Executives need to take a particular interest in cybercrime. That is a big ask, since most business leaders have a minimal understanding of cybersecurity and do not have the time to become experts in the field. But can they ask the right questions? Modern organisations rely heavily on digital systems to keep them fast, flexible, and competitive, but those same systems expose them to a range of risks, including connectivity failure, data loss, and regulatory fines for compliance failures. In particular, cyber-related crime and negligence loom large in risk registers. The Allianz Risk Barometer 2022 ranks cyber incidents as companies’ top business disruption fear. According to the same survey, South African companies ranked cybercrime and critical infrastructure blackouts as their greatest concerns.
What should an executive or board member ask?
My recommendation is to start with the following five questions:
1. How many endpoints are in the enterprise?
This question may seem trivial, but it is an effective test of whether your security team has a grip on its responsibilities. An endpoint is any device that connects to the corporate network (laptops, desktops, phones, servers, and increasingly IoT devices), and endpoints are where most breaches begin. Astute security managers and executives should know how many endpoints are on the business network and, just as important, how many of them are actually managed and monitored. They might need a moment to look up the exact figure, but if they cannot produce it quickly, or if the figures from different sources (the asset register, the directory, the endpoint protection console) do not agree, you can question whether they have accurate security reporting or insight.
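The practical check behind this question is reconciling the endpoint counts that different systems report. The following is an added example, not code from the original article: it compares three constructed inventories (a hypothetical directory export, an endpoint-agent console export, and a network scan) and reports not just the headline number but the gaps, which is what a security team should be able to show when asked.

```python
# Added example (not part of the original article): reconcile endpoint
# inventories from three hypothetical sources to answer "how many endpoints?"
# and, more usefully, "how many are unmanaged or unmonitored?".
# All host names and source names below are constructed sample data.

from dataclasses import dataclass

# Constructed sample data. Real sources would be a directory/MDM export,
# the endpoint-protection console, and a DHCP lease or network-scan list.
DIRECTORY_EXPORT = ["ws-001", "WS-002.corp.example", "ws-003", "srv-db-01", "srv-web-01"]
EDR_EXPORT       = ["ws-001", "ws-002", "srv-db-01", "srv-web-01", "lab-pc-9"]
NETWORK_EXPORT   = ["ws-001", "ws-002", "ws-003", "srv-db-01", "srv-web-01", "lab-pc-9", "printer-2f"]


def normalise(name: str) -> str:
    """Reduce a host name to a comparable key: lower-case, no domain suffix.
    Without this, 'WS-002.corp.example' and 'ws-002' count as two endpoints."""
    return name.strip().lower().split(".")[0]


@dataclass(frozen=True)
class EndpointReport:
    total: int                   # distinct endpoints seen by any source
    unmanaged: frozenset         # on the network, unknown to the directory
    unmonitored: frozenset       # in the directory, but no endpoint agent reporting
    untracked_agents: frozenset  # agent reporting, but host not in the directory
    agent_coverage: float        # share of directory hosts with an agent


def reconcile(directory, edr, network) -> EndpointReport:
    """Set arithmetic over the three normalised inventories."""
    d = {normalise(h) for h in directory}
    e = {normalise(h) for h in edr}
    n = {normalise(h) for h in network}
    coverage = len(d & e) / len(d) if d else 0.0
    return EndpointReport(
        total=len(d | e | n),
        unmanaged=frozenset(n - d),
        unmonitored=frozenset(d - e),
        untracked_agents=frozenset(e - d),
        agent_coverage=coverage,
    )


def report_lines(r: EndpointReport) -> list:
    """Board-level summary: the headline number plus the gaps behind it."""
    return [
        f"Endpoints seen by any source: {r.total}",
        f"Agent coverage of managed hosts: {r.agent_coverage:.0%}",
        f"Unmanaged (on network, not in directory): {sorted(r.unmanaged)}",
        f"Unmonitored (in directory, no agent): {sorted(r.unmonitored)}",
        f"Agents on hosts not in directory: {sorted(r.untracked_agents)}",
    ]


if __name__ == "__main__":
    for line in report_lines(reconcile(DIRECTORY_EXPORT, EDR_EXPORT, NETWORK_EXPORT)):
        print(line)
```

On the sample data the headline answer is seven endpoints, but the useful answers are the two devices on the network that nobody manages, the managed workstation with no agent, and the lab machine that has an agent but is not in the directory. A team that can only quote the first number, not the other three, probably does not have the reporting this question is testing for.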
2. What are our biggest risks, and what are our contingencies?
When a business suffers a breach, the first question is often why it was targeted. Executives tend to assume the business was singled out, but in most cases the attack was opportunistic: criminals scan broadly for soft targets and reuse attack methods that have already worked elsewhere. The worst thing a company can do is assume it is not a target, because it will then ignore its cyber risks. Your security experts cannot fall for this assumption. They should be able to articulate the business’s main risks and show the contingency plans and processes, including tested incident response and recovery procedures, for when the worst happens.
3. How do we provide baseline security for a new project?
Modern companies run on software and digital systems, which is exactly where cybercriminals operate. Security must therefore have a place at the start of any new project. Even if the project extends previous work, security staff should review it and advise on its protection. But the managers and executives who own the project must ask this question: it is on them, not the security team, to make security a priority. Security bolted on afterwards is less effective and more expensive, and it often hampers the project’s performance. Responsible leaders settle project budgets and deadlines before work of consequence begins. Cybersecurity is no different.
4. Are we getting the expected value from our cybersecurity investments?
5. Do our security people have enough access to the rest of the business?
What if your staff cannot answer these questions well? It is not necessarily their fault. They may struggle because they lack the right tools, their workloads are overwhelming, or your leaders keep them at arm’s length and they lack visibility into business operations and strategy. The aim of this questioning exercise is to establish a rapport with your security people and to identify those gaps.
Organisations that make the effort to treat cybersecurity as part of running the business reduce their cyber risk. We call these businesses “cyber-safe”: a state in which cybersecurity is as much a part of the organisation as finance, logistics, and human resources. If you want a cyber-safe business, start by asking these questions.