2 Critical Cybersecurity Lessons for Future Business Leaders

In the world of business there will always be obstacles to overcome, including cybersecurity threats. The issue of cybersecurity has appeared in the news frequently over the past few years. Examples include:

• Accusations of data breaches in both the recent U.S. and French presidential elections
• The WannaCry ransomware attack, which infected over 300,000 computers in 150 countries and brought Britain’s National Health Service to a standstill
• The Sony Pictures hack of 2014, which released emails, salary data and personal information of employees at all levels
• The Target data breach of 2013, where hackers stole up to 40 million credit and debit card records

Future business leaders should recognize the prevalence of these hacks as a call to action. They should take the initiative and plan to put themselves at the forefront of cybersecurity within their companies. In doing so, they can ensure their businesses are better protected from data breaches. With the knowledge from an online EMBA program, future executives can learn from recent hacking scandals and position their companies to prevail in the event of a cyberattack.

As a result of the ongoing attacks, here are two key lessons for executives:

Lesson 1: Understand the different types of cybersecurity attacks

The election hacks, WannaCry and the leaks at Sony and Target all point to a single undeniable truth: Cyberattacks must be taken seriously. It's important for executives to understand the real risk they pose to their businesses.

First, leaders need to know the different types of security attacks. The first type, and the one executives are perhaps most familiar with, is a data breach. A data breach occurs when sensitive information is accessed, stolen or copied and subsequently sold or leaked. The data often involves details like customer payment information, which is what was stolen from Target in 2013. Cybersecurity software provider Symantec logged 1,209 breaches in 2016, 10 of which left over 10 million identities exposed. These sheer numbers should alert all business leaders to the major threat data breaches pose.

The next type of attack is ransomware, a subcategory of malware. Instead of stealing information, attackers install a program on their target's computer that encrypts data. The malware is commonly delivered as a link or attachment within an email, and the information is held hostage until a ransom is paid, usually in a digital currency known as bitcoin. According to Symantec's annual Internet Security Threat Report, the average ransom increased nearly $300 from 2015 to 2016, reaching $1,077.

Finally, company employees must look out for phishing scams, in which hackers try to trick targets into unwittingly handing over login credentials. Most of these phishing attacks are conducted via email. An employee will click on a link to what they think is a legitimate website (for example, the company's online portal) and input their username and password. The hacker takes this information and uses it to log into the online portal, gaining access to all the data within.

Other common cyberattacks include:

• Denial-of-Service: Attackers disrupt service to a network by sending large amounts of traffic at once. A Distributed Denial-of-Service attack uses multiple hijacked computers to disrupt a network.
• Man in the Middle: Hackers impersonate the endpoint of an online connection. For example, an online customer sends payment data to what he or she thinks is Amazon.com but is actually a hacker. That hacker then interacts with Amazon pretending to be the customer and collects data from both parties.

Cyberattacks do more than put information at risk—they can also cause irreparable harm to a business. KnowBe4, a security training company, estimated ransomware cost companies over $1 billion last year. Furthermore, data breaches decrease public trust. As a result, consumers feel like their private information is vulnerable with a hacked business and will likely switch to a competitor.


There are many types of cyberattacks that threaten businesses.

Lesson 2: Be prepared and lead the effort

Since the potential effects of a cyberattack can be severe, leaders must understand their role with regard to prevention and protection. Senior managers and executives should be the ones to spearhead cybersecurity campaigns and best practices within their organizations. In fact, after surveying executives from over 200 organizations, McKinsey discovered that attention from senior management was the biggest factor in the strength of a business's ability to manage cybersecurity risks.

Executives who implement cybersecurity best practices model behavior for other employees to follow. They set the standards, and the rest of the company knows what is expected of them. By adopting a security-first mindset where protecting company data is a main priority, executives can create policies that effectively reduce risk.


Organizations with dedicated leadership are usually best equipped to fight cybersecurity attacks.

In a conversation with ThinkProgress, Alex Rice, chief technology officer at security firm HackerOne, summed up the idea perfectly: No business is immune to the possibility of a cyberattack.

"Policy has to be crafted and constructed in a way that the assumption that data breaches like this are in the realm of possibility," Rice told the publication.

Not every business needs the exact same security measures, but experts agree every business should adopt a proactive approach when it comes to the threat of hacking. Such strategies can include tactics similar to the ones listed below:

Continuously updating company software: WannaCry mostly affected computers using older versions of Windows XP, Windows 7 and Windows Server 2008. Executives, especially Chief Information Officers, should make sure their information technology departments routinely check for and install software updates.

Communicating responsibilities: According to a Clearswift survey of over 500 IT personnel and 4,000 employees, 22% of respondents don't feel they are obligated to safeguard their employer's data. Executives should ensure every employee feels responsible for cybersecurity. They can relay this information through company-wide meetings or incorporate the importance of cybersecurity into their new hire onboarding programs.

Educating employees on how to spot fraudulent emails and links: Executives must take the lead in establishing training programs to help employees spot possible hacking attempts. Phishing campaigns, for example, try to imitate legitimate senders, but there are almost always subtle differences that a trained eye can identify.

Limiting communication between work and personal devices: An employee can accidentally forward an infected email from his phone to his work address. Executives should instruct their staff not to mix work and personal communications if possible. If employees must use their personal devices for work, executives should instruct them to adopt security best practices at home so they do not accidentally spread malware to work.

Consistently testing internal security measures: Executives should instruct their IT departments to routinely test and provide reports of their security efforts. If a weak point is found, executives should research and approve methods to fix it. Hacker techniques are constantly improving, and routine testing helps businesses remain up to date.

Executives also have greater control over the company budget. They can invest in measures like firewalls, encryption services and top-tier information security teams, all of which provide a stronger defense against cyberattacks.

Preparing for future leadership at The Carson College of Business

Cybersecurity deserves to be a major focus of tomorrow's business leaders, and aspiring students can obtain the tools they need to make these and other critical decisions with The Carson College of Business. Our online Executive Master’s of Business Administration program curriculum was designed to empower future leaders to make the right types of decisions for their businesses.

Sources:
https://onlinemba.wsu.edu/executive-mba/

https://www.symantec.com/content/dam/symantec/docs/reports/istr-22-2017-en.pdf

http://quickbooks.intuit.com/r/technology-and-security/8-types-of-cyber-attacks-your-business-needs-to-avoid/

https://www.knowbe4.com/hubfs/Endpoint%20Protection%20Ransomware%20Effectiveness%20Report.pdf

https://onlinemba.wsu.edu/executive-mba/leadership-conference/

https://www.theverge.com/2017/5/30/15712542/windows-xp-wannacry-protect-ransomware-blue-screen

https://www.clearswift.com/about-us/pr/press-releases/new-research-reveals-more-third-employees-willing-sell-private-company-data-and-proprietary

https://onlinemba.wsu.edu/executive-mba/curriculum/