The Alarming Truth About CEOs and Cyber Attacks
Today’s cyber attacks have evolved beyond mere data theft and can encompass more sinister tactics, such as taking control of entire systems or extorting companies for ransom. With cybercriminals becoming more sophisticated and nefarious in their tactics, it is no wonder that businesses are growing increasingly concerned about their cybersecurity.
One interesting study by ISTARI and Oxford University sought to find out how CEOs, as leaders of their companies, manage cybersecurity risk and whether they are doing enough to safeguard their companies against the increasing frequency and severity of cyber attacks.
Dr Manuel Hepfer, Head of Knowledge and Insights at ISTARI, and his team carried out a comprehensive analysis involving 37 CEOs from various industries. The CEOs collectively oversaw a staggering 1.3 million employees, with the companies interviewed averaging a remarkable revenue of USD $12 billion. Furthermore, their combined experience as CEOs amounted to an impressive 325 years.
Interestingly, when speaking to Cybersecurity Asean, Dr Hepfer shared that an important lesson to be taken from it all was that many CEOs found that they were focused too narrowly on cybersecurity protection, which he said “is defined by most people as the protection of the confidentiality, integrity and availability of the data in systems”.
As a result, despite investing heavily in cybersecurity protection, most organisations were not adequately prepared for a major cyber attack. The ensuing “CEO Report on Cyber Resilience” published by ISTARI and Oxford University highlighted the need for CEOs to shift their focus from just protecting data to building an organisation that is resilient to cyber threats.
The CEO Accountability Paradox
The report’s findings also reveal an interesting paradox regarding the accountability of CEOs for cybersecurity. On the one hand, the research indicates that CEOs feel a high level of responsibility for cybersecurity in their organisations. However, on the other hand, the same CEOs reported feeling uncomfortable when it comes to making decisions about cybersecurity. This disconnect suggests that while CEOs recognise the importance of cybersecurity, they lack the confidence and knowledge necessary to make informed decisions about it. This highlights the need for organisations to provide their leaders with the tools, resources, and support required to build cyber resilience.
Dr Hepfer said the fact that 72% of CEOs do not feel comfortable making decisions about cybersecurity is significant. It suggests that there is a critical gap that needs to be addressed. To address this gap, organisations need to invest in cybersecurity education and training for their leaders. They must provide executives with a clear understanding of the risks and threats facing their organisations, as well as the measures that can be taken to mitigate these risks. Additionally, companies must create a culture of cybersecurity that emphasises the importance of risk management and empowers all employees to take responsibility for protecting the organisation.
The Shift to Cyber Resilience – The Need for a Proactive Approach and a Culture of Security
As mentioned earlier, many companies are investing heavily in “preventative” controls, such as firewalls and antivirus software, but are neglecting responsive and reactive controls. As Dr Hepfer notes, “80% of cybersecurity controls are focused on prevention, leaving only 20% for responding and recovering from cyber attacks.” This suggests that companies need to re-evaluate their approach to cybersecurity and shift their focus to building resilience. A comprehensive approach to cybersecurity should include measures such as incident response planning, employee training programs, and cyber insurance. By investing in responsive and reactive controls, companies can increase their ability to detect and respond to cyber attacks, minimising the impact of a potential breach.
Based on the findings, Dr Hepfer suggests that cybersecurity measures should not just focus on protecting the data, but also on building a resilient organisation that can withstand cyber attacks. Quoting him, “They threw so much money into the protection of the data systems and data. And then when things went wrong during the attack, they realised they hadn’t invested enough in the overall resilience of the enterprise.”
The traditional approach of solely investing in cybersecurity protection is no longer adequate in today’s rapidly evolving cyber threat landscape. Companies need to adopt a more proactive approach that goes beyond simply fortifying their defences. They should create a culture of security that involves every employee, ensuring that they are all aware of the potential cyber threats and are equipped with the necessary knowledge and skills to respond effectively in case of an attack. This will enable companies to be more resilient, not only to cyber threats but also to other unexpected events that could disrupt their operations. In other words, companies should move from being purely security-focused to being security-resilient.
Taking the First Step Towards Building Cyber Resilience
The report outlines two ways in which CEOs can contribute to building cyber resilience. The first is by changing their mindset. As Dr Hepfer states, “All of them are scared. They know that it’s important. It’s on the top end of the risk registries, everybody’s talking about cyber, but still, they don’t know what to do about it. They feel uncomfortable making decisions.” CEOs need to become more comfortable with making decisions about cybersecurity, and the report outlines actionable insights that can help them do so.
The second way CEOs can contribute to building cyber resilience is by implementing a playbook. The playbook outlines a set of actions that companies can take to build resilience to cyber attacks. These actions include things like implementing incident response plans, developing employee training programs, and investing in cyber insurance.
Cybersecurity is no longer just a buzzword; it’s a critical business priority that requires a proactive approach to ensure resilience against cyber threats. As the “CEO Report on Cyber Resilience” highlights, many companies are investing heavily in cybersecurity protection but are neglecting responsive and reactive controls. This is where a shift towards building cyber resilience comes in. To achieve this, companies need to create a culture of security that involves every employee and goes beyond just protecting data.
It is time to move from a purely security-focused approach to a security-resilient one, and CEOs play a crucial role in making this shift. With the right mindset and playbook, they can empower their organisations to withstand cyber attacks and other unexpected events that threaten business continuity. The future of cybersecurity lies in building resilience, and it starts with CEOs leading the charge.