Top Cybersecurity Myths: Cybersecurity Is Not My Problem
MYTH: Cybersecurity is an IT problem. It’s not my problem.
If we asked you who is responsible for information security at your organization, who would you say? Would you say the IT Manager? The entire IT department? An Information Security (InfoSec) Officer?
Many organizations share this sentiment: that responsibility for cybersecurity rests with a few people. Let's examine this misconception and why cybersecurity is in fact the responsibility of every individual at an organization.
Cybersecurity is a business risk.
Cybersecurity is a business risk, not just an IT risk. If an incident occurs, an organization may experience fines, penalties, and legal fees. Organizations can also experience reputation damage as clients, donors, and other constituents lose faith in the organization’s ability to protect their sensitive information and donations.
These consequences land on the organization as a whole, not just the IT department. Organizations often struggle to recover from the short-term and long-term financial impact of a breach, and that affects all employees, not just the IT staff.
Response to breaches includes more than just the IT department.
When a breach occurs, IT staff are undoubtedly involved. However, an appropriate breach response is not limited to technical employees; to be effective, it must have input from numerous departments.
Your public relations and marketing staff should be involved to ensure your constituents and the media are updated appropriately. Legal counsel generally must be consulted to ensure all applicable laws and regulations are considered. Human resources, security, operations personnel, and other levels of management may also get involved, depending on the type of incident.
An end user can prove to be the weak link.
Even if your technical department puts every possible control in place, there will always be one staff member who is in a rush, improperly trained, or simply makes a mistake. That person will click a phishing link that installs malware, or will act on a fraudulent request without verifying who made it and hand over sensitive data. Good employees make mistakes all the time.
Your user base is one of your biggest assets and a significant part of your control framework. Cybersecurity is the responsibility of your entire user base, and that responsibility needs to be communicated from the top down.
As you can see, cybersecurity affects the organization as a whole. It’s not the responsibility of just one person. Therefore, it’s imperative to take the following steps:
- Develop a culture of security that starts at the top level of your organization. Staff must see their management taking responsibility for cybersecurity. One way to establish this is a standing IT/InfoSec update on the board meeting agenda.
- Establish a cybersecurity training program so that staff members understand the threats they face and what they can do to help keep your organization secure.
- Develop an Incident Response Plan with input from every applicable department. Conduct tabletop exercises in which those individuals walk through realistic scenarios and how the plan would be carried out.
Allison Davis Ward
Allison Davis Ward is a Partner at CapinTech. Throughout her time as an information systems auditor and senior manager, Allison has provided information security assessment and consulting services primarily for nonprofit organizations, financial institutions, and health facilities. In addition to these services, she has provided clients with consulting services in risk assessment and policy development engagements.