As I discussed yesterday, a recent survey by KPMG of the CEOs of over 1,200 businesses shows that many firms are woefully unprepared to address cyber attacks.
After the report was issued, I spoke with Malcolm Marshall, Global Head of Cyber Security at KPMG, and asked him what areas of weakness he and his team have observed in firms that already have cybersecurity plans and technology in place (for those that do not yet, please see this article), and what CEOs should be doing now to better protect their firms.
Here are eight interesting points from our conversation.
1. Make sure your firm does not suffer from "corporate security attention deficit disorder."
So many businesses have launched cybersecurity programs with great fanfare only to find that within months many organizational commitments fall by the wayside. Policies and procedures to ensure the timely implementation of patches or the installation of upgrades are undermined with "exception cases" that seem to grow in number over time. Don't let that happen, as there may be a huge price to pay for doing so. Security may not be glamorous or a profit center, but, as those who have suffered major breaches can tell you: it is mission critical.
2. Understand what your informational assets are, and prioritize their security.
From a practical standpoint you are unlikely to be able to protect all of your data and systems with maximum security (however you define that for your organization). Those who have tried have learned the hard way--by harming people's morale, making business processes inefficient, adversely impacting the ability to compete, or running up unacceptable costs.
3. Address Internet of Things risks.
While many media reports make it sound like the "Internet of Things"--that is, the proliferation of Internet-connected devices that are not traditional computers--is something that will happen in the future, it is actually here today. CEOs must be aware of what is attached to their networks, and adequately secure against the risks that all attached machines create. Providers of smart appliances often do not adequately consider security when designing and creating their offerings--so, if you are using smart appliances you need to take action.
4. Security needs to be thought about at the executive level, not just within departments.
There needs to be someone responsible for security throughout the entire organization ensuring that nothing "gets lost in the shuffle" as can happen if a piecemeal, department-by-department approach is taken. The person in charge may sometimes have to manage inter-department politics in order to keep the organization as a whole secure.
5. Address generational differences.
Many businesses have not fully adjusted their onboarding and absorption processes to accommodate Millennials, whose behaviors and cultural expectations differ from those of earlier generations of workers. If you don't address how younger people work in more open and collaborative environments, share information, use mobile devices, or interact on social media, you may be in for problems.
6. Everyone working in a business needs to have security on his or her mind.
If an executive is overseeing the creation of a new product within her division for example, she should make sure to involve the security department from the get go. So often, security is brought in later--leading to vulnerabilities and other problems.
7. Understand who is targeting you and what are their motivations and capabilities.
Sun Tzu taught this millennia ago about conventional warfare, and it is true in the cyber-era as well. Media reports and law enforcement briefings can often help with this.
8. Understand what third-party risks impact you, and offer positive ways to address them.
If you rely on providers of cloud applications, for example, security risks at the application providers can impact your data security. Instead of simply issuing security mandates to those firms, and making demands, provide positive input to help them get where they need to be vis--vis security. In the end, your goal is to keep your data safe, not to be someone else's headache.
Please feel free to discuss this article with me. I'm on Twitter at @JosephSteinberg.