Why cybersecurity awareness at work is everyone’s business

Oct. 12, 2020

This paid piece is sponsored by Eide Bailly LLP.

Cybersecurity is technical by nature, so many companies leave it to their IT departments. Your IT staff plays a vital role in making sure the company follows cybersecurity best practices, but that doesn't mean they should shoulder it alone. In fact, they can't, because many attacks succeed by targeting people rather than systems. Awareness of and participation in cybersecurity best practices needs to go beyond IT and become part of your company's culture. Only then will you be prepared for cyberattacks and able to limit the damage when an incident does occur.

Why cybersecurity awareness is important

Cybersecurity at your organization is everyone’s business, from staff to board members. Cybersecurity risks come from every direction and into every entry point, seeking even the smallest opportunities to breach your systems. And one single cybersecurity breach can affect the entire organization. If you identify the many ways a breach could occur and how it would impact your business, it will be clear that raising cybersecurity awareness is fundamental to the success of your organization.

Key concerns about cybersecurity include:

  • Unplanned downtime

When a cyberattack occurs, it can bring your operations to a halt. Outages like these commonly involve older technology that no longer receives security updates from its vendor. Such systems are easy targets, because their vulnerabilities are publicly known and will never be fixed. Keeping them running also forces IT staff to isolate them and build workarounds and compensating controls, and even those changes can have unintended side effects.

However, the risk is not limited to old technology. You could see equally serious impacts from an attack through a successful — and simple — phishing scam. Such unplanned downtime affects the entire company, and it costs you time and money.

  • Loss of personal data and intellectual property

A primary reason organizations use cybersecurity measures is to protect sensitive information. This includes everything from credit card numbers to Social Security numbers, but it also includes any intellectual property your company possesses. Manufacturers, for instance, hold trade secrets that are central to their brand and offerings.

A 2020 IBM report found that it took an average of 280 days to identify and contain a data breach. This gives attackers an uncomfortable amount of time to collect sensitive information that is vital to your organization's operations and success.

  • Damaged reputation and trust

Here’s another reason cybersecurity threats need to be on every employee and board member’s radar: Your company image is on the line. Cybersecurity awareness can help prevent attacks that would otherwise damage your reputation and make your customers question their trust in you.

However, when it comes to this particular risk, awareness goes beyond prevention. You also must have a plan for dealing with disaster recovery, business continuity and reputation management if and when a breach does occur. How you handle it will mean the difference between losing your customers’ trust and keeping it. Play out how your customers will react to the news, how you will keep your company from stalling and what measures you’ll take to maintain a good reputation.

From these examples, it’s clear that cybersecurity risk is a business risk. And cybersecurity needs to be an organizationwide initiative with buy-in from all levels. Developing a risk-based approach and identifying the areas of most concern for your business will help your team understand that cybersecurity awareness isn’t just an IT problem — it’s everyone’s concern. It’s a shared responsibility, across all people, processes and technology controls, and everyone has a critical role to play, from the breakroom to the boardroom.

Creating a culture of cybersecurity at work: individual roles

Once you’ve started creating a culture of cybersecurity awareness at work, the next step is understanding the specific roles each individual must play and how you can equip them for success.

Boardroom roles

According to a report from Tanium and Nasdaq, only 10 percent of board members surveyed felt that they were regularly updated on cybersecurity risks for their business. The list of risks a board must weigh seems endless, but its role in managing cybersecurity risk comes down to three things:

  • Prioritize: Direct management to give cybersecurity the appropriate attention, setting the tone for the entire organization.
  • Assess: Expect the organization to complete a formal assessment of cybersecurity risks, following a recognized risk-assessment framework and using outside experts where needed.
  • Monitor: Establish expectations that the board will be updated on cybersecurity risk management on a regular basis.

