It’s a common misconception across business and industry that cybersecurity is a function performed exclusively by security or IT people. In actuality, virtually all members of staff, including non-technical staff, form part of your cybersecurity protective barrier.
Cybersecurity happens when department heads remind their staff to use strong passwords, to use multi-factor authentication, when team members download the latest security update now instead of waiting, or when staff participate in safety awareness training. All of these are good cybersecurity practices and they are all important.
So why don’t these cybersecurity actions get the same recognition as other safety measures we take in the workplace? We all see the ‘Safety First!’ poster in the lunchroom. We have to read and sign the employee handbook. We do fire safety training and participate in fire drills.
In fact, we generally will designate an office fire ‘marshal’--ready to jump into action if someone smells smoke. They will remind people not to panic during a fire alarm, and remind them to take the stairs and not the elevator. You don't need a separate budget for this—it's just part of best practices to keep people safe.
We probably don’t think twice about the logic and importance of following these organizational directives, yet for some reason, the all-staff responsibility for cybersecurity doesn’t have the same level of acceptance.
But the diligence you need to respond to a fire is the same diligence you need during incident response, and it is similarly an all-hands-on-deck effort to keep your systems, your business and your employees, safe.
Because you need help during incident response to raise the alarm, coordinate a call tree to get the right people in the room, to order pizza when response (or, hopefully, remediation) extends beyond working hours, and to document what happened. Security can be collaborative and everyone has an obligation (and, most often, the ability) to participate at some level.
While there may never be enough budget until after a problem happens, at a minimum, with increased participation, you can help harden your systems and better respond to incidents without any additional investment, by cultivating a collaborative approach to cybersecurity.
Here are several key functions that you can access, as somebody in security, IT, or leadership function to expand your cybersecurity posture through people and participation.
Demand participation from people in your organization who are responsible for sensitive data.
HR has access to personnel and salary info, SSNs, and SINs that need to be protected. Sales deals with credit card numbers and payment info. Finance will hold sensitive information like payroll and banking information. Development teams, your builders and makers, will have detailed information about the internal workings of your systems.
Your legal department can help you determine which data is deemed sensitive and how and when you’re obligated to disclose a breach that compromised such data. Knowing whether you're in violation of compliance regulations can help avoid fines and penalties you might incur if you don't handle things a certain way.
Everyone in your organization needs to mitigate and remediate, but those who are closer to specific data have a greater opportunity to protect and secure it.
Enforcers and System Owners
Recruit people who drive compliance in a department, area, or organization.
Sometimes that person will be an IT leader or on a help desk. They might be the person who reminds everyone “Time to change your password!” Other times, they will be ‘system owners,’ like the folks in Marketing who own the CRM and are in charge of looking after software updates and password changes for that system (yes - shadow IT is still a thing at some organizations…).
Depending on the size of your organization, this leadership might come from a centralized authority, like Compliance or Operations. Ops folks are good at coordinating groups of people and dividing responsibilities, holding people accountable, making them aware of dependencies, and ensuring the flow of information.
Get people on board to build awareness, ideally before but even during incident response.
These teachers are people with high-level communications and training skillsets who have access to specialized information. They could be drawn from the ranks of HR, organizational development (OD), or Sales Operations.
HR teams are especially sensitive to personal and confidential data about your employees. They can help your staff navigate stress that could stem from an incident, and help identify those who are working or available at given off-hours.
You need people to test your systems to ensure they are secure.
There’s the so-called ‘chaos monkey’ strategy used by companies like Netflix and Google (we speak about cybersecurity applications of it here). In this scenario, whole data centers are simply turned off to ensure redundancies and resiliencies play out as expected - or, see what happens if they don’t. This kind of drastic test will let you see where things fall down and gauge just how disaster-resistant your backups truly are.
A less intensive test is to recruit the help of your Marketing team and use their marketing automation tools to help you send test phishing emails to internal staff. You’ll want to know how many people report suspicious emails versus who just deletes them and who actually clicks the link. This will help you plan accordingly for staff training on how to spot a suspicious email and what to do about it.
If you’re the lone security person on staff and you’re trying to work with IT to harden things on your own, you need help. Same thing for an IT lead who has been “tasked with” security functions. Fundamentally, you need others who are as invested in hardened systems as you are.
Getting other functional areas to articulate their security requirements and the negative consequences for them if there’s an incident can help unlock the budget you need and gain support throughout the organization.
Remember that you have some naturally-aligned functions within your organization. Finance people, for instance, are risk-sensitive, familiar with confidential information like financial data, understand fraud methods (Finance is often a fraud target, after all) and are familiar with validation tactics before providing access to sensitive information. This department can easily explain the negative consequences if servers housing their ADP information fall victim to ransomware.
Likewise, HR can help you explain what happens if personally identifiable, or otherwise sensitive, information (PII) of company employees is compromised. Such a breach has consequences not just for HR functions, but for the company as a whole. There are million-dollar fines, for example, under the terms of the CCPA for losing private data in California.
Emergency Team & Emergency Responders: Who are you gonna call?
Make sure you have someone to contact in emergencies. Who that depends on your organization and its size. You may be the only person on staff who can respond, or you might be at a company that outsources.
Seeking outside help is likely the best solution if the budget allows, like those other functions we talked about above likely won’t be available to help on a weekend, a holiday, or at 2 a.m.--which is when many security incidents happen. We have an evaluation package to help you decide who, with criteria to evaluate cybersecurity vendors.
Doing Everything with Nothing
Having no cybersecurity budget is tough, especially if you’re someone with no staff who is tasked with working magic with no tools.
IT would obviously own some of the functions you’ll rely on, such as configuring devices for security, identifying and remediating vulnerabilities, and quarantining infected systems. But taking the additional collaborative steps outlined above will help you harden your systems even without tons of resources or technical knowledge.
Remember: you don’t need to be a security expert to get useful participation from your colleagues that improves your overall cybersecurity.
The collaborative approach we’ve discussed here is useful even if you do have a developed and budgeted security function. To learn more, see our white paper, The Collaborative Approach to Cyber Security.