Some cyber attacks, particularly those like the spate of ransomware incidents that seem to be never-ending at present, have some very visible consequences for organizations: outage of customer-facing services, losses in productivity, revenue, and reputation, not to mention the costs of remediation (like, say, paying the ransom), possible data leakages and even regulatory fines. However, it’s not just damage to the organization that such cyber incidents cause; they can also get personal. Beginning with the famous “Target Breach”, moving on to Home Depot, Sony, the Equifax breach and the Imperva breach, several CEOs have been held responsible and forced to resign after highly damaging cyber incidents.
It might be assumed that the CISO would be the one primarily in the hot seat for such failures, but industry analysts Gartner say that future cyber attacks could result in “personal liability” for 75% of CEOs by 2024. In short, the entire C-suite needs to prepare for the consequences of a successful cyber attack, which can damage both the business and the careers of those tasked with ensuring the organization’s security.
Risk, Regulation and Evolving Threat Actors
Until very recently, companies could have kept cyber incidents and data breaches under the radar and away from the public eye. However, advancements in regulation, public sentiment and the nature of cyber attacks have changed all that.
HIPAA, GDPR, CCPA, NYC DFS and a host of other data breach notification and privacy regulations have made it impossible for companies to legally hide the fact that they have suffered a major cyber incident. Companies and individuals that try to downplay this could be caught and penalized, as was the case with the former CISO of Uber, who is now charged with obstruction of justice. He allegedly tried to cover up a 2016 hack that compromised the data of millions of users and drivers and present it as a security penetration testing exercise (while allegedly paying the actual hackers to go away).
The nature of attacks has also changed. Modern ransomware attacks are now exfiltrating huge data sets before encrypting and announcing to the world that their victim has been hit. The cyber criminals threaten to publish or sell the stolen data if their ransom demands are not met. In many cases, this means that the public will almost certainly become aware of the incident, at which point it only harms the victim’s reputation further if they continue to deny it or refuse to even make a public comment on it. Moreover, as the public have become increasingly aware of just how much data – and how sensitive it can be – is held about them, there is increasing anger at companies and organizations accused of having lax security practices. Many consumers now indicate that organizations should be held accountable for security negligence: A recent survey found that 35% of UK consumers see the CEO as personally responsible in case of a cyber incident.
It’s no surprise, then, that cases of executives being held personally accountable for such incidents are not hard to find. The CEO of Austrian aerospace parts maker FACC was fired after the company was hit by cyber fraud that cost it some $47 million. The details are murky, but it has the hallmarks of a classic Business Email Compromise: someone very senior within FACC, perhaps the CEO, was approached by email from what appeared to be a business partner or vendor and approved a wire transfer directly to the fraudsters. After the transfer was made, it was discovered that the actual partner had never approached the company and the money was gone, costing both the CEO and the CFO their jobs.
In other cases, executives have been held accountable because cyber is now considered a fundamental business operation. For example, after the SingHealth data breach, the CEO and 4 other senior managers were fined due to their “collective leadership responsibility”.
Seven Steps to Secure Your Organization
It’s famously been said that “Cyber is hard”, but there is a well-defined path to enterprise security that responsible organizations can follow, limiting both the risk of and the fallout from a security breach.
- Assess Your Security Posture – The first step to consider is the status of the organization’s security posture. The C-suite (CIO, CSO, CISO) needs to have a clear and updated understanding of the organization’s security apparatus, including staffing levels, training, systems and procedures, incident response and business continuity. Are you still relying on legacy AV solutions that are easily bypassed by today’s threat actors? Who is tasked with threat hunting, and how often? What does your Incident Response procedure look like today? In the heightened security environment we now face, when threat actors from script kiddies to APTs are able to access and wield sophisticated malware, it is imperative to have a clear understanding of your current security posture.
- Conduct a Cyber Risk Assessment – The CEO and C-level executives need to understand the nature of the cyber threats the organization faces. There are plenty of tools available for risk assessment, including using industry benchmarks, government and law enforcement agencies recommendations and threat intelligence feeds. The risk assessment should also include regulatory and commercial risks such as reputation loss due to cyber attack.
- Develop a Business-wide Security Plan – With a clear understanding of the threats facing your organization and your current security stance, it is possible to assess where the organization fares well and where there is room for improvement. It is vital to have a plan to address these gaps according to the organization’s risk appetite. The plan should include a modern EDR platform, Incident Response and mitigation capabilities, backup systems and business continuity procedures.
- Allocate Sufficient Resources – After formulating and approving a security plan, the appropriate staffing, organizational and financial resources must be allocated. This is critical. A plan that calls for human resources you don’t have and don’t make provision to supply is not so much a plan as wishful thinking. A plan that cannot be implemented because it requires structural changes that the organization is not willing to make is merely a wasted thought experiment. A plan that lacks a fully worked-out and approved budget suggests there was no real will or intent to facilitate change. None of this is going to look good when stakeholders start apportioning blame in post-incident analysis.
- Practice Continued Oversight – The implementation of a well-thought-out, sufficiently resourced plan must be accompanied by monitoring and reporting to senior management. A contingency plan that was only partially implemented, not implemented as intended, or that (in practice) was not as “fit for purpose” as it seemed on paper, may be worse than no plan at all. Security executives should also monitor how the business is developing and how operational changes might impact the security plan. For instance, the sudden shift to working from home has markedly changed the risks organizations face, but how many businesses have updated their security planning and solutions to take that into consideration?
- Engage an External Audit – It is advisable to introduce an external audit in order to validate the CISO’s plan and its execution. The benefits here include a non-partisan, objective look at your preparedness and compliance that can not only provide internal confidence that you are doing the right thing, but it can also be a vital part of rapidly rebuilding external confidence after a security breach.
- Rinse and Repeat – By the end of the period (fiscal year, calendar year, quarter) it is imperative to assess the success of the plan and decide whether to continue with its implementation or make changes. Plenty of organizations thought they had a great plan in place, only to find a threat actor had repeatedly breached their defenses for months on end.
How To Respond When a Cyber Attack Happens
But executives are not only measured by how well they plan and let their people execute. They are also measured by how well they respond to crisis. When a crisis hits, it is best to act according to the predefined plan. If there isn’t one, bring in experts in Incident Response and crisis management as soon as possible.
It is imperative to communicate the situation promptly and openly with the board, employees, customers and the media. Organizations that react quickly, honestly and transparently usually receive the support of all these factions, and the mistakes (if there were any) are often quickly forgiven.
For example, Q&A site Quora suffered a data breach in late 2018, affecting approximately 100 million Quora users. The CEO responded quickly, publishing a very transparent blog post and notifying all users via email of how the breach affected stakeholders. The company then set up a dedicated Q&A site with timely updates to users as the situation unfolded.
Securing your organization against today’s cyber threats is a business imperative. Long gone are the days when management only needed to hire an IT admin to install an off-the-shelf antivirus, erect a firewall around the network perimeter and sit back and think about “more important” things. In today’s world of cloud computing with containerized workloads, a remote workforce, and a dizzying array of unsecured IoT devices jumping on and off your network, combined with the exponential growth and sophistication of cyber attacks and cyber attackers, security is not only the C-suite’s responsibility, it may be their number one priority.