As cyber threats continue to evolve and the attack surface continues to expand, a breach becomes a matter of when, not if. With migration to the cloud accelerating along with a shift to hybrid work and a surge of new IoT devices at play in every industry, it’s time for organizations to shift the way they view cybersecurity.
It is no longer enough to play defense, hoping you can thwart an attack and contain the damage when it comes. The leadership team at every organization — the C-suite — needs to focus its efforts on proactive protection with 24×7 monitoring, detection, and response.
The trouble is, members of an organization’s C-suite gained their positions by being experts in their particular field, and that field is rarely security and risk management. As a result, most C-suites are ill-equipped to transform their security culture and strengthen their posture. Truthfully, many don’t even know what questions to ask to begin the process.
The good news? The process can be kick-started by asking just nine key questions.
9 Foundational Cybersecurity Questions for Executives
1. What Is the Biggest Cybersecurity Threat We’re Facing Right Now?
Arctic Wolf’s 2023 Trends Report revealed that 48% of organizations rank ransomware as their number one concern for 2023. In the media, ransomware grabs all the headlines, and for good reason. There’s been a 435% increase in ransomware attacks since 2020, according to the World Economic Forum.
Ransomware is a type of malware that freezes a system or data, preventing users from accessing them. The idea behind the attack is to hold the systems or assets for ransom — promising to only decrypt them once a certain amount has been paid. Recent innovations in Ransomware-as-a-Service (RaaS) — which allows the developers of a ransomware variant to recruit affiliates that exclusively use their ransomware in targeted attacks on organizations — have helped fuel even more exponential growth in this kind of cybercrime, while the rise of cryptocurrencies, like Bitcoin, has made collecting a ransom easier and all but untraceable.
Ransomware is often spread through external exposure and user action. Most attacks have vulnerability exploits as their root point of compromise; however, user action, such as falling for social engineering tactics, is still a common cause of ransomware.
Once a bad actor has access to a system, network, or access point, they utilize malware to take over the system and then hold it for ransom. They make every attempt to encrypt during off-hours and target backup mechanisms to make recovery without paying the ransom very difficult. As a result, 74% of the time someone, either the victim themselves or a representing body such as an insurance company, chooses to pay some percentage of the ransom to get their data back.
2. What Are Our Compliance Obligations Regarding Sensitive Data?
Knowing which requirements to follow can become an arduous task, since compliance is dictated by different aspects of an organization’s business, which can result in the need to follow the guidance of multiple sets of standards or security frameworks.
67% of organizations follow between one and three sets of guidelines, with 6% required to follow six or more sets of compliance and framework standards. Increasing the number of compliance standards also increases the difficulty of meeting all their requirements.
Adding further complexity, competing standards may demand varying degrees of rigor to achieve compliance. When faced with this challenge, organizations are urged to follow the most detailed and strict requirements from each standard to ensure compliance is met.
Staffing Cybersecurity Questions Executives Should Ask
3. Do We Have Security Experts on Call 24×7?
For most organizations, the answer to this question will be “no.” The cost to obtain and retain an adequate in-house security team is simply out of reach for many. 56% of organizations believe they would need to hire five or more full-time staff members to adequately staff their security operations center (SOC), while 48% need 10 or more full-time dedicated cybersecurity experts to provide the around-the-clock monitoring, detection, and response required in today’s evolving threat landscape.
Even if an organization can afford to staff an in-house SOC, the experts needed to fill the roles are in drastically short supply. 32% of global organizations have difficulty hiring and retaining staff and 36% of organizations feel their current staff lacks the necessary expertise.
This is why many organizations are turning to managed security operations solutions like managed detection and response (MDR) to overcome their operational hurdles and gain the needed expertise required to proactively protect their environments.
4. Does Our C-Suite Need a CISO?
CISO stands for Chief Information Security Officer. The role first appeared in the mid-1990s and, as the rate and risk of cyber attacks have surged, countless companies have added CISOs to their ranks.
The CISO carries the security of the entire organization on their shoulders. They set company security policies, procedures, and standards, and are accountable for securing data, minimizing threats, and managing not only business requirements and compliance, but also the training and education of their organization’s people.
Any organization that uses, generates, or stores data (basically every business, organization, or entity currently operating) can benefit from giving security a seat at the C-suite table, where the CISO can bend the ear and influence the decisions of the CEO and other key leaders.
