
Who should take responsibility for your cybersecurity strategy?

The COVID-19 pandemic significantly accelerated the shift to a more permanent working-from-home culture, which in turn has catalysed the growth of ‘BYOD’ (Bring Your Own Device) policies. It is now thought that around 70% of organisations allow their employees to use personal devices for work. However, this creates an opportunity for potentially unsecured personal devices to access critical company data, making it a much more difficult task for IT teams to patch vulnerabilities and detect threats. This less secure environment, alongside the inevitable apathy of employees who have worked from home every day for the past 12 months, has resulted in 84% of IT professionals seeing a rise in cyber-threats.

So, whose responsibility is it to regain control of a business’ cybersecurity strategy? Is it the employee, who has effectively become their own compliance officer now that they work remotely? Or the IT team, which must find new solutions to protect internal networks from the vulnerabilities of employee smart devices? In fact, it is both, but ownership also belongs to C-suite leaders and business directors, who must lead by example and encourage training and investment to ensure a security-first mindset is prioritised across the organisation.

The individual employee

Now that many employees are siloed, and remote working is set to stay, each individual member of an organisation must take responsibility for the threat they pose to its cybersecurity posture. Vulnerabilities caused by human error can be among the biggest threats to a business. These include susceptibility to a phishing attack, accidentally clicking a malicious link, or simply ignorance of the procedures that should follow being targeted, for example reporting the attempt to management. According to recent research, over half of UK organisations expect their remote workers to play a significant part in possible security breaches, with apathy a major problem and remote teams often lacking interest in their role within a company’s security strategy.

However, studies also show that the individual threat can be a deliberate internal attack rather than just passive ignorance. 26% of Deloitte survey respondents stated that, due to the uncertainty of the current business and financial environment, they would be tempted to save valuable company data to use as leverage if ‘the worst comes to the worst’ and they were to lose their job. Therefore, whether through malicious actions or complacent and uneducated reactions, it is clear that threats are far from solely external. It is essential for individuals to become cognisant of the vulnerabilities they are responsible for, and of their significant role in bolstering, or weakening, a defence strategy.

The C-suite

While cybersecurity should be proactive, better security processes are often implemented only after an organisation has suffered the detrimental results of leaving its vulnerabilities exposed. According to a recent IBM report, organisations spend an average of £2.9 million to recover from a security incident. Yet, for a boardroom that has not yet dealt with this loss first-hand, deciding whether to invest in protecting against potential threats, when that budget could instead be spent on driving sales and business growth, can be difficult.

However, it is now a case of when, rather than if, a cyberattack occurs, and it is more important than ever that the C-suite embraces a security-first mindset. A ‘top-down’ approach is essential; business leaders should be driving cybersecurity decisions from the top, allowing them to filter down into each and every department. Without the CEO and CFO taking the lead and highlighting the importance of secure processes, employee apathy towards cybersecurity will only continue. Also, with more financial decision-makers part of the security strategy from the very start, it will be far easier for training opportunities and educational resources to be made readily available. One in five home workers in the UK has still received no cybersecurity training, yet this investment into better education is integral to protecting a company from attacks and it will only be made possible if signed off from the top.

The IT professionals

The ‘top-down’ approach is also important for IT teams working closely with their C-suite leaders. Despite often communicating in very different ways, IT experts and business directors are working towards the same common goal: the optimisation of business processes. While IT teams pursue this by installing protective tools and technologies, business directors typically focus on the finances. The top-down approach allows a more collaborative working environment for these two parties interested in the same end result. It is the IT team’s responsibility to communicate across the organisation and make sure that both the C-suite and the individual employee understand the technicalities of staying secure. By ensuring that every member of an organisation is kept up to date with the latest threats and informed of best practices for staying protected, IT teams ultimately make their own roles far easier.

If an organisation does not have an expert team – either internal or external – driving its cyber-strategy with protective tools, it is likely to fall vulnerable to an attack. However, if this same organisation does not have support from the boardroom, and business directors are not prepared to invest in technology and training, the IT team will be fighting a losing battle. Similarly, if each remote worker refuses to accept their part in protecting the organisation, a cybersecurity strategy will inevitably fail. The responsibility is now on everyone to protect and secure a company’s network and its reputation. If there is one weak link within this chain, a business becomes highly vulnerable to the ever-evolving threat of cybercrime.

Get in touch now to learn how DigitalXRAID can help protect your business.
