3 steps for better cybersecurity (2/2): What follows the initial discussion

The previous article explained how, if you want to take cybersecurity seriously, the first step is a thorough initial discussion. After that, what comes next?


Second step: Fire drills

Testing the cybersecurity functionality of your company may be compared to conducting a fire drill. Live testing will provide accurate information regarding the extent to which your company is vulnerable.

Phishing emails are still the most common route to a data breach. Although many people are aware of phishing, they often don’t realise how easily these scams can catch them out.

Test board members as a group in order to ascertain how many of them would be likely to fall victim to phishing. And don’t be afraid afterwards to share the results with both management and employees.

Top management may feel uneasy about such a step but there is no better way to raise awareness of the threat posed by phishing. This way you will prove that at your company cybersecurity is a top-level priority.

Some companies are getting particularly tough when it comes to vigilance enforcement. Exxon Mobil, after a phishing test, revoked the internet privileges of those employees who had taken the bait.

Third step: Final responsibility

Board members are often shocked when they first see the results of a cyber-exposure audit. Realising just how many risks there are stemming from vendors and IT suppliers can sometimes be rather unpleasant.

Exposure can be defined by how connected the company is with suppliers and their services and what dependencies exist. So the more you rely on third-party software and services, the more vulnerable you become. This cyber-exposure means that assets, services and processes are accessible through public networks. There are numerous exposure points:

  • Technical assets such as networks and online applications
  • People who use e-mail and social media
  • Information exchange between systems
  • Such processes as transactions, maintenance or software development

Once the board comprehends the sheer number of these risks and their scale, it will become obvious that IT cannot manage cybersecurity efforts on its own. Directors will surely realise that the final responsibility rests with them.

-jk-

Article source INSEAD Knowledge - INSEAD Business School knowledge portal
