What your C-Suite needs to know about cybersecurity


Preventing cybercriminals from exploiting vulnerabilities in IT systems is a constant battle for all organisations. So, what role does your C-suite play in reducing this risk and protecting you from a costly data breach?

This article explores the damaging effects of cyberattacks on organisations and provides practical solutions for protecting themselves in the future.

Why do organisations need cybersecurity?

Cybersecurity helps organisations and individuals reduce the risk of cyberattacks. It protects devices like laptops, smartphones, and tablets, from damage or theft and safeguards the online services we access. Cybersecurity also prevents vast amounts of personal and work-related data stored on our devices from falling into the hands of cybercriminals.

Why is this important to organisations? The problem is widespread, and a data breach can cause long-lasting damage and devastating losses. In 2022, around 39% of UK businesses identified that they had been a victim of a cyberattack over the previous 12 months. Of these businesses, 83% experienced phishing attempts, while 21% reported more sophisticated attacks including ransomware, malware, and denial of service. It’s clear that businesses are a huge target for cybercriminals, with rewards ranging from financial gain to blackmail.

The threat is greater in the UK than in any other European country. IBM’s X-Force Threat Intelligence Index 2023 report reveals that 43% of cyberattacks in Europe over the past 12 months occurred in the UK, with energy and financial sectors suffering the highest number of data breaches. Germany reported the second-highest number of attacks with 14%.

Data breaches can destroy the value of your brand and your share price, cause serious damage to your reputation, and negatively affect customer and vendor confidence in your company, forcing them to look elsewhere.

Data breaches can also result in fines, penalties, and lawsuits, and can lead to huge financial losses for any organisation of any size. Therefore, ensuring your organisation has the highest level of cyber protection is essential in the modern world where there is an ever-increasing reliance on technology both at work and in our personal lives.

Why is cybersecurity so important to the C-suite?

Cybersecurity is of utmost importance to the C-suite. In 2021, the Information Commissioner’s Office (ICO) – the UK body that prosecutes organisations for failing to safeguard data – set out clear guidelines to follow. These state that all staff and volunteers should be trained in cyber awareness from the outset and before they have access to client data. All other employees, including company officers and directors, should also receive ongoing training in line with General Data Protection Regulation (GDPR) requirements.

Technically, cyber training could look the same for all employees, but company officers and directors often require a deeper understanding due to the additional burden of responsibility they carry. After all, every director, trustee, and C-suiter shares responsibility and liability should the organisation face prosecution following a data breach. In response, specific cyber training for board members and C-suiters, including board-certified workshops, has been developed.

IT departments also require everyone within an organisation to follow safe cybersecurity practices and build a strong human firewall. Not only will this greatly reduce the risk of a cyberattack, but it will also ensure business continuity and avoid costly downtime.

So, while IT departments may be responsible for delivering cybersecurity within an organisation, they cannot do it alone. They need everyone within the organisation to fully participate and actively demonstrate what they have learnt from cyber training.

IT is likely to be the first to respond to a data breach or cyberattack, but the whole organisation from top to bottom will be negatively affected. The ability of employees across all departments to carry out their work could be severely disrupted, as could the company’s ability to serve and support its customers.

This is the point where cybersecurity becomes the remit of the C-suite.

The C-suite must be actively involved in an organisation’s all-encompassing security strategy including staff training from the boardroom to the shop floor. It is also essential the C-suite provides adequate funding for the organisation’s entire security strategy to keep it secure and protected from damaging cyberattacks. Failure to do this could leave an organisation vulnerable to an attack and the significant and sometimes crippling cost involved with repairing the damage.

IBM’s Cost of Data Breach Report 2022 looked at various statistics around data breaches, including company response times and costs incurred. It reveals the average cost of a data breach in 2021 was over $4.5 million. The cost to UK firms in 2022 was $4.67 million, a rise from $3.9 million the previous year and slightly above the national average of $4.24 million.

Global regions where companies lost the most to breaches included the USA ($9.05 million), the Middle East ($6.93 million), and Canada ($5.40 million). These startling figures further highlight why company C-suites should adopt the most rigorous cybersecurity practices.

How seriously are C-suites taking cybersecurity?

The Cyber Security Breaches Survey 2022 shows that 82% of UK businesses say cybersecurity is a high priority at C-suite and senior management level, an increase from the previous year (77%). Meanwhile, 72% of charity trustees said cybersecurity was a high priority.

However, it is clear organisations can do more to protect themselves and minimise risk. The same survey reveals almost 3 in 10 large UK businesses (250 employees or more) do not have a formal policy relating to cybersecurity risks, while this figure rises to almost 5 in 10 for small firms (10 to 49 employees).

