By now, it’s no secret that cybersecurity needs to be top of mind for every executive and board member in any company. Unfortunately, what tends to be more common than security-savvy executives and directors, are executives and directors who aren’t as on top of their cybersecurity game as they could be, making them vulnerable to cyberattacks. Here are five ways senior executives and board members can drive a culture of cybersecurity and resilience in their organizations from the top down.
Ask them, if their company data was held to ransom by criminals, how much would it cost? And, what about the damage to their reputation, with business partners, customers and throughout their supply chain? What if they suffered a data breach and confidential information was publicly released relating to their company or customers? As a senior executive or board member, they have a duty to set an example for the rest of their organization to follow, making clear that cyber security is a top priority. A single cyberattack or incident could destroy their company overnight.
Cybercrime is all-pervasive, and its big business. Ransomware, phishing, and business email compromise (BEC) are some of the most common forms of attack, targeting executives and employee inboxes. And often there is little or no risk for offenders if they are in a foreign jurisdiction for example.
Here are five simple tips for you to share and discuss with them.
1) Be aware of email security threats
Spear phishing, phishing, and business email compromise are fraudulent methods of obtaining sensitive and confidential information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details into a fake website whose look and feel are almost identical to the legitimate one. The term phish is derived from fishing: it’s like bait used to catch fish. You can find examples to share with them, of common phishing attacks on our blog.
2) Protect data from phishing attacks & ransomware
Hackers may try to scam them by posing as a legitimate organization, such as their bank or credit card company, or a major tech vendor like Microsoft or Drop Box. Phishing attacks are most commonly executed via email, with 90% of attacks delivered that way. Ensure that through prominent messaging and training of their frontline, that they don’t click links in emails that come from untrusted sources—no matter how good the emails look. Another common email threat is ransomware: when hackers encrypt important data on their company servers and devices, and demand payment to get it back. If their company is targeted with ransomware, they shouldn’t pay up; instead, they should reach out to you, their trusted email security partners and contact authorities immediately.
3) Back up data
Before they put their data at risk from a ransomware attack, make sure that it’s backed up. There are several ways to do so depending on their company’s size and budget. One of them is to outsource to cloud-based providers such as Amazon Web Services or Microsoft Azure, which offer data backup as a service. Another is to purchase software designed specifically for companies from vendors like MailGuard. Either option has pro’s and con’s — but in some cases it might be more expensive not to act. Hackers often demand payment within one or two days; if they don’t have multiple backups stored elsewhere, they could lose everything in a matter of hours. If they think it won’t happen to them, remind them that other companies like Kaseya, Toll Group and Garmin made the same mistake. It can happen to anyone.
4) Keep devices updated
You can never have too many security updates. Most cybersecurity breaches are due to vulnerabilities that could have been mitigated with proper software updates. Make sure your customer’s devices, including their computers, phones, and connected devices like printers and other peripherals, all receive regular updates to patch any vulnerabilities. All it takes is one mistake to land a device in a hacker’s hand — it’s better to be safe than sorry! Especially if those devices are networked, they can often represent an easy back door into their network for cybercriminals. Even something as innocent as a smart kettle or fridge might be an avenue into their network and data. They should use anti-virus: Even if all of their devices are updated, there’s still a chance that hackers will get through. Anti-virus software provides an extra layer of protection against viruses and spyware. Make sure they install anti-virus onto every single computer (desktop or laptop) or mobile device under their control.
5) Follow Industry Best Practices
The first step towards a culture of cybersecurity is to follow industry best practices in IT infrastructure and data management. Industry best practice starts with a zero-trust approach, assuming that their network has been breached and ensuring that they won't be able to get too far if a bad actor does gain access.
It’s also important to make sure that your customer’s organization has an incident response plan (IRP) in place, which is essentially a contract between their company and its users. If there is ever a data breach, it will be much easier to contain if they have an IRP in place. Likewise thorough business continuity planning (BCP) and disaster recovery planning (DRP) will make sure that they're ready if and when the real thing happens.
Ensure that they have strong password controls too. A weak password or too many passwords are what exposes all companies to cyberattacks. Passwords should never be shared; they should always be strong passwords and changed on at least a monthly basis. They should mandate that employees use two-factor authentication or MFA. Employees should use two-factor authentication wherever possible when logging into their accounts, which makes it more difficult for hackers to access sensitive corporate data. A password management software like LastPass or similar, are a good option to recommend, ensuring robust passwords, providing oversight of compliance, and delivering better control and peace of mind for company leadership.
So, What's Next?
The very first thing a senior executive or board member should do is make sure they’re being informed of security incidents as they happen. This can be done through best practice email security technology like MailGuard, to filter out malicious threats before they reach their teams' inbox and provide critical reporting and control for IT & infosec leaders. Their business will be instantly more secure. Whether your customer’s business is using Google Workspace, Microsoft 365, or another platform, a multi-layered approach to email security with a specialist vendor like MailGuard is vital.
Encourage them to embrace their IT and security partners and ensure that their internal teams understand that cybersecurity is a top priority and that they have their full support. They should get to know their IT admins and others on their front line and ensure that their executive team and board are regularly briefed on any security threats. Depending on the size and complexity of the organization, this may be best achieved with a risk management committee and framework to ensure visibility of their end-to-end exposure. With the right tech in place, alongside well thought out processes and procedures, and ultimately executed by good people, their organization will be well placed to repel and mitigate any cyber threats.
Your customers can stay ahead, and stay protected, by proactively pursuing preventative measures and advocating to their team before something happens. Encourage senior leaders to learn more about the threat landscape and vendors like MailGuard, by reaching out to my team at firstname.lastname@example.org. We’re here to support you and your customers.
Talk to us
MailGuard's partner blog is a forum to share information and we want it to be a dialogue. Reach out to us and tell us how we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.
Australian partners, please call us on 1300 30 65 10
US partners call 1888 848 282 2
UK partners call 0 800 404 8993