Executive roles

Executive management plays a critical role in setting day-to-day priorities for an organization’s cybersecurity efforts. Their initial objectives should be to establish cybersecurity as an essential function, develop a cybersecurity playbook and assign appropriate resources, both people and budget. From there, they should continue to monitor, train and adjust their efforts to maintain best practices. They should take responsibility for the following:

  • Organize: Assign responsibility for coordinating cybersecurity efforts and build security into day-to-day processes.
  • Communicate: Act as a champion for the organization’s cybersecurity efforts. When staff see that executive management has made cybersecurity a priority, it naturally will become a priority for everyone.
  • Prepare: A cybersecurity risk management program is not complete without a plan for responding to an incident or breach in your environment. Build an incident response team, test the plan before you need it, and identify outside help in advance, which may include a third-party forensic accountant.

Staff roles

The list of cybersecurity threats targeting vulnerabilities in people, as opposed to technology, is growing. Everyone in an organization needs to do his or her part to reduce the risk from phishing emails, spyware, ransomware and other threats to an organization's critical information assets. Key strategies for reducing social engineering and staff-related risks across your organization include:

  • Training: Attend all available staff training on acceptable use of company computers and resources.
  • Awareness: Pay attention to news stories about cybercrime. Often, simply knowing about the latest attack methods is enough to change an individual's behavior and reduce risk.
  • Verify: Think before opening attachments or clicking on links in emails, especially from unsolicited or unfamiliar senders, and confirm unexpected requests with the sender through a channel you already trust.

As you can see, everyone in an organization plays a critical role in the cybersecurity risk management strategy. The best risk management programs take into account the right roles and responsibilities for everyone in your organization.

Cybersecurity awareness as intention — not suggestion

As you implement these responsibilities, you may find it difficult to get past the complacency barrier. If this isn’t part of your team’s daily routine, it will take effort to make it stick. Even in organizations where cybersecurity awareness is frequently mentioned, it can be vague and easy to dismiss.

Being aware means being present and paying attention to what is going on around you. This sounds simple enough, but consider many individuals’ lack of physical awareness because of their use of cellphones or headphones. Awareness is a conscious effort. Encouraging individuals to be more aware at all levels is key and helps improve cybersecurity awareness. The goal isn’t to convince people to be negative or pessimistic, just slightly less trusting.

For example, if you received an email that appeared to come from a trusted executive asking you to process a transaction, would you automatically do it? Would you hesitate if it was out of the ordinary, included misspellings or involved an account you didn't recognize? Though it could be a valid request, it's also a technique attackers use to get recipients to transfer funds quickly without questioning the request. Later, it's discovered that the email didn't originate from within the organization, and the money is gone.

A scenario like this, known as business email compromise (BEC), doesn't involve IT systems at all and is not overly complicated. And yet, according to recent estimates, $2.3 billion has been lost over the past three years to this technique. A simple solution is a two-step approval process for payments, with confirmation from the actual executive over a separate channel you already trust, such as a phone call to a known number, never a reply to the email itself. It may seem like common sense, but it does require every individual to be aware. If it weren't effective, the "bad guys" wouldn't keep using the technique.

Thus, to truly implement a culture of cybersecurity awareness, you must make it a daily intention rather than a hopeful suggestion. It begins with education: sharing examples, educating employees, building awareness and making the topic engaging and prominent.

How the unknown savings of cybersecurity awareness add up

It’s difficult to calculate the savings that result from cybersecurity awareness. If you have this companywide awareness, you may never know how many attacks you’ve avoided, what types they would have been and how much damage they would have done. The best way to measure how cybersecurity awareness could save your business is by looking at the statistics.

According to IBM:

  • The average cost of a single data breach was $3.86 million in 2020.
  • Each record lost cost an average of $150.
  • The cost of lost business after a data breach averaged $1.52 million.
  • Having a cybersecurity incident response team and a tested incident response plan can reduce the average total cost of a data breach by $2 million.

As you can see, though it’s difficult to quantify how much you’ve saved through your cybersecurity measures, the actual costs of successful cyberattacks and data breaches offer insightful clues into the losses you’ve likely avoided.

Cybersecurity best practices: next steps

If you make cybersecurity in the workplace everyone's business, develop preventive protocols and an incident response plan, provide training and education on the topic and remain vigilant, you can spare your business the cybersecurity incidents that would otherwise cost your organization time, money and possibly your reputation.

On average, organizations lost $1.52 million in lost business because of a data breach. The truth is not many organizations could survive that.

Make sure you’re protected. Schedule a consultation today.
