Public and private institutions around the world are facing the imminent risk of cyber assault, threatening business continuity. One cyber firm estimates global cybercrime costs will grow 15 percent year-over-year, reaching $10.5 trillion annually by 2025, underscoring the material risk for businesses that suffer a breach.
That is why it’s more important than ever for business leaders to build cyber resilience as an urgent priority. “It’s never been more urgent due to the increasing opportunities for attackers to breach vulnerable systems, and incentives for them to do so as seen in the rise of ransomware and trade-secret theft,” says Scott Shackelford, professor of business law and ethics at the Indiana University Kelley School of Business.
He directs the Cybersecurity Management certificate program at Kelley — one of a growing number of executive education courses that are helping business leaders to gain skills in cybersecurity risk management, and best practices to better protect their organizations.
Cyber: now a strategic business issue
Grasping this has never been more urgent for business executives, as cyber risk has become a strategic business issue rather than just an operational one.
“Gone are the days in which conversations about cybersecurity were just happening among IT professionals,” Shackelford says. “We have seen C-suite executives and board members be held accountable for breaches, with increasing oversight from regulators — including from the SEC to require more robust disclosure of cybersecurity governance practices,” he says, referring to the US Securities and Exchange Commission.
The SEC’s new rule requires public companies to report breaches within four business days after discovery or face fines and other penalties. “Cybersecurity is essential to the functioning of any modern corporation, but for some it’s even becoming a competitive advantage, as well as a shared corporate social responsibility,” says Shackelford.
On Kelley’s executive course, participants learn about the technical, legal, and business dimensions of cybersecurity risk management, and how to communicate effectively about cyber risks across different industries and sectors.
So, what can businesses do to prepare for cyber assault, strengthen their protections, and protect against malware at this critical time?
Four steps to cyber resilience
In short: be cautious, proactive and informed, Shackelford says.
First, keep everything up to date. “Many breaches, including the 2017 one at the Equifax credit bureau that exposed the financial information of almost every American adult, boil down to someone leaving out-of-date software running,” he says.
Second, use strong, unique passwords — ones that are at least 14 characters long, with numbers, punctuation or symbols for added complexity.
Third, enable multi-factor authentication. “In many situations, websites are requiring users not only to provide a strong password but also to type in a separate code from an app, text message or email when logging in,” says Shackelford. You could also consider getting a physical digital key that can connect with your computer or smartphone.
Fourth, encrypt and back up your most important data. “If a hacker copies your files, all he’ll get is gibberish, rather than, for instance, your address book and financial records,” he says.
A wide array of executive courses
Shackelford’s course is far from the only option for leaders in business. MIT Sloan School of Management offers the Cybersecurity Governance for the Board of Directors program. It has multiple learning outcomes, including addressing SEC requirements that boards and senior executives understand and provide effective governance of their company's cybersecurity capabilities.
Keri Pearlson, executive director of cybersecurity at MIT Sloan, says that cyber resilience, instead of cyber protection, must be the key focus for organizations today. “We know that malicious actors are busy trying to find new and innovative ways to break into our organizations, steal our data and disrupt our businesses,” she says. “We cannot protect against every one of these kinds of attacks, in part because the bad guys are always coming up with new approaches. So the alternative is to build resilience.”
In the MIT course, the instructors share a basic framework for thinking about protection, detection, response and recovery so that board members have a way to structure their thinking about cybersecurity investments.
“We talk about regulations and responses, so board members understand what their regulatory entities expect,” Pearlson says. “We use case studies, tabletop exercises, lectures, and extensive discussions to expand each leader’s comfort level and current knowledge of cybersecurity, and to help create actionable insights so when they return to their organizations, they can take action immediately.”
MIT and Kelley are far from the only business schools offering cybersecurity programs for executives and board members. In the UK, the Oxford Cyber Security for Business Leaders Program gives participants a practical grounding in cyber security and its impact on organizations.
In Switzerland, IMD offers the Cybersecurity Risk and Strategy program, in which participants learn to respond to new security threats and build a more cyber-resilient business. Meanwhile, New York’s Columbia Business School has launched a new course named Leading Cybersecurity in Your Organization. It has been designed for executives who want to better understand how to respond to the rapidly escalating risk of cyberattacks.
Such courses are likely to multiply in number as the frequency and severity of breaches increase, and business leaders are forced to respond.