The c-suite and cyber security: taking the blame and taking action

Across every industry, every country and every size of business, one thing is certain: the threat from cyber attacks is growing every day. In tandem, the amount that businesses are spending on security is also growing, with global spending on track to reach $133 billion in 2022 according to IDC. This cannot continue, but as security teams and leaders alike scramble to find solutions, there is one prominent party who may not understand that they’re at the centre of the storm – the C-suite.

What is the threat?

Firstly, it’s good to go back to basics. Bad actors are usually attempting to accomplish one of two things: stealing information or extorting money. Understanding how each of these could play out is crucial to curtailing the threat.

Information theft generally entails the acquisition of either personal data (e.g. banking details) or competitive data (e.g. patents or product designs). In these breaches, bad actors often gain access to a network and quietly harvest data over months, hijacking email accounts and exfiltrating large volumes of data.

It’s no surprise that the companies most at risk of information theft are those who store large amounts of competitive or personal data – with medical and financial data being the most in demand. But many companies don’t understand, or fail to acknowledge, the risk they face, even from storing something as commonplace as employee passwords.

The second form of attack, extorting money, has become synonymous with Russian hacker groups: attackers gain access to the network, encrypt operational systems such as application servers and file servers, and, if they can, delete all backups. This is followed by the customary ransom demand, which, more often than not, businesses comply with. These days, it is rare to find a business that does not run on a foundation of software applications, so the risk from this type of attack spans almost every business across every industry and location.

Turning awareness into action

Awareness is the first step in countering the threat. Companies and their leaders must acknowledge that they are at risk, and that everyone who works at the company is both a potential target and a potential way in for attackers. But beyond educating staff on threats, introducing stronger ways to authenticate logins, teaching people to spot phishing emails and the like, there is another key risk that must be addressed.

Many executives think of cyber risk mainly in terms of technological vulnerabilities, but we know that it is usually the human dimension that leads to breaches. The group most at fault for security flaws, partly because they are also the most heavily targeted, is the C-suite itself.

To reduce the risk of security incidents, the C-suite, and CEOs in particular, should first ensure that their businesses are prescribing, and adopting, basic cyber security hygiene. This includes multi-factor authentication (MFA), ongoing phishing training, and strict adherence to patching. Simple and inexpensive, these measures are among the most important actions a business can take to protect itself. One major hurdle, however, is that time-poor employees see controls like MFA as a nuisance and adopt them only partially; unfortunately, partial adoption is not adequate protection.

Taking it to the next level

Fortunately, the tools available to deliver these security controls have continued to improve, making them less onerous for both administrator and user. For example, a number of phishing training providers have emerged that can automatically increase the sophistication of simulated attacks each month, which in turn progressively raises an organisation's security maturity.

Beyond basic hygiene, there is a deeper set of practices and tools firms should implement: annual penetration tests, monitoring tools that scan systems for signs of a breach, table-top exercises to prepare for incident response, and external vulnerability scans to identify at-risk technologies.

To make this a reality, it is best to appoint a named, dedicated Chief Security Officer (CSO) who brings together in-house and third-party resources and service providers. This lets companies benefit from the expertise of specialists while keeping a good amount of ownership inside the business.

A cyber-aware culture

But whatever the staffing model, solutions and tools, one thing bears repeating: people, not technology, are almost always at the heart of breaches. Solving this problem once and for all comes down to culture; firms that either fail to take the risks seriously or act as if cyber security is solely IT's responsibility are the biggest roadblocks.

Culture is shaped by executive action. Cyber security should not only be included in the dialogue of C-suite executives, but in their actions too. Only then can they ensure employees understand that security is a top priority.

Written by Andrew Duncan, partner and UK practice head at Infosys Consulting
