Cynthia James is a Vistage speaker and a high-tech career professional with over 20 years of experience in the industry. She has spent over a decade working for a top global cybersecurity firm and founded her own firm, Cyberus Security, in 2017. With her wealth of knowledge in the field and her passion to help executives address cybercrime, we sat down to discuss how leaders can safeguard their organizations from emerging cyberthreats.
TEC Canada: What role do executives play in cybersecurity?
Cynthia James: The number one thing is setting the tone; more than 20 years of research shows that the best way to get employees to comply with policy is for the senior executives to support it. If you could take just 3 minutes to discuss security at your next offsite meeting, that’ll make a huge difference. Tone is also important when you communicate with your IT people and let them know you want to be notified of anything deemed critical. If a breach happens at 3 a.m. and IT knows you’ll react poorly or consider it a bother, they may be hesitant to call you up.
Resource allocation is another role executives play in their cybersecurity. The executive should ask him or herself, “what resources would it take to get to the next level?” It’s often less than you think, and sometimes it’s just a matter of a few extra IT hours of turning on certain protections and explaining them to users or it’s a matter of setting up a guest wifi, adding alerts for bad behavior etc. If you work with your IT department and involve them, you can determine these costs.
TC: What common misconceptions do executives have in cybersecurity?
– Misconception: IT and cybersecurity are the same (I even know salespeople in our industry that believe that). Think about IT – it’s all about enablement, improving productivity, giving people access to what they need etc. Cybersecurity is 100% in the opposite direction – it’s trying to make access difficult to make sure we are really dealing with you and not a hacker. When I talk with CEOs I say, “If you don’t see tension in your organization in those two conflicting objectives, then there is something wrong with the way you are dealing with cyber-risk.”
– Misconception: As a CEO, I need to get into the technical weeds to solve cyber-risk. Over 80% of CEOs are not technical but they think because they don’t have that expertise they are unable to discuss solutions. Cyber-risk can be discussed at a strategic level without ever getting into technical details.
– Misconception: Cyber-risk is not as critical as legal or financial risk. Cyber-risk can bankrupt you overnight and yet CEOs are not availing themselves of cyber expertise the way they do with lawyers and accountants.
TC: Why are small businesses more susceptible to cyber risk?
CJ: Smaller businesses are under-protected because the CEO doesn’t understand cyber-risk – usually from a strategic level. There’s a huge lack of cybersecurity expertise which is just getting bigger every month. So that is expensive talent to hire or keep. Also, it’s expensive to stay on the leading edge of technology when cybercriminal behavior morphs into ever-more successful tactics on a daily basis. They sometimes rely on solutions which aren’t sized correctly for the threats against them. It’s helpful to understand, for your “threat profile” in this case, your industry and company size and public relations profile.
Generally smaller organizations – under 25 people – will do better if they outsource their IT. Larger organizations will benefit from outsourcing key components of their IT.
TC: What risks do you see companies facing as we approach the 2020s?
CJ: More and more regions are becoming savvy in cybercrime, particularly ones we used to not see. Since 2016, there’s been a huge spike in cybercrime out of Western Africa and the more dollars they bring in through cybercrime, the more sophisticated they become in their methods. CEOs may think they can look away and the government will solve it, but these problems cannot be addressed unless leaders get on board with managing it.
Also, there are more cheap and easy-to-get tools that help hackers; for example, auto-reconnaissance tools. They can get your name and number and can scrape all your social media and professional websites to get as much data about you as possible; once all this info comes together it makes it really easy to *spear-phish you.
*Spear-phishing is the practice of phishing (sending an electronic communication posing as a known or trusted sender in order for the victim to reveal confidential information) but in a way that targets an individual who is known to have high-level access to data. CEOs and key executives are top targets for spear-phishing. The goal is often for targeted individuals to click on a link that will download malware on their computer.
TC: What can leaders do to protect themselves and their organizations from cybercrime?
CJ: Prepare and educate employees and executives against phishing attempts. 90% of successful breaches are caused by employee error, so you need to have some sort of training in place. Don’t forget how easily unhappy employees can be turned against the company. Finally, ask your IT what could be done to improve security; they always have some ideas (whether insourced or outsourced).
Cynthia has spent the last 14 years exclusively focused in the area of cybersecurity with over a decade spent with the top global cybersecurity firm Kaspersky Lab. She possesses one of the world’s most rigorous security certifications, the CISSP (Certified Information Systems Security Professional) which requires knowledge of (and continuing education on) best security practices within ten different areas, including physical security, software development and encryption. She also holds its companion credential, the Certified Cloud Security Professional (2019) and a Master of Cybersecurity Strategy and Information Management degree (2016) from George Washington University. She founded Cyberus Security in 2017 and recently sold the majority of the IP to a company which provides Security Operations Center (SOC)-as-a-Service called Arctic Wolf, which she subsequently joined. Cynthia speaks and writes extensively about cybercrime. In 2013 she published a book called Stop Cybercrime from Ruining YOUR Life! Sixty Secrets to Keep You Safe. She plans to bring her Cybersecurity Essentials for CEOs talk to TEC groups in Toronto in March 2020.