Is your company set up to handle today’s most serious cybersecurity risks? Can you say that every byte of customer data is locked away, and well out of the reaches of fraudsters? Are phishers always going to come away empty-handed when targeting your staff?
Even if you think that your systems are secure, they probably aren’t. As the Ponemon Institute reported in 2019, 66% of global small and medium-sized businesses suffered a cyber-attack in 2018-19. And Dell has found that 63% of US companies experienced data breaches during the same period.
The truth is that employees are putting the business at risk every day, whether they know it or not. Because of this, companies need to know which roles should focus on cybersecurity and how they should do so. So let’s run through some core positions and explain how they fit into the digital security picture.
Chief Executive Officers (CEOs)
Although they might not like to admit it, CEOs are often the weakest part of a company’s security procedures. Why? It’s all about psychology and the hierarchical structures that divide power in modern corporations.
CEOs tend to see themselves as dealing with “big picture” issues such as corporate strategy and branding. With specialist roles underneath them, they are happy to delegate problems like security to others. At the same time, complacency creeps in: CEOs skip the training that would help them recognize threats, and start to adopt risky behaviors such as approving requests from their phone without a second check. That’s when catastrophe can strike.
Sophisticated phishers are skilled practitioners of a tactic called “whaling,” which directly targets high-value positions, with CEOs chief among them. By posing as senior colleagues or trusted contacts, whalers persuade executives to divulge sensitive data or provide access to privileged systems. The same impersonation works in reverse: attackers pose as the CEO to pressure finance or IT staff into wiring money or handing over credentials.
Sometimes, this has serious personal consequences. Just ask Walter Stephan, the ex-CEO of Austrian aircraft parts manufacturer FACC. In 2016, criminals posing as him by email tricked staff into transferring around $50 million, and he was forced out afterwards. So all leaders need to know how whaling works, insist on out-of-band confirmation (a phone call, not a reply to the email) for any unusual payment or access request, and take their personal security seriously.
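The signals that give a whaling email away are mostly in its headers: a known executive’s display name on a mailbox that is not theirs, a sender domain one character off from the real one, a Reply-To that quietly redirects to an outside address, or a message claiming to come from the company domain without passing DMARC. The following Python script is an added example (not code from the original article or from any vendor it mentions) that checks those signals over a few constructed messages; the executive directory, domains and sample emails are assumptions for illustration.

```python
"""Added example: flag executive-impersonation ("whaling") emails from their headers.

Not part of the original article. The executive directory, internal domains and
sample messages below are constructed for illustration only.
"""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: lower-cased display name -> the only mailbox allowed to use it.
EXECUTIVES = {"jane doe": "jane.doe@example-aero.com"}
INTERNAL_DOMAINS = {"example-aero.com"}
# Pressure language typical of CEO fraud requests.
URGENCY_WORDS = ("urgent", "confidential", "wire", "transfer", "today", "do not discuss")


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _lookalike(domain: str) -> bool:
    """True if domain is nearly, but not exactly, one of our internal domains."""
    if domain in INTERNAL_DOMAINS:
        return False
    return any(SequenceMatcher(None, domain, d).ratio() >= 0.85 for d in INTERNAL_DOMAINS)


def analyze(raw: str) -> list:
    """Return a list of findings for one RFC 822 message; empty means nothing suspicious."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    auth = msg.get("Authentication-Results", "").lower()
    body = "" if msg.is_multipart() else msg.get_payload().lower()
    findings = []

    # 1. A known executive's display name on a mailbox that is not theirs.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append(f"display name '{name}' used from {addr}")

    # 2. Sender domain that looks like ours but is not (e.g. a 0 for an o).
    if _lookalike(_domain(addr)):
        findings.append(f"lookalike sender domain {_domain(addr)}")

    # 3. Internal From address with a Reply-To that sends answers outside the company.
    if _domain(addr) in INTERNAL_DOMAINS and reply_addr and _domain(reply_addr) not in INTERNAL_DOMAINS:
        findings.append(f"reply-to redirects to {reply_addr}")

    # 4. Claims to be from our domain but the mail gateway did not record dmarc=pass.
    if _domain(addr) in INTERNAL_DOMAINS and "dmarc=pass" not in auth:
        findings.append("internal sender without dmarc=pass")

    # 5. Pressure language is only reported alongside another finding, so ordinary
    #    internal urgency does not raise alerts on its own.
    hits = [w for w in URGENCY_WORDS if w in body]
    if findings and len(hits) >= 2:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example-aero.com>
Authentication-Results: mx.example-aero.com; dmarc=pass header.from=example-aero.com
Subject: Q3 board deck

Please send me the draft by Friday.
"""

SAMPLE_WEBMAIL = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
Authentication-Results: mx.example-aero.com; dmarc=pass header.from=gmail.com
Subject: Urgent and confidential

I need an urgent wire transfer today for an acquisition. Do not discuss with anyone.
"""

SAMPLE_LOOKALIKE = """\
From: Jane Doe <jane.doe@example-aer0.com>
Authentication-Results: mx.example-aero.com; dmarc=pass header.from=example-aer0.com
Subject: Quick favour

Are you at your desk? Need a transfer processed today, keep it confidential.
"""

SAMPLE_SPOOFED = """\
From: Jane Doe <jane.doe@example-aero.com>
Reply-To: Jane Doe <ceo.jane.doe@outlook.com>
Authentication-Results: mx.example-aero.com; dmarc=fail header.from=example-aero.com
Subject: Invoice

Please pay the attached invoice.
"""

if __name__ == "__main__":
    for label, sample in [("legit", SAMPLE_LEGIT), ("webmail", SAMPLE_WEBMAIL),
                          ("lookalike", SAMPLE_LOOKALIKE), ("spoofed", SAMPLE_SPOOFED)]:
        print(label, "->", analyze(sample) or "clean")
```

The legitimate message produces no findings; the webmail, lookalike-domain and spoofed messages each produce two or more. None of these checks replaces DMARC enforcement at the gateway, and none catches a compromised real executive mailbox, which is why the out-of-band confirmation rule above still matters.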
Chief Security Officers (CSOs)
The other key cybersecurity role is pretty apparent: CSOs. Chief Security Officers are responsible for the software and hardware infrastructure that wards off digital threats and for setting the overall direction of corporate cybersecurity strategy. If something goes wrong and data is lost or ransomware strikes, the CSO is first in the firing line.
CSOs also work with external partners such as security vendors and incident responders to assess the threats the company faces, acting as a forward intelligence officer who decides where security resources should go. They own regulatory compliance on the cybersecurity front, and they have to keep the company’s own security systems manageable and efficient rather than letting them sprawl.
Add all of that together, and you’ve got a role that forms the pivot around which everything else functions. Without a CSO and a team with clear ownership of security, companies will always be vulnerable.
Chief Operations Officers (COOs)
COOs are not dedicated to cybersecurity, but it still needs to be part of their expertise and everyday functions.
The primary role of a COO is to plan and direct the business operations of a particular company, which encompasses anything from rolling out new retail locations or eCommerce platforms, to adding payment methods, streamlining complaints procedures, and running marketing campaigns. But everything in that list has some relationship to cybersecurity – or at least it should.
One of the core roles of a COO is to plan for business disruptions (business continuity), and nowadays, cybersecurity threats have to be part of this planning. Malware can take down networks, while data leaks can paralyze businesses as they assess the damage. Knowing how these threats work, and what to do about them, is a non-negotiable part of being a modern COO.
And on a smaller scale, everyday operations such as managing payments and creating online portals all have to take security into account. Cybersecurity reaches into every aspect of business operations, a fundamental truth that all COOs need to take on board.
Chief Human Resources Officers (CHROs)
CHROs deal with hiring and firing, performance assessments, disciplinaries, employee happiness (or discontent), and the broader strategies that ensure companies have access to the talent and skills they need. As such, their day-to-day activities can seem remote from cybersecurity concerns. But that’s a dangerous illusion.
In reality, “insider threats” to digital infrastructure and data are just as critical as external malware or phishing. Criminals often work from both inside and outside a company to carry out attacks, and a disgruntled or departing employee with access that was never revoked can do as much damage as any outsider. Without proper vetting of employees and prompt removal of access when roles change or people leave, companies can end up compromised by rogue agents.
For instance, in 2016, the UK accounts software vendor Sage was hit by an insider attack when an employee stole confidential records relating to 280 business clients. This breach included corporate bank account details and addresses of important contacts – all potentially beneficial for digital fraudsters, and all very embarrassing for Sage itself.
CHROs also have a pivotal role to play in ensuring that staff take appropriate training courses in subjects like safe remote working, password security, and anti-phishing. They are often the ones who can track gaps, such as staff who aren’t keeping up to date with security training. So they need to be up to speed themselves on the basics of cybersecurity.
Chief Communications Officers (CCOs)/Public Relations Officers (PROs)
On the face of things, CCOs/PROs can also seem far from the cybersecurity battlefront. However, as with CHROs and other positions, this is a dangerous stance to take. Corporate communications and cybersecurity should work hand-in-glove, and the consequences of not doing so can be fatal.
Communications Officers are responsible for coordinating external public relations strategies, as well as the internal communications systems that reach every staff member. As such, they need to be notified of an incident immediately so they can send the appropriate message to both internal and external stakeholders.
In 2016, EY’s Global Information Security Survey found that 42% of major global companies lacked a communications strategy to handle data breaches. A year later, Equifax showed why this is such a dangerous position to hold.
When the credit rating company leaked 147 million customer records, it agreed to a settlement of up to $700 million. That was bad, but its failed communications strategy was worse. As data visualization experts Quid have found, while Equifax was far from the worst breach of its kind, its poor communications meant that the consequences rumbled on for years.
By waiting for weeks to announce the breach, it fed rumors and dented trust. It failed to offer ways for customers to contact Equifax staff directly with their concerns. And executives sold stock soon after they learned about the hack – even though affected customers were not informed.
Cases like these show that Chief Communications Officers should be brought into the incident response process from the first hour, not once the legal team has finished. Otherwise, hard-won corporate reputations can disappear in a cloud of smoke.
Chief Data Officers (CDOs)
These days, data is on the tongues of almost every executive and business commentator, and with good reason. Between us, we create 2.5 quintillion bytes of data every day, and the so-called “Big Data” sector has emerged as a way to capture, analyze, and use that data for corporate benefit.
But as data flows have increased exponentially, so has the potential for malicious attacks that seek to divert and exploit that data. At the same time, regulations like the EU’s GDPR have been passed to govern how user data can be used and secured. Between them, these two phenomena result in an ever-increasing workload for CDOs.
CDOs are in charge of data storage, collection, and analysis. They are the ones who sign off on third-party cloud storage solutions or bring in external expertise for analytics and tracking. So they need to be razor-sharp when assessing which contractors are trustworthy, and what data those contractors are actually given.
They also need to know how to protect storage, both physically and digitally. There is no fail-safe perimeter; instead, cybersecurity-aware CDOs rely on layers: requiring VPN or equivalent secure access for remote staff, monitoring for unusual access in real time, encrypting data at rest and in transit, and making sure only authorized staff can reach each database, with access reviewed and removed when it is no longer needed.
Make cybersecurity a core function of every role.
The roles we’ve covered tend to be reasonably senior. Still, before we conclude, it’s important to note that every single employee has a role to play in ensuring watertight cybersecurity, from security and retail staff to information analysts, marketers, and customer support. Every department confronts digital threats, and every staff member needs to know how to work safely.
That’s why the core aim of all security-conscious companies is the same: creating a culture of knowledge and awareness around digital threats. You can’t eliminate phishing or malware risks, but with a switched-on, conscientious workforce, you’ll keep the risks much lower.