Everything a CEO Needs to Know About Securing Their IT Systems (But Probably Doesn’t)


IT needs security direction from leadership

The biggest security failures are leadership failures, not technical failures.

What you should do

  • Define your risk tolerance in writing.
  • Consider how your business would be affected by IT systems downtime. 1 hour? 1 day? 1 week?
  • Identify which data you cannot afford to lose or leak.

Your weakest link is usually people, not the tech

What you need to know

  • Most security incidents start with credential theft or social engineering.
  • Leadership can help make security policy part of the business culture.

What you can implement

  • Make using password managers mandatory. This helps enforce strong, unique passwords automatically. Anything to prevent lazy or reused passwords.
  • Build systems that support safe automatic updates across all devices and servers.
  • No local admin rights for day-to-day work.
  • Perform regular phishing simulations.

Protect credentials

Most security guidelines emphasise the importance of firewalls to protect servers and services from attacks.

There is typically less focus on protecting credentials.

What you need to know

  • Most breaches start with compromised credentials.
  • Email accounts are high-value targets.
  • Compromised mailboxes, can result in sophisticated phishing attacks, and makes it easier for hackers to bypass email-based security systems.

What you should require

  • Phishing-resistant MFA (FIDO2 or passkeys where possible).
  • Avoid shared accounts.
  • Separate admin accounts from normal accounts.
  • Conditional access policies (location, device compliance, risk signals).

AI Is Making Attacks More Personal

AI lowers the cost of attack and increases hacking success rates.

What’s changing:

  • More convincing phishing attacks.
  • Attackers can personalise messages using public data.
  • Distributed attack infrastructure. Attacks come from many IPs, not one source. This makes IP address based security rules less effective.
  • Vulnerability scanning is faster at finding and exploiting vulnerabilities.

The same security principles that protect you from regular security incidents, also protect you from AI attacks.


Hosted Platforms Reduce Risk — But Shift Responsibility

Cloud and hosted platforms are safer than DIY servers. But they don’t remove responsibility.

What CEOs misunderstand

  • “We’re in the cloud” does not mean “we’re secure.”

What you should do

  • Understand your responsibilities: users, access, data, configuration.
  • For each vendor, confirm:
    • Patch and update policies
    • Logging access
    • Incident response SLAs
    • Data export and deletion controls

Third-Party SaaS Is a Major Risk Multiplier

You likely use:

  • CRM
  • Accounting
  • Marketing automation
  • HR systems
  • Support platforms

Each holds sensitive data.

What you should do

  • Maintain a SaaS inventory.
  • Remove unused services.
  • Reduce stored data to the minimum.
  • Set retention limits.
  • Require vendor security attestations.

Backups Are Useless If Not Tested

Most companies assume backups work. Few test them.

What you must require

  • Offline or immutable backups.
  • Restore testing (e.g. quarterly)
  • Defined recovery time (RTO).
  • Defined data loss tolerance (RPO).

Ask your team to restore something in front of you.


Regulation forces accountability upward.

Across the world:

  • Larger fines.
  • Mandatory breach notification.
  • Director-level responsibility.

Regulations make security a governance responsibility.


The CEO’s Security Checklist

Want to stay ahead of most small businesses?

  1. Enforce password managers company-wide.
  2. Enforce MFA everywhere.
  3. Configure disk encryption on all devices (so when it is fished out of a landfill its drives are of no use without login credentials)
  4. Remove standing admin rights.
  5. Maintain a SaaS inventory and purge unused data.
  6. Test backup restores.
  7. Run an incident tabletop exercise.
  8. Require monthly security reporting to leadership.


Leave a Reply