The Security Journey: Questions to Strengthen Your Cybersecurity Posture
5. Do We Allocate Cybersecurity Efficiently and Effectively?
Some organizations believe the solution to cybersecurity is more and more (and more) tools. Organizations utilize, on average, 45 different tools in their security stack, with 19 of them required to respond to a single alert. Let’s face it: If tools could solve the problem, they would have by now.
What these organizations have neglected is the human element. For cybersecurity to truly be effective, you need experts. Without a properly staffed IT team adequately trained in tuning the tools in your tech stack, sections of your environment go ignored. And you can’t ignore parts of your environment without increasing your risk of cyber attack.
Rather than buying more and more tools, proactive organizations harden their security posture by allocating their budget toward solutions that integrate the latest technology with 24×7 access to security experts.
6. Do We Need Cybersecurity Insurance? / Is Our Current Policy Adequate?
The cyber insurance industry is still in a nascent stage. Globally, by an almost 2:1 ratio, respondents to a recent survey said they have had their policies for one year or less compared with those who have had policies for up to two years. But, as threat actor innovations make cyber attacks more likely to occur and more damaging when they do, more and more organizations have begun to seek out cyber insurance policies, only to find them much more difficult to obtain.
Facing the exponentially increasing losses associated with cyber attacks, particularly ransomware attacks, a growing number of insurance companies have suffered mounting losses on their cyber insurance policies and abandoned the sector. Others have reduced coverage, increased premiums, or amended policies to make them less attractive.
All of this can leave the C-suite wondering: is it worth it to try to obtain a cyber insurance policy that meets our coverage needs? The answer to this question is almost certainly yes. Small to mid-size businesses can face profit-erasing or bankruptcy-inducing financial fallout from cyber attacks, as the average ransom seen by Arctic Wolf Incident Response is $450,000. And the larger the organization, the larger the ransom is likely to be. Also, as nasty new techniques like double (or even triple) extortion take hold across the cybercrime industry, the reputational and operational damage from not paying up can be even greater than giving in to the threat actor’s demands.
And ransomware is only one type of threat organizations need to be wary of. Vulnerability exploits can cripple systems, social engineering scams can siphon large sums of money, and compromised credentials can expose both your organization’s data and your employees’ personal information.
A cyber insurance policy, then, is a pillar of a comprehensive cybersecurity strategy — right alongside proactive vulnerability management, 24×7 monitoring and detection, effective security awareness training, and a robust incident response plan.
7. Do We Know Where Our Data Is and How it Is Protected?
Ultimately, an information security program is concerned with the confidentiality, integrity, and availability of data and of the services that utilize, store, transmit, and process that data. Knowing the nature of that data, how sensitive it is in terms of compliance obligations, where it lives, where it is transmitted, where it is used, who has access to it, and how long it should be kept is vital. For many organizations that data is core to their business. Just as an auto repair shop must keep track of and care for its tools, an organization must practice proper data lifecycle management, keeping track of where its data is, what it is, and how it is classified.
8. Are Our Employees Being Appropriately Trained?
The goal of a security awareness training program is to change behavior through education. These programs help employees identify risky habits and replace them with secure ones, and instruct users on how to both recognize the signs of an attack and react to one. The most effective security awareness training programs are long-term and utilize a variety of teaching methods to meet the compliance and legal requirements of your industry as well as to permanently change user behavior.
Security awareness is one of few programs that regularly interacts with employees, so proper implementation is crucial. Clearly defining and communicating security awareness goals and initiatives should be the lifeline of any program. Training that doesn’t engage with employees or doesn’t connect with the unique culture of a company will quickly fail.
That’s why, when it comes to security awareness training, content is king. Microlearning — a holistic, skills-based approach that incorporates short-session learning techniques — is the key to delivering high-quality, updated content to employees in small, manageable chunks at a greater frequency, which can improve reaction time, boost engagement and increase retention by 200%.
9. Do We Know How to Respond in a Cybersecurity Emergency?
When cyber attacks turn into major incidents, organizations need a proven partner to help them fully eradicate the threat and restore normal business operations. But it’s not enough to simply delete the threat. Instead, finding the root point of compromise, documenting what happened, and restoring business operations to pre-incident conditions are vital in every response scenario to get the organization back online and prevent future incidents.
Arctic Wolf® Incident Response is a trusted leader in incident response (IR), leveraging an elastic framework that enables rapid remediation to any cyber emergency at scale. Valued for breadth of IR capabilities, technical depth of incident investigators, and exceptional service provided throughout IR engagements, Arctic Wolf Incident Response is a preferred partner of cyber insurance carriers.