What Executives Need to Know About Cybersecurity: Lessons from Stanton Chase Stuttgart’s 14th SCI Leadership Dialogue

Executives and boards are faced with a new and growing challenge: cybersecurity and cyber resilience. 

By 2025, the global data pool will surge to 175 zettabytes, encompassing everything from streaming content to medical records. Companies will bear the brunt of ensuring this data’s security, a monumental task given the rising trend in cyber-attacks. For perspective, in 2022, there were almost 500 million ransomware attacks and compromised credentials caused data breaches costing an average of €4.22 million each in 2023.  

Stanton Chase Stuttgart recently held its 14^th SCI Leadership Dialogue on “Cyber-attacks and Legal Implications for Operational and Supervisory Management”. During this dialogue, Axel Petri, Deputy Chief Security Officer of Deutsche Telekom AG, discussed the history, motivations, and modus operandi of cybercriminals, along with preventive measures. 

The consensus was clear: it is not about if a company will be attacked, but when. Organizations need to prepare for the eventuality that cyber criminals will try to exploit weak spots in their cybersecurity. 

After a cyber-attack, the onus is on an organization’s leadership not only to resolve technical issues but also to identify those responsible. Dr. Thomas A. Degen, a specialist lawyer for IT law and partner at the Stuttgart-based Jordan & Wagner Rechtsanwaltsgesellschaft, emphasized that top management is liable for cyber-attacks, and cannot absolve themselves by passing on the responsibility. The violation of their duty can result in personal liability, not covered by Directors and Officers (D&O) insurance.  

The event, which was hosted at Galerie von Braunbehrens in Stuttgart, concluded with a question and answer (Q&A) session followed by group discussions, all while participants enjoyed local gourmet food and wine. 

From left: Dr. Thomas A. Degen (Partner at the Stuttgart-based Jordan & Wagner Rechtsanwaltsgesellschaft), Axel Petri (Deputy Chief Security Officer of Deutsche Telekom AG), and Helmut R. Haug (Managing Partner at Stanton Chase Stuttgart). 

Axel Petri, Deputy Chief Security Officer of Deutsche Telekom AG. 

Dr. Thomas A. Degen, Partner at the Stuttgart-based Jordan & Wagner Rechtsanwaltsgesellschaft. 

Where Does the Cyber Threat Come From? 

Often, businesses picture cyber-attack culprits as distant threats, but reality is closer to home. Homebred, often youthful, cyber felons have caused millions of Euros in damage in recent years. 

In 2016, Mirai malware, initially developed for a Minecraft protection-racket scheme, was employed in large-scale network attacks, impacting OVH Cloud Computing Services and DNS provider Dyn, resulting in service disruptions for users of GitHub, Twitter, Netflix, Reddit, Airbnb, and others. Mirai also caused connectivity issues for around 900,000 Deutsche Telekom routers. The open-source sharing of Mirai’s code led to the creation of new variants like Okiru, Masuta, PureMasuta, and OMG, with OMG specifically targeting vulnerable Internet of Things (IoT) devices. 

The mastermind behind the original Mirai? A 22-year-old Rutgers University student, Paras Jha. 

In 2010, 20-year-old Christopher Weatherhead caused PayPal a loss of more than four million Euros by bringing down its system for 10 days, all while living at his parents’ home. 

These instances highlight that cyber threats often stem from ordinary, self-taught coders in our own locales. This reality makes cybersecurity all the more daunting, as threats can arise from anywhere. 

How Can Executives Enhance Cybersecurity in Their Organizations?

During Stanton Chase Stuttgart’s 14th SCI Leadership Dialogue, it was underscored that executives and board members must prioritize cybersecurity to avoid potential legal liability. This holds true both in Germany and on the international stage. 

If your business lacks a cybersecurity policy (and a contingency plan for a digital breach or assault), you’re already lagging. Moreover, you’re at risk of being implicated in legal proceedings if your company falls victim to a cyber-attack. 

