How to Fend Off Cyberattacks
The Insightful Leader. Sent to subscribers on March 9, 2022

Good morning,

Many of our Kellogg experts have led fascinating past lives. Take, for example, Michael Rogers, a retired four-star admiral and former National Security Agency director, who also served as the commander of the United States Cyber Command.

So who better to talk with about cyberattacks, which are a growing concern for leaders at organizations big and small? He’s featured in our two-part podcast series on cybersecurity, and we’ll focus today on Part 1, where Rogers helps us understand how businesses can protect themselves from attacks. (If you’re interested in something more tied to current events, you can check out the interview we recently posted with him about what the war in Ukraine means for cybersecurity.)

And if you’re worried that you’re not an IT expert and this topic isn’t for you, Rogers encourages you to think about it in the context of risk.

“Cyber is just one element of the broader dimensions of risk that, as an organization, we deal with every day,” he says.

How to Protect Your Organization from a Cyberattack

Rogers, who is a senior fellow and adjunct professor in the Kellogg Executive Leadership Institute, starts by rattling off a list of security measures that you’re probably already doing. (And if you’re not, start now!) “Strong encryption, good virus protection, strong password-changing policy,” he says.

But truly protecting your organization’s network—especially in an era of remote work where work computers are doubling as home computers—requires more. Here is some of Rogers’s advice:

Limit access: “A lot of organizations, quite frankly, give way too much access to way too many people beyond what they really need to do their jobs,” Rogers says. Yes, this wide access may make it easier for certain people to do their jobs. But it also opens up more doors for hackers to sneak through. He recommends you assess who truly needs broad administrative access to your network, and scale back where possible.

Reward the rule followers: Many organizations routinely test employees with emails that look (kinda) like they’re legit and try to get people to click on a link or reveal sensitive information. If an employee falls for it, they get admonished. Rogers would like to see the opposite happen, too. “We have got to incentivize and reward positive behavior. … When they don’t click on the link, why aren’t we, for example, recognizing them? Putting out a nice email that says, ‘Hey, the following 10 employees did perfect on the last update test for software that we did.’ Or ‘Hey, we’re going to do a drawing this week, and out of the 100 people that we did a spear phishing test with, we’re going to do two gift cards for a restaurant.’”

Try to hack yourself: To put your cybersecurity to the test, Rogers suggests trying to attack yourself, or hiring a company to do so. “You pretend you’re an outside entity, you’re a criminal or a nation state, and you actually try to attack your own network,” he says. Another option: hire a company to “grade” your cybersecurity. These groups will give you a number grade on how secure your network is and tell you how that compares with other organizations your size.

You can listen to the full podcast with Rogers here. We’ll focus on Part 2 in the series, which explores what to do if you’ve been hacked, in a future newsletter.

What Do You Want to Know?

The Insightful Leader wants to help you think through difficult questions or transitions in your career. Let us know what you’re struggling with or thinking about, and we’ll try to find a professor or piece of research that can answer your questions. Email us at insight@kellogg.northwestern.edu.

Today’s Leadership Tip

“Investors value gender diversity. … They value it very strongly.”

—Professor emeritus Thomas Lys in Insight, on research showing that tech and finance companies’ stock prices rose when they released reports showing increases in diversity in their ranks.