IT Security Leaders: It’s Time for a Bigger Seat at the Table
IT teams must have a bigger seat, and budget, at the boardroom table, while embedding their cybersecurity efforts across business functions.
The cyber threat continues to grow and evolve, with the number of attacks increasing year-on-year. As cunning hackers take advantage of the ongoing pandemic by targeting remote workforces, businesses are forced to contend not only with this increased security risk, but also furloughed staff, social distancing restrictions and a turbulent economic market.
But while in survival mode, cybersecurity can often slip down businesses’ priority lists. The last twelve months have arguably been the most challenging times for businesses of all sizes, but efforts invested to keep the business afloat will be useless if the back door to their network is left open for cyber criminals. To combat this, IT teams must have a bigger seat, and budget, at the boardroom table, while embedding their cybersecurity efforts across all departments of the business.
Cybersecurity must remain a priority for businesses at all times, even challenging ones, despite COVID-19 stretching many organizations’ IT and/or cybersecurity teams to the maximum. However, managing and surviving throughout the pandemic alone has remained the prime concern, as 84% of businesses and 80% of charities revealed that COVID-19 has made no changes to the importance they place on cybersecurity. It is surprising that businesses still aren’t prioritizing cybersecurity despite an increased cyber threat level and more sophisticated hacking incidents taking place.
The main hurdle the majority of businesses are facing at the moment is losses in revenue, meaning they may not have the budget to invest more heavily in cybersecurity – which is supported by a recent survey that found that 79% of organisations expect cybersecurity budgets to be impacted in the next six months, if not sooner. Yet, in order to succeed in the post-COVID-19 era, security must be at the top of the business agenda, not only to keep business data safe, but also to maintain business continuity and protect against emerging cyber threats.
We’ve all sent an email to the wrong person, but this mistake has the potential to put the whole company at risk. Whether it is sharing the incorrect attachment or adding the wrong recipient to an email thread, once an employee clicks send, a business without specific DLP rules, policies or tools in place often has no way of knowing whether this information will end up in the wrong hands.
With so much communication reliant upon email, human error is the main cause of data breaches. Humans make mistakes, and with additional pressures from the ongoing pandemic, such as working from home surrounded by potential distractions, these errors are now even more likely to occur. But this is also due to a lack of awareness and training. With the number of cyber attacks not slowing down, giving IT teams a bigger seat at the table, and a slice of the budget, will help to increase employee awareness and improve email culture throughout an organization, at a time when mistakes can so easily be made.
Many organisations have not yet taken the essential steps to properly integrate cybersecurity into their general operations – despite a rising number of cyber attacks across all businesses, with 88% of UK companies having suffered a breach in the last 12 months. A cybersecurity strategy is most effective when it has multiple layers and is deployed consistently from the beginning, not as a once-a-year tick box review or training exercise. By deploying a multi-layered, security-first and awareness-first defence strategy, including the basic foundations of email, endpoint and web security alongside the emerging necessities of security awareness training, remote working zero-trust network access tools and other user-first solutions, businesses can secure their operations both internally and externally.
Technology plays a crucial role in ensuring business data is kept safe, but so does educating employees and alerting them to potential threats in real time. Implementing innovative solutions that prompt employees to double-check emails before they send them can help reduce the risk of sharing the wrong information with the wrong individual, while enabling users to make more informed decisions and reinforcing compliance credentials.
In order to create an effective cybersecurity strategy, the ‘us vs. them’ mentality must be shifted. It is not just the IT department’s duty to keep the organization secure. Instead, this issue must be prioritized in every department across the business – as every end user and team has something valuable at stake. All employees are responsible for playing a part in keeping business data safe and they should be actively recruited into this role from the beginning – the stakes are too high for businesses to not take advantage of all available resources and personnel.
Business collaboration plays a vital part in this approach. In addition to educating employees and ingraining ‘cybersecurity first’ as part of the culture, the IT defence strategy must be embedded across all areas of the business, including HR, customer service and finance, for example. The potential consequences of a data breach must be explained, such as the financial repercussions, loss of customers and tarnished business reputation – real, revenue-impacting consequences. By having a workforce that is mindful and understands the responsibilities they have on the front line of defence, companies can ensure that everything they do is underpinned by both user education and a robust and secure IT security infrastructure.
The final decision to click the link, send the sensitive information or download the file lies with the user. But by ensuring that a strong and secure cybersecurity culture is instilled from the top of the business to the bottom, company assets can be kept safe, and the risk of successful cyber attacks can be reduced.
IT teams are the foundation of creating and deploying the right cyber defence strategy, but unless they are given a priority seat at the table during these crucial times, the value of their approach might go unheeded. The responsibility of keeping information safe applies to all levels, from CEO to apprentice, but until a business has the basics right and takes on a ‘security-first’ approach, the risk still remains. Yet, the difference between a trained and an uneducated workforce could mean the difference between an organization surviving a cyber attack, or suffering the devastating consequences.
(The author, Andrea Babbs, is General Manager, Vipre Security UK and Ireland, and the views expressed in this article are his own.)