We all benefit from the advantages of a connected world. Business, government, education, healthcare, and individuals have come to rely on the data at our fingertips and the ease of work and commerce that it affords. Most of us though, take those benefits for granted, leaving digital security to the IT department only or worse, not thinking of it at all until there’s a problem (which, despite the constant headlines of attacks and breaches, happens more often than you think!).
Who owns cybersecurity? Everyone. During October’s national cybersecurity awareness month, here are three ways that organizations can ensure everyone has a role in the shared responsibility of reducing cyber risk.
- Understand what cybersecurity really means. There are countless data security tools and technologies to prevent and detect cyber intrusions. However, a single-minded approach to IT security elevates the role of these sensors at the expense of other considerations, such as the importance of instituting a mature cyber security culture, a panoramic threat analysis across the enterprise of how cyber infection can metastasize, and understanding what it means to be resilient and get back to business as quickly as possible if a cyber event does occur.
- Establish a proactive cybersecurity strategy. Seems crazy to have to mention this still, but never assume that your organization won’t or hasn’t already been a target. It is still amazing to hear risk managers and other enterprise security leaders that we encounter in the market and on the speaking circuit who deny their victimhood or think they are not “important” enough to even be targeted in the first place. Sixty per cent of attacks in 2014 were against small-and medium-sized organizations, according to the Symantec 2015 Internet Security Threat Report. Advanced attackers targeted five out of six large companies. Don’t wait.
- Start by creating a data classification policy. Review and categorize data and intellectual assets by degree of sensitivity and value to the organization.
- Assess risk. Identify the most serious threats to your data by considering how and where your organization operates, your supply chain, and what risk controls are currently in place.
- Plan for the worst. Do you have a crisis management plan in place to quickly respond to a cyber attack? Multiple studies have shown that financial losses from a single cyber attack can exceed $50,000 for small businesses, and well over $1 million for large organizations. Having a quickly executable plan that includes clear responsibilities and lines of communication will help minimize the damage.
- Consider cyber insurance as a final safeguard of an overall risk management plan that prioritizes security assessment, holistic cyber risk solutions, and an organizational focus on security. In September, Sarah Bloom Raskin, Deputy Secretary of the Treasury Department, described cyber insurance as “a game changer” because the underwriting process that businesses undergo to apply for cyber insurance can help determine weaknesses and encourage best practices. Cybersecurity then “becomes part of an organization’s DNA,” she said.
- Create a cybersecurity culture. Cybersecurity is a shared responsibility. Each person in an organization should understand this and be accountable. And unfortunately, it starts with the not-so-exciting task of ensuring processes are in place to provide the backbone governing necessary security-related activities – from processes covering controls such as vendor access management, to firewall configuration, to remote wipe capability procedures within an enterprise BYOD deployment. Culture starts with process, and process is implemented through effective policies and procedures that are matured through equal application, enforcement, and management.
Cyber attacks happen every day. The cyber threat is evolving and growing. Knowing these facts, it’s time for organizations large and small to put cybersecurity in the hands of the whole team.
