Did you ever watch The Office and think about how ridiculous it would be to run such a dysfunctional company? Thank goodness you aren’t the CEO of that mess.
Then you get a phone call from your CIO about a major cyberattack and suddenly you’re channeling your inner Michael Scott.
Now you have to worry about how you’re going to maintain the company morale and deal with any PR nightmares. But luckily, you’ve always been able to rely on your CIO and IT department to take care of cybersecurity, so things should be fine, right?
Wrong. Times have changed. With the average total cost of a data breach at about $7 million, CEOs can’t afford to remain disconnected from cybersecurity.
The Cost of a Data Breach Could Be a CEO’s Job
Money isn’t the only thing at stake anymore when companies are dealing with security incidents. Consecutive record-setting years of data breaches have companies firing CEOs over attacks.
Two hallmark cases that show why CEOs must take cybersecurity more seriously are the 2013 Target hack and the 2014 Sony hack.
- Gregg Steinhafel Leaves Following 2013 Target Hack: When 40 million Target customers were impacted by the Target credit card hack, it wasn’t just a senior IT executive that was let go. Gregg Steinhafel, despite a 35-year tenure (6 as CEO) at the company, resigned in May 2014. In addition to the tech problems, the Target breach cost over $1 billion due to loss of corporate data, legal payments, and lost business due to reputational damage.
- Amy Pascal Fired Following 2014 Sony Hack: While Pascal resigned publicly, she came out later and said that her departure from Sony wasn’t voluntary. Even though Pascal wasn’t directly responsible for any cybersecurity systems or processes, she was still held accountable (especially after her own emails were leaked).
These two incidents endured heavy public scrutiny, but they certainly aren’t the only times when a CEO lost his/her job due to a security incident—Walter Stephan of FACC, Dido Harding of TalkTalk, and Frank Blake of Home Depot also lost their jobs over data breaches.
If the leaders of such major brands can be blindsided by cyberattacks, couldn’t any CEO?
The answer is definitely yes. According to Small Business Trends, 43% of cyberattacks actually target small businesses. And 60% of small businesses close up shop within 6 months of a cyberattack (The Denver Post).
Unfortunately, only a small percentage of small businesses consider their ability to mitigate cyber risks, vulnerabilities, and attacks as highly effective. CEOs should be focusing on these areas so that their companies (and ultimately, themselves) don’t become victims.
How Should CEOs Be Involved in Cybersecurity?
Don’t worry, CEOs. No one is asking you to become industry-leading experts on the Heartbleed Bug or Locky ransomware, but if you can find some spare time (insert wink emoji here), it certainly couldn’t hurt.
As CEOs, you should definitely be prepared to spend time each month to understand your security postures and evaluate your ability to keep up with the latest security trends. Even if you aren’t a technical expert, you still have to understand the following:
- Consequences of adopting new technology: You can’t adopt the latest-and-greatest SaaS application without thinking about security. Taking cybersecurity seriously means involving the CISO and IT department in all new tech purchases.
- Causes and costs of a data breach: Security incidents aren’t usually random. Attackers spend a lot of time researching and planning their data breaches. You have to understand the top causes of data breaches and know just how much your company stands to lose in the face of an incident.
- Details of your incident response plan: One of the main reasons CEOs lose jobs over cybersecurity isn’t the attack itself; it’s the crisis management process following the incident. You need a detailed plan for responding to attacks that includes internal forensic processes as well as a PR strategy. Your response to a data breach could be the difference between keeping customers loyal and losing their trust for years to come.
When someone wants to talk to you about cybersecurity topics like these, don’t be like Michael Scott and hide out in your office until they go away. Be a proactive leader and get a handle on your company’s vulnerabilities.