Cybersecurity attacks and data breaches can be very costly for organizations, both monetarily and in terms of damaged reputation among consumers. It is important for organizations to realize that cybersecurity is not just an IT issue – it is a crucial business concern.
In 2016, the Enterprise Strategy Group (ESG) and Information Systems Security Association (ISSA) released a two-part research report on the current state of cybersecurity as seen by the professionals in that field. Once the data was compiled, ESG/ISSA drew five major conclusions to guide the decisions and priorities of people working in cybersecurity. Read on to learn what you should do to improve your company’s cybersecurity today.
1. Take Proactive and Reactive Measures
A cybersecurity attack will eventually happen to almost every organization, and may occur repeatedly. Among the respondents to the ESG/ISSA survey, 54% admitted they had experienced an incident within the past year, and another 26% said “maybe,” “not sure,” or declined to answer the question. Clearly, organizations of all sizes need a formal incident response plan that spells out who decides what, who is notified, and in what order systems are contained and restored. The time to make these decisions is before an attack happens, so your organization is not left scrambling in the aftermath; a plan that has never been rehearsed (for example in a tabletop exercise) will show its gaps during a real incident.
Depending on the type of incident, you may need input and involvement from corporate executives, legal counsel, human resources, and public relations. The U.S. Department of Commerce’s National Institute of Standards and Technology publishes the Computer Security Incident Handling Guide (NIST Special Publication 800-61), which lays out a standard incident response life cycle (preparation; detection and analysis; containment, eradication and recovery; post-incident activity) that a company’s plan can be built around.
2. Consider the Skills Shortage
There is an ongoing global shortage of professionals with cybersecurity skills. Data from the Bureau of Labor Statistics suggests that demand for cybersecurity positions will grow 53% between 2016 and 2018. The shortage also strains the workers who are already in place: heavier workloads leave them less time to keep their training current and to implement and maintain security measures properly.
Of the cybersecurity professionals interviewed for the ESG/ISSA report, 29% said the skill shortage had a significant impact on their organization. Every organization needs to take this into account when making decisions about investing in new cybersecurity tools, and must evaluate realistically whether their staff can implement and maintain those measures fully. No matter how advanced the tools may be, they are a poor investment if the staff is unable to use them effectively.
Some of this strain may be relieved by choosing security tools that are easy to operate and by automating manual processes wherever possible, so that cybersecurity staff can concentrate on the work that cannot be automated. Many companies also lighten the workload by outsourcing functions such as risk assessment, network monitoring, access management, and the remediation of compromised systems. Outsourcing does not remove the need for in-house oversight, however: someone on staff still has to own the relationship, review the provider’s findings, and act on them.
3. Educate Business Executives
In the ESG/ISSA report, 21% of respondents said that the management of their organizations viewed cybersecurity as a low priority. Given how detrimental cybersecurity attacks and data breaches can be, executives need to understand the true severity of the threat, and what is required to protect their organization’s interests. The report shows that 40% of respondents believe cybersecurity goals should be added as company metrics for success. Reviewing the data and conclusions in the ESG/ISSA report could be a helpful starting point for a dialogue between business, IT, and security management.
When presenting information about cybersecurity to various members of management, remember to tailor your presentation so it addresses the specific concerns of their role. For example, management is less likely to be interested in detailed technical aspects. What they probably want to hear is how it affects the organization’s finances and future growth.
4. Push for More Training
Many organizations do not provide adequate training for cybersecurity professionals to stay up to date with current threats and techniques, which is itself a security risk. But training is needed outside the IT department as well: a lack of training for non-technical employees is a major contributor to cybersecurity incidents.
Cybersecurity may not be at the forefront of many workers’ minds, so they need to know how to recognize and report phishing attempts, how to choose and protect passwords, and how to handle suspicious attachments and requests. Training all your employees will almost certainly cost far less than a major attack or data breach.
5. Lobby Government Legislators
The overwhelming majority of cybersecurity professionals surveyed believe their country’s critical infrastructure is vulnerable to a serious cyber-attack, and that governments should be more involved in cybersecurity strategy and defense. To change this, cybersecurity professionals will need to get organized and engage legislators to explain their concerns and educate them on the potential risks.
Are you concerned about the state of cybersecurity in your organization? Contact us so we can help!