The Chief Information Officer (CIO), together with the Chief Information Security Officer (CISO), is primarily responsible for taking care of the organisation’s data and for overseeing the reporting and tackling of any technical vulnerability an organisation faces.
However, in a pandemic situation, like the one we are having in India, the frequent lockdowns, quarantines, and self-imposed isolations are affecting both our personal and professional lives, and the obligations of a CIO have increasingly become a shared responsibility with all members of an organisation, including the entire C-suite, explains Nikhil Korgaonkar, Regional Director, Arcserve India & SAARC.
Organisations today are facing many challenges, especially after the COVID phases. However, as threats to a business, none are more evident and immediate than the threat of cybercrime. This continues to rise in scale and complexity, affecting essential services, businesses, and private individuals alike.
As per reports by the Indian Computer Emergency Response Team (CERT-In), 394,499 and 11,58,208 cybersecurity incidents have been observed during 2019 and 2020, respectively, in the country. From September till December 2020, nearly 115,000 cyber-attacks were reported every month, totalling about 460,000 cases, as per the report.
According to the World Economic Forum Global Risks Report, cyberattacks are among the top ten global risks of most serious concern in the next decade, with more than $90 trillion potentially lost to threat actors. On top of that, cybercrime will cost the world $11.4 million each minute in 2021, according to Cybersecurity Ventures. Research firms and experts said cases are likely to increase in 2021, and all sectors, including manufacturing, services, education, and healthcare, may see more such attacks.
However, with remote working becoming the norm for most, cybersecurity has now become a shared responsibility with all members of an organisation, especially the C-suite. As threats become increasingly sophisticated and data breaches influence a company’s bottom line, overall reputation, and investment outlook, people are looking towards the people in charge. Customers hold them responsible whenever a data breach compromises their credit cards, and investors are questioning the C-suite whenever an attack devalues the company. And the public always points to the failings of the C-suite when a cyberattack cripples an organisation.
Three ways the C-suite can protect their organisation against cyberattacks
Besides the IT team, the C-suite is one of the first responders on the scene in case of an attack, and as such, it should be their top priority. Here are three ways the C-suite can protect their organisations and help reduce the risk of cyberattacks on the frontlines now.
Prioritise employee education and training from the top
The earliest step that the C-suite needs to take to ensure their organisation’s data is protected against potential cyberattacks is to educate and train their employees on the latest threats out there. Whether that’s malware, phishing emails, or DDoS attacks, the C-suite needs to invest time and money in teaching employees about the everyday basics of cyber hygiene. This includes teaching them how to spot and recognise fraudulent emails that contain suspicious links, and to regularly update passwords to critical endpoints such as emails and social media sites. Providing clear and straightforward IT guidelines/frameworks to the employees will increase overall cyber literacy within an organisation. By going that extra mile and hiring technical specialists, the C-suite can also help promote practical and interactive training sessions that involve simulating specific attacks, to help boost the company’s level of experience and cyber maturity.
Take responsibility from the top
But while CIOs typically spearhead these efforts, other C-suite executives can rise in support of these programs, to add an extra level of reassurance and integrity. The Chief Operating Officer (COO), often second in command behind the CEO, can help provide the authority needed to advocate for an improved company security culture and practices. The Chief Human Resources Officer (CHRO) can also help communicate this further down to other employees and stakeholders, improving trust and uptake in the company’s security vision. Even the Chief Marketing Officer (CMO), who is directly tied to customers and clients, can communicate how company data is protected and provide assurances. Most of all, the CEO, the de facto leader and face of the company, can become more active in making data security a key point of discussion and engagement in meetings with the entire C-suite, investors’ board, and partners. He or she needs to always be ahead of the curve on the latest regulatory landscape involving security and the latest threats and threat actors, to make intelligent decisions about IT budget allocations.
Ensure recovery and continuity plans from the top
The global pandemic has created an excellent diversion, and bad actors are taking full advantage. The coronavirus has spawned several pandemic-themed attacks. Just recently, hackers tried targeting unsuspecting Android mobile users in India by circulating a fake SMS message that offered an app for vaccine registration. Despite the multiple plans and strategies in place for any eventuality in every company, companies still get caught out by a new and more sophisticated attack. The C-suite simply needs to implement a more robust response and recovery plan to keep their business running in the event of a cyberattack. They need to conduct an inventory of all data present, encrypt sensitive information such as employee data and financial records, and create regular backups stored safely outside of the network. Backing up data is the best way to ensure that even if data gets lost in an attack, external copies can be accessed and used later on. This means that an organisation never loses its data entirely.
However, for some executives, investing in these security options is a hard line item to justify because there’s rarely any tangible payoff. Often this type of investment gets overlooked because it does not correlate directly with reduced spending or increased employee productivity, and as such, it always gets left behind. On the flip side, the risk of not investing in secure solutions could put their organisation at risk of financial and reputational damage. Research firms and experts said instances are likely to increase in 2021, and all sectors, including manufacturing, services, education, and healthcare, may see more such attacks.
The C-suite needs to find better solutions now and budget security resources intelligently whilst weighing the cost VS ratio to find that perfect balance.