As the rate of cybersecurity breaches continues to increase, especially against mid-market organizations, companies are beginning to recognize that an important part of mitigating the risk of breaches is continued user education. Unfortunately, internal stakeholders (and even some vendors) believe that the solution to bridging the cybersecurity knowledge gap starts and ends with quarterly or (gulp) annual emails/newsletters that attempt to educate their employees on safe online conduct. Such exercises are largely ineffective because leaders do not understand the root cause of their users’ poor understanding: the lack of prioritization of cybersecurity at the board level and in the c-suite.
For far too many years, the widening knowledge gap has been used as an excuse (by the c-suite and IT professionals alike) for lackluster cybersecurity practices. The gap continues to grow with the increasing complexity of cybersecurity threats and solutions. Leaders preferred that people stick to their “day job” and master their own domains. In the rare instances that any form of cybersecurity and best-practices education was given, it was typically superficial, acute, sporadic, and random. It was (and remains) often ignored at the senior levels. However, with more than 50% of SMBs expected to experience a cyber attack in 2019, AND negligent employees being the #1 root cause behind data breaches across North America according to the latest Ponemon report, the mere existence of a cybersecurity knowledge gap is no longer an acceptable excuse for organizations that experience a data security breach.
For years, we at ActZero have been preaching to organizations that they ought to protect themselves despite their users’ ignorance. An entire sub-industry, MDR (managed detection and response), evolved to provide highly advanced threat detection and prevention to SMB organizations that lack the resources afforded to large enterprises.
However, security controls and services are worthless without the executive sponsorship of senior business leaders, who must recognize that cybersecurity is a cultural problem and not just a product or service. No business leader is going to deny that cybersecurity is important to their company’s brand (especially after a breach), yet few know how to even begin addressing it. The reason used to be ignorance of the problem; now it is largely mis-education (or the lack of any education) about the risks to their organizations. And yet, for customers, board members, and partners (not to mention auditors), this excuse simply doesn’t hold! They don’t care what leadership knows about cybersecurity; they just want it dealt with. So, here are places to begin:
- Start in the Boardroom
Recognize that a department and even an organization is a reflection of its leader. Employees easily recognize what’s important to their bosses and what they value. By educating senior leaders about the importance of a risk-based approach to business, the tone is set at the top and trickles down. It also removes the technological considerations from solving the problem, which is the biggest part of the knowledge gap. Even a basic understanding will help your leaders to prioritize the initiatives you need to secure your business.
- Nominate a “CISO”
At least in function, if not in title: a leader who is responsible for knowing the risks you’re facing, where the gaps are, and how you have progressed (and are progressing) on your roadmap. When I say risks, I don’t mean specific threats. Confusing the two is exactly the kind of misperception of the knowledge gap that has left security off your priority list. Your management team does not need to know about Ryuk or WannaCry or the difference between rogue antispyware and adware. But they should understand which consequences your business could be facing, such as risks to your operations, exposed client data, or stolen intellectual property.
- Protect Your People from Themselves
The reason that I’m advocating this in addition to the standard (and sometimes ineffective) user training is that inevitably something will still get through. Even with the best, most frequent training, delivered to the best, most engaged and aware audience… there can always be an “even better” spoofed phishing email that fools enough of your team (it only takes one) to cause a problem!
Adopting a service like MDR provides an SMB with an experienced team that is regularly hunting for threats on the network and constantly testing the network for its cybersecurity effectiveness. That team detects when an employee is compromised and responds. This is a much more powerful approach than enlisting the services of a managed service provider, who will simply screen for alerts and shift the burden of security investigation back to you. The better MDR services minimize or even eliminate false positives and provide an immediate and measurable improvement to an organization’s security posture.
At the risk of beating a dead horse, the knowledge gap at the senior level is no excuse not to prioritize cybersecurity. By starting at the top with a risk-based approach, getting a liaison to describe your progress, and allowing the effects to trickle down culturally, your organization is way better off. And if we set aside that it’s not an excuse, and acknowledge the cybersecurity knowledge gap one last time, doesn’t that just reaffirm that you should outsource to an MDR provider who can solve this problem for you?