When it comes to cybersecurity (cyber security) initiatives, the message needs to come straight from the leadership within any organization. This becomes difficult when each leader within an organization has their own priorities; however, for the sake of the organization and its clients, they must form a unified front that stages cybersecurity as the top priority .
Cybersecurity should be a significant concern for every Chief Financial Officer (CFO) and Chief Marketing Officer (CMO). For CFOs, cybercrime prevention aims to reduce potential costs that result from cyber attacks. For CMOs, the blows that cyber attacks deal with an organization’s reputation and brand image can ultimately destroy a company.
According to Cisco’s 2018 Security Capabilities Benchmark Study, “more than half (53%) of all attacks resulted in financial damages of more than $500,000” relating to lost customers, opportunities, revenue, and out-of-pocket costs, among others, with some costs extending beyond $5 million.
The number of cybersecurity threats increases every year and attacks are growing across all industries. There were 53,000 incidents and 2,216 confirmed data breaches that occurred in 2017, according to the Verizon Business 2018 Data Breach Investigations Report. Considering that 1,579 of the breaches that were reported to the Identity Theft Resource Center (ITRC) in 2017 resulted in nearly 180,000,000 exposed records, it shows just how much data and personal information is at stake.
While no business can prevent 100% of attacks, there are things that can be done to help improve cybersecurity protection.
Build and Nurture a “Cyber-Aware Culture”
The first step toward improving the cyber protection efforts of your organization is to create a culture that emphasizes the importance of cybersecurity. This means creating a culture that focuses on cybercrime prevention by approaching IT security from an organizational level.
This entails getting buy-in from the rest of the organization’s leadership and promoting it to the rest of the employees. It also leads to the creation and adoption of new policies and procedures that support your cyber protection initiatives.
Implement Plans & Policies to Protect Your Organization
To help support a cyber-aware culture, your organization needs to develop and implement some policies and plans to enforce protection initiatives and aid during recovery from a cyber attack. Some of these policies include:
- Acceptable Use Policy (AUP). This policy provides clear guidelines and rules for how data is handled, transmitted, and stored.
- Business Continuity (BC) Plan. This plan addresses regulation and compliance considerations and creates a strategy and processes for how to get an organization up and running again after disaster strikes.
- Computer Use Policy (CUP). This policy addresses actions and activities that are appropriate for use with a corporate device, as well as the types of content that can be accessed. This document also can contain other related policies, such as a mobile device (BYOD) policy.
- Disaster Recovery (DR) Plan. This plan, which goes hand-in-hand with data backup, is what will help to get your business up and running at 100% in the event that it takes a hit from a cyber attack. It also helps to minimize downtime. A data backup and disaster recovery (BDR) solution is an integral part of an effective BC plan.
- Email Policy. This kind of policy details guidelines for what is considered acceptable or unacceptable in terms of the use of an organization’s email system, as well as any repercussions for non-compliance. The goal is to help minimize email-related security threats and incidents.
- Network Use Policy (NUP). This type of policy places limitations on how much access employees have to the network and provides guidelines about what they can or cannot access from a workstation.
- Password Policy. You’ve likely picked up on the pattern of how self-explanatory many of these policies and plans are based on their names. A password policy aims to ensure that the integrity and security of an organization’s data and other resources remain protected. It outlines a set of rules pertaining to password security standards, such as the range of characters or types that can be included in a password, as well as how often it should be changed or updated.
- Policy of Least Privilege (POLP). This policy, essentially, offers only the minimum amount of rights necessary for users to access data and other resources. The goal is to minimize the risk of potential misuse while also ensuring that employees have adequate privileges and access that they need to complete their tasks.
Require Cybersecurity Awareness Training for EVERYONE
No matter whether it is the CEO or an intern, everyone from the top down should receive cybersecurity awareness training. Simply put, this training is one of the most effective means of reducing costs that can result from the mishandling of sensitive information and misuse of your network and computer resources.
Training can be conducted through a number of means and certain approaches are more effective than others:
- The Do-Nothing Approach. This is when an organization conducts no security awareness training, relying on automated systems to protect against phishing and malware.
- The Breakroom Approach. Employees are gathered during lunches or meetings and are told what to look out for in emails, while surfing the internet, etc.
- The One-Time Video Approach. Employees are shown a brief video that explains how to keep the organization safe and secure.
- The Phishing Test Approach. Without notification to specific employees, they are sent simulated phishing attacks. IT evaluates whether they fell prey to the attack; if so, those employees receive remedial training.
- The Human Firewall Approach. This is my preferred approach. It involves everyone in the organization being tested via simulated phishing attacks. The percentage of employees who are susceptible is determined, and then everyone is trained on major attack vectors. These simulated attacks are then sent to all employees on a regular basis and the resulting information is used to tweak protection cyber efforts and training.
Considering how little the average user seems to know about cybersecurity threats and best practices, cyber awareness training is an integral step toward creating the best protection for your organization.
To determine how your organization's security precautions stack up, please download our free Cyber Security Report Card.
What are your thoughts? What are some other ways that CFOs and CMOs can help to improve an organization’s quality of cyber protection? As always, please feel free to share your thoughts and experiences in the comments section below or send me an email if you'd like to chat about this or any other cyber-related issue more in-depth.