C-suite leaders should aim to: 

1. Foster a Cybersecurity Conscious Culture 

When all individuals within your organization, from entry-level staff to board members, prioritize cybersecurity, you significantly reduce the risk of being a cyber-attack target. Employee errors account for 85% of data breach incidents. Once all employees understand the potential repercussions of a cyber-attack on the company, you’re one step closer to a safer organization. 

Cultivating a cybersecurity-aware culture should include offering training and development opportunities to employees, making them the custodians of your organization’s digital defenses. Employees should also be trained to exercise caution when using personal software applications and social media platforms on company devices. In 2022’s first quarter, 52% of phishing attacks were instigated via LinkedIn. Unaware employees might unknowingly click on phishing links and become victims.  

Plus, 80% of all hacking-related data breaches in 2019 were due to compromised passwords, causing substantial financial damage to businesses and consumers. That’s why maintaining password policies, regular password updates, and multi-factor authentication (MFA) usage is crucial. 

2. Combat Digital Threats with Advanced Security Technologies

Currently, 4.1 million websites worldwide are infected with malware. Unless they have the technology to detect this, the organizations owning and using these websites remain oblivious. That’s why it’s crucial to dedicate resources to implement and maintain robust cybersecurity technologies, including firewalls, intrusion detection systems, encryption tools, and endpoint protection software. Regular system updates and patches are needed to address potential vulnerabilities.  

Although the initial financial investment in cybersecurity technology might be daunting, businesses with fully deployed cybersecurity AI and automation experienced breaches that were €2.89 million less expensive than those without such setups—a substantial saving.  

3. Conduct Risk Assessments and Penetration Testing

About 29% of organizations that endure a data breach will experience a repeated incursion within three years. The reason these organizations fall prey again is that their cybersecurity protocols don’t involve investigating how breaches and attacks transpire—merely handling attacks and breaches as they occur. This highlights the need for risk assessments and penetration testing.  
 
While everyone is familiar with risk assessments, few organizations invest in penetration testing. Risk assessments can greatly reduce the risk of data breaches, but when it comes to distributed denial-of-service (DDoS) attacks, malware, and ransomware, penetration testing can be a lifesaver. Penetration testing, often referred to as “pen testing,” is a proactive and authorized simulated cyberattack on a computer system, application, network, or organization to identify security weaknesses and vulnerabilities. The objective of penetration testing is to assess the security of the target environment and assist organizations in understanding their potential risks and areas for improvement in their cybersecurity defenses. 

4. Hire Cybersecurity Experts

Yes, enlisting a cybersecurity specialist or outsourcing this function might be costly, but not as much as a cyber breach. Eighty-three percent of corporate boards advise beefing up IT security personnel. This is a logical move, considering that a business may need up to 8 months to bounce back from a cyber-attack. During this period, the firm’s reputation may take a hit, and clients might seek alternatives. It is therefore prudent for companies to appoint Chief Information Security Officers (CISOs) or Chief Security Officers (CSOs) in their executive ranks, individuals with a rich background in cybersecurity and skills in curbing cyber threats.  

Eighty-three percent of corporate boards advise beefing up IT security personnel.

Regrettably, sourcing for cybersecurity experts can prove challenging. There’s a global shortfall of 3.4 million cybersecurity professionals, an issue that is even more glaring in the C-suite. This is when a global executive search firm experienced in cybersecurity leadership like Stanton Chase becomes invaluable. We are poised to assist you in identifying the cybersecurity executives necessary to shield your organization. Click here to contact one of our consultants. 
 

About the Author 

Helmut R. Haug is a Managing Partner at Stanton Chase Stuttgart. He began his professional career in the FMCG industry as a project manager for business process reorganization. He then spent several years working in business consulting and management positions in the aerospace and retail industries, which provided him with a broad understanding of the business world and insight into the cultures of both large organizations and small-to-medium-sized businesses. 

Since 1996, Helmut has been involved in management consulting, specializing in personnel matters such as executive search and executive assessment. In April 2000, he acquired a reputed executive search company and joined a leading global network. In early 2001, he founded another executive search firm in Stuttgart. In July 2008, he merged the Stuttgart office with Frankfurt and Düsseldorf to form Stanton Chase in Germany. Today he is Managing Director of Stanton Chase Stuttgart.