There is no escaping. You can not turn on the news or open your phone without hearing about another cyber-attack. From meat suppliers to pipelines our nation's resources are being threatened at unprecedented levels, and the scariest part is that every single business regardless of size is at risk. In fact, 88% of all organizations have been the target of an attack and that number continues to rise [1].
With the average cost of a breach costing companies nearly $4 million how is your business prepared to manage such a massive risk? Unfortunately, the most common method I have found is placing it in the hands of their IT provider. On the surface, this seems like a well-informed decision. Why not have the technology team who deal with ‘this stuff’ every day be the ones keeping an eye on it? I am here to tell you this couldn’t be further from the truth.
Organizations that place cybersecurity risk management in the hands of their IT department are doomed to fail.
Now I am not here to belittle the work of IT professionals. Whether they are in-house or managed by a third party, IT is a critical component to any business’ success. We have an excellent systems admin on our staff, and I have worked with countless other IT personnel over the years who excel at their jobs. The problem comes with the nature of cybersecurity and the specialization that goes into it. To better understand let’s use a medical world example.
Why is having your IT department handle your cybersecurity a bad idea?
Cyber Cardiologist vs General Practitioner
Regular check-ups with your general practitioner to review your health are highly encouraged. Usually, you trust your doctor and listen to their advice. They are someone you can depend on to be there when you need it. However, if something serious happens regarding your heart then you likely will need to see a cardiologist. This doesn’t mean your general practitioner is not good at what he does, but this ailment requires someone who specializes to help you fight the problem.
Cybersecurity follows this exact same path. Your IT team is your general practitioner, working with you to fix day-to-day issues and keep the operation healthy. Cyber risk is the heart disease. An over-encompassing issue to the health of your organization that goes beyond just your IT team. They will play an important role in keeping the disease in check, but the diagnosis and plan of action should be coming from ownership and executives working hand in hand with a team that specializes in cybersecurity.
True Cyber Risk Management Demands Executive Buy-In
“My IT guy says we are good” is not enough in 2021 to protect yourself from the onslaught of phishing attempts, malware, ransomware, and social engineering that plagues organizations of all sizes. A holistic approach to managing your cyber risk involves ownership and executives viewing numerous aspects of their organization to get a better understanding of where they stand and what needs to change.
Some questions they can ask themselves to get in the right mindset are:
- Who is accountable for cybersecurity compliance?
- What kind of policies and procedures do we have in place for both before and after a hack?
- What is our data backup and recovery plan? Have we ever tested recovering from backups?
- What are the hard costs associated with machines going down?
- Do we have two-factor authentication in place?
- Are we able to show how our firewall is detecting attempted hacks?
- Do we understand what type of regulatory requirements we are required to meet?
- What kind of security training do we have in place?
- Are we currently assessing and improving our security measures?
Cybersecurity is a business problem that requires a commitment from executive leaders to drive true change in the organization. If your organization is unable to or unsure how to answer these questions it is a good sign that you likely are at a high risk for a data breach or attack. Putting together a comprehensive plan to better understand and begin to truly manage your cyber risk can be a tough process, but it is absolutely vital for continued company growth.
