Cybersecurity, one of the most important buzzwords and global technology challenges, is often defined as “the protection of information systems from theft or damage to the hardware, the software, and to the information on them, as well as from disruption or misdirection of the services they provide.” Cybersecurity threats and risks are everywhere, and businesses all want to be secure, from the C-level and Board of Directors down through front-line employees. Recent breaches that have made front-page news strike fear into the hearts of everyone. Larger organizations like Target and Sony have the assets to weather the fallout of a cybersecurity event, but a breach or hack could destroy the reputation and brand of a smaller company. A breach might be especially impactful to a company that survives month to month or does the bulk of its business during a specific season.
One would think that with all of the risks related to cybersecurity, companies would do “whatever it takes” to ensure security. In speaking with industry peers at conferences and technology events, I'm surprised to hear that many business leaders don't want to make the sacrifices to be secure. I like to compare cybersecurity to weight loss; being secure is like wanting to lose 10 pounds. Everyone (myself included) wants to lose 10 pounds, but doing the diligence to lose those 10 pounds takes effort and sacrifice, and only a few can really do what it takes to make that happen. I like to apply that analogy to cybersecurity. Everyone wants to be secure, but few truly put forth the effort to be secure. It’s our job as Information Technology (IT) leaders to make the strong case to the business and “close the deal” to ensure that the right funding and resources are obtained, and most importantly that the business truly buys in. This is a huge challenge for small to midsized organizations that aren't familiar with strong controls. Larger organizations already have controls in place.
“The goal of cybersecurity isn't to change the way the business functions, but to make things more secure.”
I definitely hear about resistance to doing things a new way and securely from peers all the time. The avoidance of change itself is usually the root cause of the anxiety, not the actual cybersecurity initiative. The following are a few examples of business resistance to cybersecurity initiatives seen industry-wide.
• Blocking Third-Party Email – This is how data leaves the company and viruses get in, bypassing email filtering and controls.
• Blocking External Media like USB and CD-ROM – This too is how data leaves the company and viruses get in, bypassing controls.
• Blocking Non-Corporate Wireless – Again, a back door in and out of the company environment.
• Rogue Offices – Offices that don't have the right controls are an enormous corporate security risk.
• User Accounts with Admin Rights – This is a big one. Many employees want local admin rights to perform tasks requiring elevated system rights. Malware and viruses can easily propagate through the machine and the network using an account with elevated rights.
• Blocking Non-Corporate Application Installs – Nobody needs WeatherBug. Sorry. Application whitelisting helps prevent malware from being installed.
• Secure Mobile Devices – If you want to get email on a phone, the data must be encrypted and the device must be password protected.
• Strong Passwords – abc123 isn't a strong password.
• Folder Restrictions – Ensuring employees have rights to only what they need helps prevent the spread of ransomware.
• Managing Social Media – Policies that outline what can and can’t be posted by employees. No, you shouldn’t post a photograph of your Game of Thrones script on Snapchat.
• Managing Physical Security – Lock the doors! Follow a clean-desk policy.
• Web Filtering – No, you can’t gamble online using the organization's resources.
How to “Make the Sale” and Get Buy-In
Our job as IT leaders is to develop services that enable the business while increasing security. When one application or process is deemed insecure, it’s our job to create and build a new way of doing that job or function and “sell” it to the business. It’s best to start at the top.
Start at the top. Inform your Board of the risks related to cybersecurity and how to mitigate those risks, and create a road map and business case for security initiatives. Everything starts at the top, and board approval will help drive security initiatives. Boards of Directors are very focused on cybersecurity and compliance and will gladly support initiatives that keep negative publicity away.
Cybersecurity and Compliance
Cybersecurity concerns aren't only technology-related but also bridge the gap with compliance. “Nobody” cares about cybersecurity until a breach has occurred or until examiners and regulators are onsite doing their audit and exam. Compliance and cybersecurity go hand-in-hand, and a strong relationship with compliance helps drive business acceptance of new policies and procedures.
Policies and Procedures
Board-approved policies and procedures that detail the crucial “do’s and don’ts” are the cornerstone of any cybersecurity program. They should be built on industry standards like NIST or ISO 27001, to name two. It’s always helpful to refer to the policy when a questionable request comes into IT. Policies can be used as a “bully pulpit”.
Formal employee training goes a long way towards helping staff understand the risks. Training helps explain the “why’s” to employees who aren't tech-savvy or just don’t understand why we can’t do things the old way. Our employees are our greatest strength and maybe our greatest weakness. When an employee does something wrong, it’s not due to malicious intent but due to not knowing. Having employees sign the new policies allows those policies to be enforced.
Gradual implementation of new policies will allow employees to ease into a new way of doing things. Culture change is a gradual process that improves over time.
To conclude, the goal of cybersecurity isn't to change the way the business functions but to make things more secure. Company resources belong to the company and are tools for the business to function. As technology leaders, we need to get buy-in from our Board of Directors and make a culture change that's security-centric. If a process or tool is eliminated as being insecure, a more secure method must replace it. At the end of the day, cybersecurity isn't just an IT concern, it’s an “everyone” concern, and we all need to work together to embrace security.