Convincing the C-Suite that Cybersecurity Is Important


Recent large-scale cyber attacks have revealed just how vulnerable data can be when businesses don’t have the right protections in place. Target’s breach exposed information on 40 million customers, and assaults on Yahoo affected hundreds of millions of accounts. Both are high-profile cases to be sure, but companies of any size are at risk. In fact, more than 40 percent of cyber attacks targeted small businesses in 2015, according to Symantec.

So how can you convince decision-makers that cybersecurity matters? Start with this advice from Dr. Glenn S. Dardick, a cyber forensics consultant and associate professor of cybersecurity at Embry-Riddle Aeronautical University.

Bring Them Up to Speed

Decision-makers need to become generally knowledgeable about security issues. “Many of these decision-makers belong to professional organizations that offer information and continuing education on security issues, relative to their industries and job function,” Dardick says. “You don’t need to know how to program a computer, but you must understand what your responsibility is in securing your cyber infrastructure.”

Focus on Compliance

Because compliance requirements mandate that certain security measures be in place, they can spur action by leadership, Dardick says. For example, 17 CFR §248.30 requires companies to create written policies and procedures to protect customer information. “Compliance becomes a major motivator to get people to do something. If you are legally responsible for people’s data in your system, then you need to take certain actions to secure that data.”

Recognize That You May Already Be Under Attack

Computer criminals, like bank robbers, will scope out vulnerabilities far in advance of the actual theft. “They look for systems that are susceptible, and then they go in and test those systems,” Dardick says. “Most breaches don’t occur when you think they do. You may find out about it today, but in reality the breach started a year ago.”

Offer a Reality Check

Even after an organization has been breached, it can be difficult for decision-makers to accept that changes are needed. Dardick cites a case in which a law firm’s attorney-client privileged documents were compromised. “I had a problem convincing the firm that this was not a random attack,” he says. “People will think that these attacks are happening everywhere, and they were just one of the unlucky ones. Individuals go into denial, assuming that the hackers weren’t attacking the business personally. But they were, and if the organization doesn’t do something, it will happen again. The organization needs to change what they’re doing, adopt good policies and procedures, and secure their system.”

Plan Ahead

The best way to thwart cyber attacks is to stay a step ahead. The online Master of Science in Cybersecurity Management & Policy at Embry-Riddle is specifically designed to give working professionals the knowledge they need to become leaders in cybersecurity.