Your Company is a Castle. Are You Prepared to Protect It From Invaders?
Grow Your Business, Not Your Inbox
As the CEO of a national information technology consulting firm, I have asked hundreds of clients, "What keeps you up at night?” While I get a lot of answers, most of these answers can be summed up in four words: fear of the unknown. I often joke to my staff that I get paid to be paranoid, whether it’s losing a sales deal, anticipating competitor movements or even dealing with politics within my clients. In business, I see paranoia as a strength, allowing me to acknowledge that there are many unknowns that can affect a situation and force me into thinking through multiple scenarios for planning. Much like chess, thinking many steps ahead helps my team anticipate and plan for clients shifting priorities, competitor moves or staff changes.
One area in particular that I continue to be very paranoid in is cybersecurity. My business works with many Fortune 500 companies and Department of Defense agencies that take cybersecurity very seriously, and this seriousness flows down to us. With almost every client, we have contracts and agreements to adhere to our clients’ cybersecurity policies. As the CEO, it's my responsibility to ensure we meet these standards and agreements to protect my clients’ information. In addition, it's my responsibility to protect the personal data of the employees that they have entrusted to us.
A security breach can have devastating effects on our business and the trust we hold with our clients and employees. Perhaps a company like Equifax can survive getting 148 million client records hacked, but losing the trust of my clients and employees could put us out of business.
Protecting the data of our clients and employees can be a daunting task, especially with 150 employees and contractors interacting with our clients on a daily basis. On a day-to-day basis, I am responsible for protecting all this data. However, I have no idea what information is being accessed, downloaded or emailed in and out of our company.
Who has the keys to the castle?
When talking to my staff about cybersecurity, I compare the company to a castle with lots of doors and entry points. Our job is to ensure that all the entry points are protected to keep unwanted intruders out. But it's equally as important to ensure no information gets out, either accidentally or maliciously. This includes information in the digital and physical space.
Once an army crosses the moat, all bets are off. And, as Game of Thrones has taught us, an insider letting in an invader through some secret entrance subverts all the precautions. Never underestimate the threat humans have in your cybersecurity strategy. A chain is only as strong as its weakest link, and people are the weakest link.
As you think about your strategy for cybersecurity, focus on the three Fs: find, fund and fix. And this is where paranoia comes in handy. Think of all the scenarios that can come about. Be prepared, because this can be a dark exercise. Some basic scenarios to think about are:
What if someone loses their laptop or phone?
What if someone compromises their password?
What if an employee downloads unauthorized data?
What if an employee intentionally tries to forward data to a third party?
Once you pull the thread on these questions, there are all kinds of bad scenarios that surface. And, you’ll probably start realizing there are way too many open doors to your castle.
Another key strategy to find your cybersecurity gaps is to compare your security tools, also known as your security stack, to standards published by the National Institute of Standards and Technology or the International Organization for Standardization. This process can be laborious, but if you Google “tools rationalization,” you can find some companies that can automate this for you.
Ignorance is a liability
As a CEO, you don’t have to be an expert in cybersecurity, but the risks and impact of breaches are too great to not become educated. Start understanding the terms like social engineering, phishing, ransomware, and Distributed Denial of Service (DDoS). You need to understand the risks of the third-party applications you rely on and your new cloud computing initiatives. You also need to know solutions that you may be asked to fund, such as Single Sign-On (SSO), Multi-factor Authentication (MFA), Mobile Device Management (MDM), and Cloud Access Security Broker (CASB).
Ultimately, the decisions on these investments fall on the company leadership, many of whom will never understand the technical details of cybersecurity technology, risks, frameworks, etc. The key is to relate the cybersecurity risks to business objectives, like customer experience, financial management, supply chain, reputation and brand protection so they can understand where to make the best investments based on their business objectives.
When it comes to cybersecurity, paranoia is a good thing. It keeps you on your toes and you can use it to find your risk blind spots. Once you uncover your vulnerabilities, you can take action on them.