CEO’s and board members don’t need to be experts on cybersecurity, but they do need to have some knowledge in order to do their jobs effectively. Especially in today’s environment where there is a risk for financial loss from cyber attacks, these top executives should consider the potential losses and damage from a cybersecurity threat as they would any other financial matters. This starts by asking the right questions. Here are twelve cybersecurity questions that executives should be asking their security teams. The answers to these questions will allow executives to determine which risks exist within their organization and what they need to do to reduce potential exposure.
- Are any of our systems running out of date software with known vulnerabilities and exposures?
You want to be sure all of your operating systems, printers, IOT devices, and any other applications have up to date security software.
- Where is the data that is most important located and what is its value?
You need to start by determining which data is most important to your company. For example, if your business accepts credit and debit cards, this payment information is critical and should be adequately protected. Or perhaps your company houses personal financial information, patents, or trade secrets. One you identify the most critical data, find out specifically where it resides and how much your potential losses would be if this data were stolen.
- How do we backup critical data and where are the backups stored?
There is a wide range of backup data available to companies so determine how your data will be backed up and how often these backups occur. Furthermore, determine if your backups are encrypted to further enhance your security.
- How many different track paths are present on our network?
Each time there is a network path between two systems there is a potential risk for attack. You want to determine how many attack paths there are and if that number can and should be reduced.
- What are the layers of our defense plan and how do they work together?
A cyber defense plan should consist of multiple layers such as data, application, computer security, network security, physical security, identity and access management, and policies and governance. Your team should be able to explain the importance of each layer and how they work together to enhance your security.
- How do we monitor for suspicious activity?
Is suspicious activity being monitored by qualified personnel at all times? Are we performing risk assessments on a regular basis?
- What are the findings of our risk assessment?
You need to know exactly who many outstanding high, medium, and low-risk findings are detected in your audits. This gives you a clear picture of how many potential threats
- Do we have a cyber incident response team and what is their plan?
You need to be sure you have a qualified team in place that is prepared to handle incidents as they occur. Your team should have a detailed plan in place that includes the following:
- Business continuity plan
- Technical data and IT recovery plan
- Forensic analysis to determine the source of the attack
- Company reputation management plan
- Liability management plan to limit financial damage
- Are we vulnerable to third party applications hosted on our network?
Do our vendors follow the same security protocol as us? Are we monitoring vendor activity?
- What happens after an incident has been responded to and mitigated?
An experienced security team understands the need to perform a “lessons learned” exercise to ensure any gaps in security are identified and closed. They should be able to provide you with a detailed plan for how they will gather this information.
- What is our overall risk level?
Is your time gathering sufficient data in order to figure out whether the risk level is increasing or decreasing over time? Can they test their findings or are they only subjective? You need to have an idea of how well your security team is performing and they should be able to provide you with quantifiable information.
- What needs to be done to ensure proper security measures moving forward?
The cybersecurity landscape is constantly changing and cyber criminals are always looking for new ways to attack. Make sure your team is monitoring these new threats and are up to date on anything that might impact your business.