The fact is that as organisations increase their digital footprints through further developments in email, websites, apps, social media, and more, they also increase the likelihood of attack from sophisticated cybercriminals. This will almost certainly be followed by a growing involvement of C-suites in the cybersecurity process.

Source: Cyber Security Breaches Survey 2022

Are there Government requirements for C-suite cyber awareness?


Organisations must take responsibility for their own risk exposure, and this begins at C-suite level. The UK Government is considering the implementation of a mandate that will force large companies and organisations to rigorously assess the cyber risks they face and take appropriate action. The goal is to make the UK the safest place to live and work online, and ensure the UK continues to adapt and invest in digital to protect everyone’s interests in cyberspace.

The government has also taken the lead by adopting professional standards developed by the UK Cyber Security Council, the self-regulatory body for the cybersecurity industry which develops, promotes and monitors effective cyber hygiene. Cyber hygiene is the practice of taking steps to protect sensitive information, prevent data breaches and cyber attacks, and ensure the overall safety and reliability of digital systems. Nevertheless, cybercriminals will continue to exploit vulnerabilities in IT systems to steal data and sensitive information, which makes cybersecurity more important than it ever has been. Businesses that take a proactive approach to cybersecurity can nullify the threat of a cyber attack and avoid the significant expense of repair, downtime, and damage to reputation.

Examples of high-profile data breaches

There are multiple examples of high-profile organisations suffering data breaches in recent years.

In January, Royal Mail was targeted by a Russian ransomware gang, known as Lockbit, which forced the suspension of international postal deliveries and threatened to publish stolen data on the dark web. Lockbit has extorted around £82 million from previous victims which include children’s hospitals and UK car dealership Pendragon, according to reports.

In December 2020, US tech company SolarWinds suffered a major data breach which gave hackers access to around 18,000 companies and government offices that used its products, including the US Treasury. At the time, Microsoft President Brad Smith called it “the largest and most sophisticated attack the world has ever seen.” SolarWinds ended up paying $26 million to settle a shareholder lawsuit following the data breach.

Colonial Pipeline was forced to pay a ransom of almost $5 million to hackers in 2021 following a devastating cyberattack that shut down the largest fuel pipeline network in the US. It was later discovered that the attackers breached the company’s systems using a single stolen password for a Virtual Private Network (VPN) account that did not have multifactor authentication. Multifactor authentication would have provided an additional layer of security beyond a username and password. It requires users to provide at least two forms of authentication, such as a password and a fingerprint, or a password and a security token, making it more difficult for attackers to access systems and data.

That an organisation as large as Colonial Pipeline relied on single-factor authentication is a stark example of why cybersecurity should remain at the very top of a C-suite’s agenda.

What can C-suites do to protect organisations from cyberattacks?

Cybersecurity starts at the top with your C-suite.

For too long cybersecurity has been viewed as the sole responsibility of IT. Admittedly, IT has a prominent role to play, but adopting a technology-only approach reduces the impact of your cybersecurity and leaves gaps for criminals to exploit.

When your C-suite endorses and promotes your organisation’s approach to cybersecurity, it sends out a strong message to the rest of your team and sets clear expectations around compliance and cyber training.

Clear communication between IT and your C-suite will highlight potential weaknesses in cybersecurity that must be addressed and emphasise the true value of providing adequate financial support to maintain a robust cyber defence system.

A C-suite should actively participate in creating and funding an organisation’s security strategy, while IT should ensure all employees adopt cybersecurity best practices and actively participate in keeping a business secure.

While some organisations keep cybersecurity in-house, many prefer to outsource this function to trusted cybersecurity experts that offer the highest level of protection, provide real-time analysis of threats and vulnerabilities, and deliver the best cyber training available. This approach will provide C-suites with the key information they need for the major strategic decisions around cybersecurity investment.

5 reasons why C-suites should take cybersecurity seriously

Protects sensitive data

Prevents unauthorised access, theft, or damage to sensitive information and data.

Maintains business operations

Prevents disruption leading to lost productivity, revenue, and customer trust.

Meets professional standards

Follows cyberspace guidelines set out by the UK Cyber Security Council.

Protects customer trust

Maintains customer trust in the safe storage of their personal and financial information.

Prevents financial losses

Avoids theft, fraud, and lost revenue from downtime, lost productivity, and lawsuits.

Enhance your C-suite with ramsac’s board-certified cybersecurity training

ramsac offers two different board-certified cybersecurity workshops to help business leaders stay one step ahead of cybercriminals and reduce the risk of a data breach. Sign up here.
