A Non-Tech Founder’s Guide to CyberSecurity
What do Brian Chesky (Co-founder, Airbnb) and Walker Williams (Founder & CEO, Teespring) have in common?
Both of these entrepreneurs built multi-million- to billion-dollar tech products with no coding or programming background at all. Chesky started his career in industrial design after a Bachelor's in Fine Arts, and Williams as a cartoonist and writer.
But a non-tech founder or CEO’s job isn’t to write immaculate code anyway; they predominantly aim to “crack the code” to accelerate growth and revenue.
Nevertheless, in today's volatile threat landscape, cybercriminals and "hacktivists" are constantly devising newer, more sophisticated forms of spear phishing, SQL injection, malware and other attacks to steal data and sabotage operations. Staying up to date with security trends, news and insights is therefore a necessity for founders and C-level execs, not an optional extra.
Common security challenges CEOs deal with
According to the C-Suite Challenge 2019 report, CEOs listed cybersecurity as their biggest "external concern", ranking it above the fear of recession and the growing number of market competitors. Not surprising in today's security climate.
Non-tech founders and CEOs struggle with a range of everyday problems that compromise security. Here are three:
Remote working
As per IBM, organizations with 80-100% remotely working staff suffered an average cost of $5.54 million in data breach damages in 2020 alone.
As the COVID-19 pandemic forced companies worldwide to shift online, we saw more exposed networks, expanded attack surfaces, and greater dependence on cloud-based platforms, all adopted in a hurry. And because remote workers rely primarily on email to communicate, sophisticated phishing attacks have become more common.
Glenn Nick (Assistant Director in Cybersecurity incident response, Guidehouse) highlights how the sudden shift, which pushed most employees to work from their laptops, smartphones, and public Wi-Fi (i.e. vulnerable and unsecured hardware and networks), further magnified the risks.
Software supply chain security
The Java-based Log4Shell fiasco in late 2021 was an alarming reminder of how much a single software component matters to security, and how one defect can cause a domino effect.
The defect in the Log4j logging library let threat actors take control of target systems: an attacker-controlled string, once logged, triggered a lookup that fetched and executed attacker-supplied code. Security teams closed the hole by updating the library (or removing the vulnerable lookup class). However, their partners and suppliers, and their partners' suppliers in turn, also had to update theirs before the exposure across the supply chain as a whole was reduced.
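Knowing whether you are exposed starts with an inventory of which copies of the library are actually deployed. The script below is an added illustration, not code from the original article or from the Log4j project: it walks a directory tree, opens every `.jar`, reads the `Implementation-Version` from the manifest, and checks whether the `JndiLookup` class (the component behind Log4Shell) is still present. The version threshold `FIXED_VERSION`, the helper names and the in-memory sample jars are assumptions for illustration; set the threshold to whatever your patch policy requires.

```python
import io
import os
import zipfile
from typing import Iterator, Optional, Tuple

# Added example, not from the original article. The threshold, helper names
# and sample jars are assumptions for illustration.

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"
FIXED_VERSION = (2, 17, 1)  # assumed remediation target; adjust to your policy


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1); non-numeric suffixes are ignored."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def manifest_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Read Implementation-Version from a jar manifest, if present."""
    if MANIFEST not in zf.namelist():
        return None
    for line in zf.read(MANIFEST).decode("utf-8", "replace").splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return None


def assess_jar(data: bytes) -> dict:
    """Classify one jar: does it still ship JndiLookup, and which version is it?"""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = manifest_version(zf)
    has_jndi = JNDI_LOOKUP in names
    # Unknown version plus the lookup class present is treated as vulnerable
    # on purpose: an inventory gap should surface, not hide.
    vulnerable = has_jndi and (version is None or parse_version(version) < FIXED_VERSION)
    return {"version": version, "has_jndi_lookup": has_jndi, "vulnerable": vulnerable}


def scan_tree(root: str) -> Iterator[Tuple[str, dict]]:
    """Walk a directory and assess every .jar found."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    yield path, assess_jar(fh.read())


def build_sample_jar(version: str, include_jndi: bool) -> bytes:
    """Construct a fake log4j-core jar in memory (sample data for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return buf.getvalue()


if __name__ == "__main__":
    for ver, jndi in [("2.14.1", True), ("2.17.1", True), ("2.14.1", False)]:
        print(ver, "jndi" if jndi else "no-jndi", assess_jar(build_sample_jar(ver, jndi)))
```

Run `scan_tree("/opt")` (or wherever your applications live) to list every jar with its verdict. The check deliberately flags a jar whose version cannot be read but which still contains the lookup class. It does not look inside nested jars (fat jars, WAR/EAR bundles), so extend it or pair it with a software bill of materials before relying on it for your suppliers' components.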
Inadequate security awareness
CEOs often underestimate the importance of employee awareness and fall short in providing sufficient security awareness training. This inadvertently puts customer trust, competitive advantage, and brand reputation at stake.
Improving your own knowledge and educating your employees are just as important as finding good IT talent. If the CISO is the only person who knows the vulnerabilities your firm faces, the danger is built in. Everyone from board members down to the junior marketer must understand the risks and threats and how to manage them at a basic level.
Things to know as a non-tech founder or CEO
Tech or non-tech, a working knowledge of security trends and practices always pays off in an emergency. Founders and CEOs can manage their risk exposure effectively by following the practices listed below:
Avoid relying on compliance standards alone
It's imperative to comply with generic ISO and PCI standards, but is that enough? ISO 27001 was still in use as the standard nearly a decade after its 2013 edition was published; an updated version was only released in October 2022. Compliance standards aim to ensure an achievable minimum level of data protection across the board, but that "minimum level" shouldn't be the goal of our security efforts, especially when threats and their vectors evolve far faster than the corresponding regulation.
Ransomware has also grown more complex: some strains now sit quietly in an environment, watching sensitive files and tracking any changes made to them before they strike. Organizations need to supplement compliance certifications with other tools and practices to reduce cyber risk and stay prepared for the threats of tomorrow, not just the ones of today.
Evaluate your inner circles
It only takes one employee to unknowingly connect to a compromised network, or to open a phishing email, and an attacker can have a foothold in your systems within seconds.
Employee negligence is among the most common causes of breaches in modern businesses, and the same goes for remote staff and third-party vendors. Regular audit-log review, session management, and Identity and Access Management (IAM) are the controls that help contain threats originating inside the perimeter.
24x7 monitoring & response
Around-the-clock monitoring, with the right alerts, improves your company's mean-time-to-detect and mean-time-to-respond metrics, which lowers the chance that an intrusion turns into a data breach. Combined with threat intelligence, 24x7 monitoring also helps you identify threat actors precisely, understand how they operate, and anticipate their strategy for getting into your systems.
Prepare an incident response plan
Cyber attacks aren't solely an IT department problem. Every wing of the company must be ready to respond to both minor and complex security incidents under the leadership of C-level executives, so that a threatening situation does not escalate.
CEOs should encourage regular exercising of incident response, disaster recovery, and business continuity plans and processes to ensure that cyber criminals do not get the upper hand during an ongoing breach. Timely discussions of IR plans, bug bounty programs, pen testing frequency and the like with security and dev teams are just as important for a founder or CEO.
Employ security tools and software
Next, analyze and choose the security tools or software that fit your business objectives precisely and align with your cybersecurity policies. For instance, don't judge a tool only by how many software vulnerabilities it finds; tools that save your team time by reducing false positives are a core criterion too. In some use cases, enterprise-level testing capabilities such as scan policies, trend reports and in-depth testing are also necessary.
Implement meaningful cybersecurity risk metrics
Strengthening a company's security posture also involves establishing relevant, measurable security risk metrics. One example is tracking the total time required to patch a critical software bug, which Application Security Posture Management tools can record for you. Such metrics also help prioritize remediation and allocate resources according to the business-criticality of each risk.
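The script below is an added illustration, not code from the original article or from any ASPM product, of the metrics named in the monitoring and metrics sections above: mean-time-to-detect and mean-time-to-respond for incidents, time-to-patch per severity against an SLA, and an open-finding queue ordered by severity and business criticality. The findings, incident timestamps, SLA targets, asset tiers and field names are all constructed assumptions; MTTR is measured here from detection to containment, which is a definition you should fix in your own policy.

```python
from datetime import datetime
from statistics import mean, median
from typing import Dict, List

# Added example, not from the original article. All records, SLA values,
# asset tiers and field names below are constructed for illustration.

PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}   # assumed policy
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}
ASSET_TIER = {"payments-api": 1, "marketing-site": 3}        # 1 = most business-critical

# Constructed vulnerability findings: when found, when fixed (None if still open).
FINDINGS = [
    {"id": "F1", "severity": "critical", "asset": "payments-api",   "found": "2024-03-01", "fixed": "2024-03-04"},
    {"id": "F2", "severity": "critical", "asset": "marketing-site", "found": "2024-03-02", "fixed": "2024-03-15"},
    {"id": "F3", "severity": "high",     "asset": "payments-api",   "found": "2024-03-05", "fixed": "2024-03-20"},
    {"id": "F4", "severity": "medium",   "asset": "marketing-site", "found": "2024-02-01", "fixed": None},
    {"id": "F5", "severity": "high",     "asset": "payments-api",   "found": "2024-05-10", "fixed": None},
]

# Constructed incident timeline: attacker activity start, detection, containment.
INCIDENTS = [
    {"id": "I1", "started": "2024-03-10T08:00", "detected": "2024-03-10T20:00", "contained": "2024-03-11T02:00"},
    {"id": "I2", "started": "2024-04-01T00:00", "detected": "2024-04-03T00:00", "contained": "2024-04-03T06:00"},
]


def _hours_between(start: str, end: str) -> float:
    """Accepts 'YYYY-MM-DD' or 'YYYY-MM-DDTHH:MM' timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def _days_between(start: str, end: str) -> float:
    return _hours_between(start, end) / 24


def time_to_patch(findings: List[dict], sla: Dict[str, int] = PATCH_SLA_DAYS,
                  as_of: str = "2024-05-15") -> Dict[str, dict]:
    """Per severity: how fast closed findings were fixed, how many met the SLA,
    and how many open findings have already blown past it."""
    report = {}
    for sev, limit in sla.items():
        closed = [f for f in findings if f["severity"] == sev and f["fixed"]]
        still_open = [f for f in findings if f["severity"] == sev and not f["fixed"]]
        durations = [_days_between(f["found"], f["fixed"]) for f in closed]
        overdue = [f for f in still_open if _days_between(f["found"], as_of) > limit]
        report[sev] = {
            "closed": len(closed),
            "mean_days": round(mean(durations), 1) if durations else None,
            "median_days": round(median(durations), 1) if durations else None,
            "sla_met_pct": (round(100 * sum(d <= limit for d in durations) / len(durations), 1)
                            if durations else None),
            "open_overdue": len(overdue),
        }
    return report


def detection_metrics(incidents: List[dict]) -> dict:
    """MTTD: attacker activity start to detection. MTTR: detection to containment."""
    to_detect = [_hours_between(i["started"], i["detected"]) for i in incidents]
    to_respond = [_hours_between(i["detected"], i["contained"]) for i in incidents]
    return {"incidents": len(incidents),
            "mttd_hours": round(mean(to_detect), 1),
            "mttr_hours": round(mean(to_respond), 1)}


def prioritize_open(findings: List[dict]) -> List[str]:
    """Order open findings by severity, then by how business-critical the asset is."""
    open_ones = [f for f in findings if not f["fixed"]]
    open_ones.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], ASSET_TIER.get(f["asset"], 9)))
    return [f["id"] for f in open_ones]


if __name__ == "__main__":
    for sev, row in time_to_patch(FINDINGS).items():
        print(sev, row)
    print(detection_metrics(INCIDENTS))
    print("work on next:", prioritize_open(FINDINGS))
```

With the constructed data, critical findings average 8 days to fix with only half meeting the 7-day SLA, one medium finding is open past its 90-day limit, and the board-level numbers are a 30-hour MTTD and 6-hour MTTR. The point for a founder is the shape of the report, not these values: a metric is meaningful when it has a target, a trend, and an owner.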
Conclusion
Don't be one of the 95% who treat cybersecurity as a non-fundamental investment. By establishing a security-first, zero trust culture, you take the first strong step towards building defenses that protect sensitive data and spare your business from sabotage.
Stay updated with all things cybersecurity-related with the Purple Book Community and optimize your security posture.