Small Biz: CEO Role
The dramatic rise in cybercrime makes it hard to keep up with the various threat tactics in play, and small businesses often suffer the most, since they are without the systems, processes and people bigger companies rely on. Nonetheless, experts point out that when the leaders of SMBs tune in to cybersecurity, they can have a big impact.


No Sitting On The Sidelines

The U.S. Small Business Administration (SBA) observes that business owners have good reason to become a bit like deer in the headlights when pondering cybersecurity: “Small businesses are attractive targets because they have information that cybercriminals want, and they typically lack the security infrastructure of larger businesses… Many businesses can’t afford professional IT solutions, have limited time to devote to cybersecurity, or they don’t know where to begin.” However, as the Cybersecurity & Infrastructure Security Agency (CISA) (aka “America’s Cyber Defense Agency”) reminds us, it is critical for the leaders of SMBs to take an active role in driving cybersecurity efforts across the business, and not merely delegate it out as a task for “the tech folks.” For starters, experts urge us to stay up to date, noting, “As a small business owner, you have likely come across security advice that is out of date or that does not help prevent the most common compromises. For example, odds are that you have heard advice to never shop online using a coffee shop’s wi-fi connection. While there was some truth to this fear a decade ago, that’s not how people and organizations are compromised today. The security landscape has changed, and our advice needs to evolve with it.”


Although CISA points out that tuning into cybersecurity is not a “guarantee you will never have a security incident,” leaning in is certainly better than sitting on the sidelines. In fact, the leaders of small businesses have a critical role to play in making cybersecurity part of the company culture. Experts remind us: “Cybersecurity is about culture as much as it is about technology. Most organizations fall into the trap of thinking the IT team alone is responsible for security. As a result, they make common mistakes that increase the odds of a compromise. Culture cannot be delegated.” Specific to the CEO role in cybersecurity, two of CISA’s recommendations are:


Establish a culture of security. Make it a point to talk about cybersecurity to direct reports and to the entire organization. If you have regular email communications to staff, include updates on security program initiatives. When you set quarterly goals…include meaningful security objectives that are aligned with business goals. Security must be an “everyday” activity, not an occasional one. For example, set goals to improve security of your data and accounts through the adoption of multi-factor authentication (MFA)…the number of systems you have fully patched, and the number of systems that you backup.


Select and support a “Security Program Manager.” This person doesn’t need to be a security expert or even an IT professional. The Security Program Manager ensures your organization implements all the key elements of a strong cybersecurity program. The manager should report on progress and roadblocks to you and other senior executives at least monthly, or more often in the beginning.


Another way in which business leaders can demonstrate commitment to a culture of cybersecurity is by championing the use of multi-factor authentication (MFA) “from the top.” As defense experts observe:


There are places where the support of the CEO is critical, especially where the security program needs the help of every staff member. Take ownership of certain efforts instead of asking IT to do so. For example, do not rely on the IT team to persuade busy staff that they must enable a second way to sign-in to their email by enabling MFA. Instead, make the MFA announcement to the staff yourself and keep track of the progress. Personally follow up with people who have not enabled MFA. Doing so creates a culture of security from the top.


Ensure Response Readiness

To prevent cyber incidents from turning into disasters, CEOs must also ensure that the business has a solid response plan in place. Again, it’s best practice for employees from across the organization (not just IT) to be involved in preparations and protocols for cyber breaches—and to practice implementing the response plan “in peacetime,” as well as after “near misses” and “false alarms.” When pondering the response readiness of your business, don’t forget, Colonial Surety is here to help with affordable and easy to obtain basic cyber liability insurance. Our coverage is specifically designed to arm SMBs with a “one-two” punch:

  1. A timely and expert-led response to data breaches
  2. Protection from lawsuits and regulatory actions related to the breach.

Armed with Colonial’s Cyber Liability Insurance, in the event of a cyber breach, your business will receive support at every stage of incident investigation and breach response. You’ll have experts helping you through the legally mandated steps required in a timely manner following a cyber breach. Legal services, computer experts, call center services, customer notifications, and more, are included to mitigate the damage to your business and customers in the event of a breach. Of course our Cyber Liability Insurance also indemnifies you for losses from covered lawsuits or regulatory actions related to the breach. Don’t go it alone: obtain cyber liability insurance now.


Employers who sponsor company retirement plans have even greater reason to worry about cybersecurity: even relatively small breaches can quickly spiral into allegations of fiduciary failure. Stay up to speed on the Department of Labor’s Cybersecurity Guidance–and secure protection via Colonial’s affordable Cyber+Fiduciary Liability Insurance package. Along with defense costs and penalty limits up to $1,000,000, our liability insurance package for plan sponsors includes:

  • Expert-led response services following a data breach.
  • Protection from lawsuits and regulatory actions related to the breach.
  • Legal services.
  • Computer forensic services.
  • Public relations and crisis management expenses.
  • Notification services.
  • Call Center services.
  • Credit and identity monitoring.

Protect yourself, your business and the plan, efficiently and affordably today:

Cyber+Fiduciary Liability Insurance HERE


Pension Plan Professional?

Colonial already ensures your plan sponsor clients have the coverage they need. Let us help you too. From Errors and Omissions Insurance to Fiduciary Liability Insurance, Employment Practices Liability Insurance–and more, we’re HERE with the coverages pension professionals need to keep their businesses going—and growing.

Colonial Surety Company is rated “A Excellent” by A.M. Best Company, U.S. Treasury listed and in business all across the country. Serving customers since 1930, we are the trusted source for the pension industry to secure legally required ERISA bonds, fiduciary liability insurance and cyber-liability insurance. We help safeguard plan sponsors, pension professionals and financial advisors — and keep their businesses compliant — with pain-free, efficient, and friendly service every time.