Not long ago, I stumbled upon an article in the Harvard Business Review written by Alex Blau. In it, he suggested that the leaders of organizations need to change their perspective on cybersecurity and focus more on risk management. I couldn’t agree more. Whether you lead an IT department or you lead an organization that has one, we all need to get on the same page regarding cybersecurity initiatives. Too often, the IT department and the leadership team are at odds over funding, effectiveness, resources, and policies. That is not only counterproductive; it can be dangerous for your organization, your people and your customers.
Change Your Cybersecurity Viewpoint
There is no such thing as total protection! We must stop looking at cybersecurity as something that we can fully control. You cannot! You cannot control when, or whether, someone else decides to attack your systems; you can only control how exposed you are and how quickly you detect and recover. Your IT department should not be judged as though it could prevent every attempt. Cyberattacks are going to happen and some will be successful, so I would also challenge you not to see every breach as a “failure“.
It’s a drastic change in mindset for some, but it’s a necessary one. Understand that the only time you really fail at cybersecurity is when you stop proactively and aggressively trying to stay one step ahead. And if we are going to change the way we view cybersecurity, we must also change the way we look at our leadership roles and the way we approach the topic as an organization. Threats are constantly evolving, and our thinking and our efforts must evolve with them.
Think of your cybersecurity team as your organization’s personal army. Your army is faced with protecting your organization and customers against attacks from other armies around the globe. Those other armies are constantly upgrading their arsenals and training to conquer yours. If you allow your army to get stuck with outdated weapons and training, a defeat can and likely will occur. If you don’t want that, you need to empower your “generals” to acquire the tools and skills needed to keep your organization ready. You also need to understand that even if your generals are fully equipped, the other side is continually looking for ways to win and may be resourced in ways that your generals are not. It’s a never-ending struggle, and this is why we must change the way we view cybersecurity if we want to improve our odds.
The irony is that most organizations have already adopted the appropriate mindset in other areas of their business. Shrink happens, but it is managed through loss prevention and asset protection. Accidents are inevitable, but they are managed through education and training. Environmental risks are always present, but they are managed by controlling harmful substances. Waste happens, but it is managed by tracking what is produced and adopting practices that reduce it. Cybersecurity can be treated the same way if we simply accept that it is a threat requiring risk management, not an internal expense to be skimped on.
Risk has a couple of definitions. Essentially, it is the exposure of something valuable to danger, harm, or loss. I always encourage organizations to first work out which assets are valuable. That can be a complicated task, but once you appreciate the vast amount of information that is reachable through a computer, you can begin to manage the risk of exposure by weighing options, priorities, threats, and vulnerabilities.
Technology has vulnerabilities, and the devices carrying those vulnerabilities are probably connected to your network, where they pose real risk. That risk grows with each device you connect. According to Cisco, 500 billion devices are expected to be connected by 2030, and some of those devices already have numerous identified security vulnerabilities. Do the math! Of course, the part that scares me isn’t the vulnerabilities we have identified. The part that scares me is the ones we haven’t.
What thoughts run through your head about an organization that has recently been hacked? Are you confident that your information is secure? Do you still trust that organization? Do you feel as though their reputation has been tarnished? What will happen to your organization if a breach occurs?
Now imagine the chaos of damage control after a breach: public relations, the stock price, marketing campaigns to reassure the public that things are better now, and so on. It can be very costly. In many cases, an organization could have saved money, time and effort by putting some of that damage-control budget into its cybersecurity initiatives in the first place.
Again, it’s a change in mindset, but it’s a necessary change, because the vast majority of organizations are simply not prepared for the problems that come with an under-equipped cybersecurity team. To give you an example, in Look Who’s Watching: Surveillance, Treachery and Trust Online by Fen Osler Hampson and Eric Jardine, I saw a statistic stating that the vast majority of organizations attacked in 2014 learned about the attack from someone outside the organization. They didn’t even know! Making it worse, it often took months to find out. That’s scary. We need to lead the way. We need to change the way we approach the problem and stop expecting attackers to conform to what we think a threat should be.
So What Can Leaders Do to Help?
No doubt the topic of cybersecurity is a tough one. It’s also a costly one. But it can be managed, and managed successfully, if you take a few steps in the right direction. Here are some suggestions to help leaders navigate the issue.
- To begin with, leaders need to accept that their IT teams probably know more about the problem than they do, and be willing to listen to them, even when they don’t like what is being said.
- Leaders must accept that cybersecurity is not a department to ignore or under-fund simply because its ROI is difficult to measure.
- Leaders must be ready for the attack and anticipate new security threats. Leaders must work with their IT and cybersecurity teams to build robust cyber incident response plans, and rehearse them, taking a proactive approach to preparing for the INEVITABLE attack.
- Leaders need to appreciate the sophistication of the opposition. These attacks are not coming from some kid in his mother’s basement. In recent years, we have seen attacks from national governments (Russia, China and North Korea, among others), terrorist groups, industrial spies, organized crime, hackers, business competitors and so on. Belittling what IT really does only undermines what it should or could do.
- Leaders need to understand that cyber-threats are not just spyware, malware, Trojans and phishing anymore. Your teams are now faced with protecting your organization against botnets, ransomware, wiper attacks, distributed denial of service attacks, various types of theft, data manipulation, rogue software and more.
- Leaders must ensure that their IT teams have a robust knowledge of network security methodologies, risk management processes, infrastructure and application vulnerabilities, and can recognize an attack when they see one.
- Leaders must communicate with their IT teams. Keep an open dialog and be prepared to hear “we need more”. Of course they do! Understand that what you currently have will never be enough, because the threats keep evolving. This expense doesn’t go away.
- Leaders need to empower their cybersecurity teams and allow them to be a bigger part of the organization. Cybersecurity is not just an IT problem; it’s an organizational initiative and your teams need to be armed accordingly.
- Business leadership and technology leaders must work together. It will take both to identify potential risks, formulate protection plans and decide what will be done during and after an attack.
- Leaders need to support their IT and cybersecurity teams in acquiring better network security measures and help them implement solid policies and procedures in support of that mission. This includes the devices and software needed to minimize threats to the network. They should also work together to set clear rules for employees regarding passwords, email and website usage.
- Leaders need to keep their cybersecurity teams trained. New techniques, equipment and software are being developed all the time. Leaders must ensure that their teams stay current and that organizational policies reflect the newer tools and tactics being adopted.
- Leaders should be aware of cyber competitions, such as capture-the-flag (CTF) events, and perhaps even encourage their teams to participate. They are a great way to gain practice and practical knowledge. They are becoming more popular every year, and chances are good that there are already some in your region.
- Leaders must help develop and maintain an organizational culture of security and education. Security awareness alone is not enough. A Keeper Security analysis of 10 million passwords exposed by data breaches in 2016 found that nearly 17 percent of accounts were protected by the password “123456”. That’s just silly. Now factor in tactics like social engineering, which manipulate individuals into willingly divulging confidential information.
It’s a lot, I know. I’m sure some of this seems overwhelming. The sad part is that there is even more to it, but I have chosen not to get into it in this article. If all of this seems like too much for your organization to handle, I would suggest that you outsource your efforts to an organization that can handle it for you. Doing so can be a cost-effective way to secure your organization without continually chasing technology and training yourself. There are several organizations dedicated to this mission, and their pricing models are quite affordable. Organizations like Ember Technologies LLC come to mind.
Of course, for some organizations and leaders, neither having an IT department nor outsourcing their cybersecurity efforts is an option. That’s okay. There are still steps you can take to protect yourself and your organization. While definitely not robust or comprehensive, the following basic suggestions go a long way towards stepping up security.
- Educate employees (again and again) about security protocols and what counts as risky behavior.
- Use proper passwords. Passwords that are at least 15 characters long, consisting of meaningless words, numbers, and random symbols are best, and each account should have its own; a password manager makes that practical.
- Don’t click on unfamiliar links. This is security 101. If you don’t recognize the sender, if you recognize the sender but it’s not something they would normally send, or if anything feels even remotely “off”, DON’T CLICK THE LINK!
- Install antivirus software and firewalls and keep them, along with your operating systems and applications, up to date. Updates usually ship when new ways of protecting the system, or new holes in it, have been discovered. Apply them and stay current.
- Protect devices with authentication. You wouldn’t give your house key to everyone in your organization, and you shouldn’t be giving out keys to your devices. Make sure the people on your devices are supposed to be there: give everyone his or her own access credentials, and turn on multi-factor authentication wherever it is offered.
- Back up your information, keep the backups off your main network, and periodically test that you can actually restore from them.
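As an added example (not code from the original article), the following Python script turns the password advice above into a check an organization can actually run: a 15-character minimum plus a denylist of common passwords of the kind the Keeper Security analysis found in breach data, with a small audit routine that reports what share of a password set fails and how many accounts share the single most common value. The denylist, the sample password set and the function names (`check_password`, `audit_passwords`) are my own constructions for illustration; a real deployment would load a full breached-password corpus instead of the ten-entry list here.

```python
"""Password-policy check: minimum length plus a common-password denylist.

Added example for this article, not the author's code. The 15-character
minimum follows the article's advice; COMMON_PASSWORDS is a constructed
stand-in for a real breached-password corpus.
"""
import unicodedata
from collections import Counter

MIN_LENGTH = 15          # assumption taken from the article's recommendation
MIN_DISTINCT_CHARS = 4   # assumption: rejects "aaaaaaaaaaaaaaaa"-style padding

# Constructed denylist; load a real breached-password list in production.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "123456789", "12345678", "qwerty",
    "111111", "1234567", "abc123", "password1", "letmein",
})

# Characters commonly tacked onto a weak base word to satisfy complexity rules.
_SUFFIX_CHARS = "0123456789!@#$%^&*."


def normalize(pw: str) -> str:
    """Fold case and strip trailing digits/symbols so that 'Password123!'
    is compared against the denylist as 'password'."""
    folded = unicodedata.normalize("NFKC", pw).casefold()
    return folded.rstrip(_SUFFIX_CHARS)


def check_password(pw: str) -> list[str]:
    """Return the policy violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Check both the case-folded value and the stripped base word.
    if pw.casefold() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        problems.append("appears on the common-password denylist")
    if len(set(pw)) < MIN_DISTINCT_CHARS:
        problems.append(f"fewer than {MIN_DISTINCT_CHARS} distinct characters")
    return problems


def audit_passwords(passwords: list[str]) -> dict:
    """Summarize how many passwords in a set fail the policy and how many
    share the single most common value (the "17 percent use 123456" style
    of finding the article cites)."""
    failing = [p for p in passwords if check_password(p)]
    top, top_n = Counter(passwords).most_common(1)[0]
    return {
        "total": len(passwords),
        "failing": len(failing),
        "failing_pct": round(100 * len(failing) / len(passwords), 1),
        "most_common": top,
        "most_common_pct": round(100 * top_n / len(passwords), 1),
    }


# Constructed sample, as an organization's own credential audit might see it.
SAMPLE_PASSWORDS = [
    "123456", "123456", "Password123!", "qwerty",
    "correct horse battery staple", "Tq7#vLm2$pXr9!wZ",
    "aaaaaaaaaaaaaaaa", "letmein", "summer-wind-copper-41", "123456",
]

if __name__ == "__main__":
    for pw in ("123456", "Password123!", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
    print(audit_passwords(SAMPLE_PASSWORDS))
```

Note that the denylist check runs on the stripped base word as well as the raw value, because “Password123!” satisfies the usual complexity rules while being no better than “password” against a guessing attack; that is why a denylist matters more than symbol requirements.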
Hopefully, these tools and recommendations can help you achieve the security levels your organization and customers deserve. If you have any questions about this, be sure to talk with an IT professional. Threats, attacks, prevention measures, and solutions will differ from organization to organization so you want to ensure that your protocols are right for you.
Did you enjoy this article? You might also like my article “Performing a Risk Analysis.”