Who is responsible for Cybersecurity in your business?
The answer to who is responsible for avoiding and mitigating cyberattacks may not be who you think…
The COVID-19 pandemic has played a key role in digital acceleration for many companies. As the digital landscape gets more and more complex, the threat of cyber attacks on critical business infrastructure is also growing rapidly. Hybrid working practices add to the situation by creating further risks to data and compliance, in addition to posing network security risks.
As businesses hurried to open up their networks to allow users to collaborate remotely, the risk of vulnerabilities increased. Think of it as rushing out of the house in an emergency and forgetting to close all the windows or lock all the doors. Many of those risks still haven’t been resolved and businesses are working with exposed networks or endpoints that run the risk of being targeted by a cyber attack.
So, what’s the best approach to mitigating such risks? The single answer to this is preparedness. The better prepared you are, the lower the chances of a security breach.
Firstly, let’s answer the important question – who is responsible for Cybersecurity?
If you are pointing at the CIO or IT Manager of your company, you may be only partially correct. Despite the drastic surge in cybersecurity incidents in the past few years, many organisations have not progressed from the ‘culture of accountability’.
Although the CIO, or CISO, still carries primary responsibility for cybersecurity in 85% of organisations (1), it is the entire organisation and everyone working in the business who holds the secondary responsibility for it.
Cyberattacks can be targeted at anyone in the business. Over 90% of attacks are made via email, either through phishing for information, malicious links in the email, or compromised attachments. They are often targeted toward those who have the most access or seniority in the business and are more likely to provide beneficial outcomes to the hackers if they fall prey to an attack. For example, it would be common to target someone who has access to the payroll or the ability to sign off on expenditures.
So the responsibility for cybersecurity in your business sits with everybody. Business leaders and heads of departments need to change the culture and mindset of people. Making Cybersecurity a shared responsibility and equipping businesses to participate in active decision-making will ensure cybersecurity becomes a culture within the business.
“The influx of ransomware and supply chain attacks seen throughout 2021 should be a wake-up call that security is a business issue and not just another problem for IT to solve.” – Paul Proctor, Distinguished Research Vice President at Gartner.
So how do you move towards making Cybersecurity a shared responsibility?
A detailed assessment of your current cybersecurity situation followed by a well-crafted implementation strategy for the future will prove beneficial. The first step is to have a plan, get buy-in from senior leadership or the Board and then focus on implementation. Being proactive and establishing a governance framework involving program leaders can also help.
In short, here’s what you can do:
1. Sharing Cyber Security decisions
Discussing the pros and cons of a cybersecurity model, investment, and training process with the wider leadership team will help prepare them for shared responsibility.
2. Presenting cost vs value
Preparing a detailed risk assessment report with the cost of protection vs value for the business will help move towards a well-evaluated working model.
3. Choosing credibility and awareness over fear
Most cybersecurity awareness, education, and risk planning happen by creating fear. Choosing the retention of credibility and business reputation over fear will encourage open communication and better collaboration.
4. Provide Cyber Security Training for Staff
People are the biggest target for cyber-attacks. Training your staff to be vigilant and to identify threats is the key to remaining protected. This can include training on email etiquette or on what to do in the event they have been the target of a cyber attack.
5. Cyber Insurance
Cyber security insurance is designed to fill the gaps in traditional insurance policies. Should you fall prey to an attack it can help you respond to both your own losses and any liability you may have. This can be as simple as the loss of income from downtime or it can cover costs associated with investigating and resolving the problem or even cover the costs of extortion payments in the case of a ransomware attack. Make sure this is discussed with your insurance provider.
Choosing the right cyber security partner
Lastly, if you have been tasked with the responsibility of managing cybersecurity in your organisation, make sure you select a qualified partner to implement your goals. Do your research on their accreditations and spend some time talking to them about your business to make sure they understand your challenges. They should be able to demonstrate that not only do they have the expertise to be able to support your business but they also understand where your business is headed. This will allow them to develop a strategy for continued support and protection, and provide a detailed roadmap for the future.
Ricoh has a leading team of cybersecurity experts who help customers mitigate their cyber risks and prevent incidents by putting the right security measures in place. We can also help with end-user security training and ongoing testing to ensure employees don’t fall prey to email phishing and similar attacks.
No matter what part of the journey you are on, our team can guide you towards a highly secure infrastructure for your business, so you can rest easy.
Book our detailed 77-point Security Assessment Session. Stay protected.
(1) Based on the Gartner View from the Board of Directors Survey 2022.