Should those in the C-Suite be concerned when it comes to cybersecurity? The short answer: yes. There is no denying that being in the C-Suite signals that an executive has “arrived” and is among the movers and shakers of the organisation. But most people tend to see the perks that go with the job, rather than the risks and responsibilities that are apt to make it onerous and burdensome. Where cybersecurity is concerned, at least, being in the C-Suite means the need for higher levels of cybersecurity awareness. The Chief Executive Officer (CEO), Chief Operations Officer (COO) and Chief Finance Officer (CFO) may set the firm’s rules but this does not make them any less vulnerable to cybersecurity threats.
In fact, research has shown that because they are in positions of authority, they are more likely to bypass corporate cybersecurity measures. Lapses like these could in turn leave the organisation open to cyberattacks and hacking attempts that may incur long-term damage. C-Suite executives often have access to the highest levels of security and confidential information, among the firm’s more valuable assets. They automatically become security targets as soon as they assume their positions. As such, bypassing security measures may have far-reaching, sometimes devastating, implications. Additionally, C-Suite executives may be under attack and not even realise it.
The level of cyberattacks and cybercrime has never been so sophisticated as they are today. Hackers may be in a system for months before they are discovered. The increase of such incidents in recent times is both dangerous and disturbing. Personnel at all levels of an organisation need to be vigilant to prevent breaches; none more so than those in the C-Suite. Cybersecurity issues are no longer the province of the IT department. Instead, the organisation would do well to have a cybersecurity framework in place that strategises for any eventuality related to its systems. Most organisations have an online presence at the very least; many depend on their online systems to drive business.
This dependency has reached a level where any disruption to the firm’s electronic networks operation systems, even minimally, may have long-lasting repercussions. In an era of instant gratification, even a denial of service lasting a few minutes will have an off-putting effect on customers, and have a serious impact on the business. Issues relating to the organisation’s cybersecurity actually have a tendency to extend beyond the technical environment and may have a knock-on effect on the entire business. In short, everyone is affected, so cybersecurity solutions should also include processes, procedures and controls, and the appropriate employee behaviour.
When C-Suite executives lapse, either advertently or inadvertently, in their cybersecurity vigilance, they inevitably become open to exploitation by cyber criminals. Statistics show that these criminals are aware that C-Suite executives are the majority of those who request exceptions to cybersecurity protocols – which is ironic, because they are the ones who usually set such protocols in place. This is not peculiar to any business or industry; it is reflected in the major cybersecurity challenges across the world today. This points to the need for a change in employee or user behaviour, before cybersecurity protocols can be truly effective.
There is no end to the damage which could occur if a C-Suite executive’s account is breached, and confidential information is accessed by unauthorised persons. It could also incur liabilities on the part of the organisation and the individual as C-Suit executives are usually subject to confidentiality clauses. Such breaches also reflect badly on the business, leading to loss of confidence of investors. The firm’s reputation may thus be put at risk, and customers’ confidence in the brand may decline. Of course, C-Suite executives are not the only high-risk group. Many employees are now choosing to Work From Home (WFH); matters become complicated when C-Suite executives are among these.
Many organisations also allow their employees to use their own equipment such as laptops and mobile phones for expediency when working remotely. These are often unsecured devices which employees may continue using even when they are in the office, thus putting the organisation’s systems at risk. What then can be done to mitigate the risks that come with new ways of working that seem to be virtual magnets for new threats and disruptions? Improving awareness of the dangers of cyber breaches and how they occur is one way. Development of a more risk-aware culture is another. Awareness of the importance of cybersecurity as a critical business function should be enhanced.
In all this, the organisation will look to its Board and management – its C-Suite executives – to set the rules and walk the talk. Legacy infrastructure may also be a source of risk; management will have to be aware of the systems they are dealing with. Close collaboration with the IT department will be necessary, as well as with external parties. A lack of awareness may lead to complacency among staff; this must be addressed through the appropriate training. Also, a strategy of Know Thy Enemy should be adopted in the course of training. Everyone should be aware that there are many players in the environment with a variety of reasons who are looking for ways to break into systems.
Sometimes these may be hackers who are in it for fun; but there may be others with more sinister motives. Cybersecurity threats are real, and constant vigilance is imperative. The consequences of cyberattacks have put defending against cybersecurity threats very high on the list of the C-Suite. They will need to identify the areas that will be at most risk in the event of cyberattacks, develop policies for workplace behaviour and remote working, and ensure that the whole organisation toes the cybersecurity line. And they will have to start with themselves.