Statistics indicate that a cyber attack can be a business-ending event, in the same way that a flood or a fire started by a cigarette tossed into a trash can can destroy a building. Building codes were created to protect people and businesses from catastrophic events such as fires and floods. Now, financial losses from cyber attacks are as big a threat as these legacy ones.
Business leaders need to take steps to lessen the risk of being victims of cybercrime and to prepare our organizations to recover from attacks when they do happen.
It is not necessarily difficult to protect your organization from cybercrime, but it is admittedly a new cost of doing business that we are not used to. It is similar to the increases in construction costs over time caused by building codes put in place to reduce the risk of fire. And like a fire that threatens neighbors in the same and nearby structures, a cyber attack can affect multiple parties, both inside the organization and among our cyber neighbors.
Cybersecurity has multiple stakeholders
Those cyber neighbors are strongly hinting that we should take the threat of cybercrime more seriously, given broad evidence that we are not paying appropriate attention to it. Whatever our internal drivers, there are external forces pressuring us to care about cybersecurity.
- Customers may choose to go elsewhere if we cannot demonstrate basic cybersecurity hygiene.
- Government agencies may fine us or disqualify our firm from contract work.
- Insurance providers are pushing back by refusing to insure us, or by demanding inflated premiums and attaching conditions to insurability.
We may not be overly concerned about our cybersecurity risk, but increasingly, the market is. This is all evidence that, like other business risks, cybersecurity needs to be addressed in the C-suite.
Why cybersecurity belongs in the C-Suite
Charles Weaver, CEO of MSPAlliance, recently said that “Cyber attacks are certainly of concern for IT departments within organizations, but they also have real world consequences for the business and ‘C-Suite’ too. While IT may be charged with protecting the organization from a cyber attack, it is the C-suite that must set the tone for the entire company. The executive team must equip the company with the proper tools to defend against cyber attacks (including people, technologies, and process), as well as create rules for what happens in the event of a successful attack.
“Such post-attack rules might include incident response plans, public notifications, disaster recovery and business continuity planning, as well as documenting important policies such as whether the organization will pay ransom to get data back or prevent it from being leaked to the public. All of these are critical organizational decisions which can only be made at the executive level.”
True protection begins with treating cybersecurity as a necessary component of your overall risk management process. It requires commitment from business leadership to address it, to make plans and policies around it, and to talk to your workforce about cybersecurity being everybody’s business.
And while there are multiple cookbooks for security best practices, we encourage you to find an expert resource to ensure that your organization’s security needs are understood top-to-bottom and that your security program is meeting those business needs.
Editor’s note: Sara Christie is a Security Customer Relationship Manager with Mainstream Technologies. The opinions expressed are those of the author.