of life that could have been inflicted if normal functioning had been altered. Testing exercises in other sectors have had similar results, for example, gaining access to manufacturing companies’ unreleased product designs, configurations and launch plans. The convergence of the digital and physical worlds in many industries, including biomedical devices in healthcare and connected cars in automotive, increases the threat.


A Clear Disconnect

This disconnect between the seriousness of the risk and the measures in place also varies with the size of the organization. Executives at smaller firms are often skeptical about whether they represent a significant target for cyber attacks, which can limit their investment in cybersecurity. However, criminals are not only targeting high-value corporates but also launching large-scale attacks to disrupt as many organizations as possible. For example, the Locky, NotPetya and WannaCry ransomware attacks hit companies indiscriminately – regardless of size – by exploiting specific vulnerabilities, such as poor patch management. A small to mid-sized organization might weigh the cost of a ransomware payment of a few hundred dollars against the cost of a security assessment, remediation and insurance, and decide to roll the dice. This approach often fails to acknowledge the very tangible consequences of systems and information being unavailable, even where there is no risk of physical damage or human injury. It can be an existential miscalculation, as smaller enterprises in any sector cannot always afford to withstand the interruption to sales and operations caused by an attack.

Basic Fundamentals

While the majority of media reporting on cyberattacks is focused on data breaches, the consequences for revenue, operations and other functions are very real. Even in smaller or less mature organizations without a fully staffed security department, there are some basic fundamentals that CEOs should be asking about and ensuring are implemented:


  1. Create a multidisciplinary committee for cyber risk management: The impact of cyber risk can be felt across every department in a business – legal, compliance, human resources, finance, communications, operations, information technology and elsewhere. A cyber risk committee is a relatively low-cost organizational change that brings together the relevant expertise to assess how cyber risk will affect multiple functions, and how changes in the business – such as an M&A transaction, working with a new vendor, or implementing new technologies – will alter the security posture. The General Counsel, given their apolitical position in the organization and their familiarity with the regulatory environment and downstream liabilities, should chair this committee and report its findings to the CEO and the Board.
  2. Conduct a security assessment: The best way to understand the current state of a company’s security is to conduct an independent security assessment. Smaller organizations with less complex systems may consider SaaS-based solutions, which can be cheaper and allow IT or information security leaders to enter information and receive an instant score on their security posture. The results of the assessment should then be shared with the multidisciplinary committee to inform where budget is spent to close gaps, which critical data and assets to prioritize for protection, and what to insure.
  3. Create a culture of security: Enlist your employees in the fight against cyber crime by investing in training and awareness programs. No one should be exempt from these exercises – including the board and senior executives. Examples include proactively teaching staff how to spot suspicious phishing emails and implementing better password management practices. These small security measures can have an immediate positive effect.
  4. Incident response planning: Incident response planning focuses on improving the company’s resilience in the face of attacks. Many companies now have an incident response plan, but it is important to test the plan with all stakeholders involved and to keep it regularly updated. Planning for an incident – particularly ransomware – also involves creating regular backups of critical data and systems to reduce downtime, and testing defenses by simulating attacks.
  5. Have a tailored cyber insurance policy: Even after taking proactive steps such as those outlined above, the evolving threat landscape means that no company can be completely secure. It is important to ensure that any cyber insurance policy takes into account the results of a security assessment, so that it covers the areas of greatest vulnerability that it may not be feasible to remediate.

A CEO needs to enlist the entire company in the effort to establish common metrics around cyber risk, building a culture of security through open dialogue, planning and testing. It all starts with the CEO.
