As technology continues to evolve, cyber threats continue to grow in sophistication and complexity. Cyber threats affect businesses of all sizes and require the attention and involvement of chief executive officers (CEOs) and other senior leaders. To help companies understand their risks and prepare for cyber threats, CEOs should discuss key cybersecurity risk management topics with their leadership and implement cybersecurity best practices.

The best practices listed in this document have been compiled from lessons learned from incident response activities and managing cyber risk.

What should CEOs know about the cybersecurity threats their companies face?

CEOs should ask the following questions about potential cybersecurity threats:

• How could cybersecurity threats affect the different functions of my business, including areas such as supply chain, public relations, finance, and human resources?
• What type of critical information could be lost (e.g., trade secrets, customer data, research, personally identifiable information)?
• How can my business create long-term resiliency to minimize our cybersecurity risks?
• What kind of cyber threat information sharing does my business participate in? With whom does my business exchange this information?
• What type of information sharing practices could my business adopt that would help foster community among the different cybersecurity groups where my business is a member?

What can CEOs do to mitigate cybersecurity threats?

The following questions will help CEOs guide discussions about their cybersecurity risk with management:

• What is the threshold for notifying executive leadership about cybersecurity threats?
• What is the current level of cybersecurity risk for our company?
• What is the possible business impact to our company from our current level of cybersecurity risk?
• What is our plan to address identified risks?
• What cybersecurity training is available for our workforce?
• What measures do we employ to mitigate insider threats?
• How does our cybersecurity program apply industry standards and best practices?
• Are our cybersecurity program metrics measurable and meaningful? 
• How comprehensive are our cybersecurity incident response plan and our business continuity and disaster recovery plan?
• How often do we exercise our plans?
• Do our plans incorporate the whole company or are they limited to information technology (IT)?
• How prepared is my business to work with federal, state, and local government cyber incident responders and investigators, as well as contract responders and the vendor community?

Recommended Organizational Cybersecurity Best Practices

The cybersecurity best practices listed below can help organizations manage cybersecurity risks.

• Elevate cybersecurity risk management discussions to the company CEO and the leadership team.
• Implement industry standards and best practices rather than relying solely on compliance standards or certifications.
• Evaluate and manage organization-specific cybersecurity risks.
• Ensure cybersecurity risk metrics are meaningful and measurable.
• Develop and exercise cybersecurity plans and procedures for incident response, business continuity, and disaster recovery.
• Retain a quality workforce.
• Maintain situational awareness of cybersecurity threats.

Contact Rhyme IT for more recommendations on managing cybersecurity risks for small businesses.