Key Points in This Article
No matter the size of a business or its industry, cybersecurity must be a top priority in the year ahead. It can no longer be just a priority of the CIO and not the CEO. Nor can it be a goal merely on paper, without leadership and organizational buy-in and resources behind it. Today’s executives must approach, treat, and support cybersecurity as if their business depended on it.
Because with cybercrime rising as entire governments and financial systems become more dependent on digital technologies, their business almost certainly does.
Gone are the days when news of cyberattacks was consigned to IT publications. Not a week goes by without a headline appearing in a major mainstream publication about a significant cyberattack here or abroad. Criminals have exploited all manner of vulnerabilities to penetrate corporate networks, stealing financial data and then using or selling it. They’ve also used malware known as ransomware to encrypt sensitive data or systems, holding businesses hostage until they pay a ransom for release. And even once the ransom is paid, a business may not be free and clear. Often, criminals will target the same company again, sometimes even exploiting the same vulnerability and using the same malware if the company does not respond appropriately to the initial breach.
Not only are criminals and the tools they use growing more sophisticated with each passing day, but the reliance of nation-state actors on cyber warfare, often directed at private sector entities, in regional conflicts and espionage has come more into view. While larger countries have long used cyber warfare as a weapon, smaller nations and non-state actors have begun using sophisticated hacking tools and schemes for ideological reasons, geopolitical advantage, or financial gain.
Moreover, cybersecurity-related laws and regulations are not comprehensive in most nations. Nor do countries devote adequate financial and other resources to law enforcement entities to prevent cybercrime and apprehend the criminals who commit it. And given that data breaches can result in significant liability for the affected company, many business leaders avoid reporting incidents to law enforcement. While this may mitigate a company’s legal risk, it emboldens criminals and makes threat prevention more difficult for law enforcement and the broader cybersecurity community.
While many companies have heeded the lessons of infamous breaches, such as the 2013 breaches of Yahoo and Medicentres or, more recently, the 2019 data breach of Desjardins, many have not. Some business leaders still believe their companies are too small to be of interest or else have buried cybersecurity beneath the other priorities on their desks. Others have delegated management and oversight of cybersecurity to in-house staff or third parties to such an extent that they have no way of knowing whether their security measures are adequate, working, or even in place.
But businesses of all sizes and industries must prioritize cybersecurity or risk catastrophe. And businesses are not the only entities that must be on guard. Hackers and criminals have gone after nonprofits, government agencies, military departments, hospitals, schools, colleges, and other public sector organizations. Truly, no private or public sector entity is immune from an attempted attack. However, prioritization of cybersecurity, along with the appropriate deployment of personnel, technical, financial, and other resources, keeps an attempt from becoming a disaster.
Just as the days of cyberattacks being relegated to trade publications are long gone, so are the days when responsibility for organizational cybersecurity can rest solely in the hands of one department. Some of the biggest data breaches have occurred because an employee fell for a phishing scam or misplaced their unsecured laptop. And in some cases, businesses with high turnover found themselves compromised by failing to secure loaned devices or not conducting proper due diligence on incoming employees.
Penetrating a corporate network is not just a matter of exploiting software applications. Criminals have devised many sophisticated schemes to dupe employees into providing access credentials. When appropriate technical controls aren’t in place, criminals can wreak considerable havoc once they’ve gained a foothold. But many breaches today start with employees, whether because a lack of cyber awareness leads them to miss what should be glaring red flags, through negligence, or through malicious intent. So effective cybersecurity must encompass not just every device and application but every employee.
Moreover, while threat response should be driven by IT, it cannot be limited to that department. The non-technical toll on a breached business is often made significantly worse because departments operate in silos, not in tandem. When PR departments are saying one thing to the public, in-house counsel is advising another, and rank-and-file have not been advised what’s going on, businesses can quickly find themselves in a quagmire of reputational damage, legal liability, and unnecessary errors.
While effective cybersecurity is an organization-wide endeavor, it must be driven by its IT department and leadership. But too often, businesses, especially small and emerging ones, rely on overworked teams of IT generalists who lack the practical experience and resources necessary to contend with today’s dynamic and complex threat environment. Businesses need cybersecurity professionals at the helm. But talent comes with a price, and many businesses cannot build an in-house team of experienced professionals, given the premium salaries they’d command.
Instead, businesses can and should take advantage of co-managed IT or managed IT services. Offered by managed service providers (MSPs) and managed security service providers (MSSPs), managed IT services allow a business to outsource its cybersecurity operations to experts with the resources and experience to safeguard it. Managed IT leaves cybersecurity to professionals so your IT staff can help you leverage your digital assets to earn revenue.
With co-managed IT, your IT staff will work with a reputable MSP or MSSP to secure your business. And with either managed IT or co-managed IT services, you’ll spend much less than you would to build a comparable round-the-clock cybersecurity unit in-house. With an MSP or MSSP partner, you can evaluate your existing infrastructure for vulnerabilities and remediate them. You can also develop new or refine existing cybersecurity, governance, backup and disaster recovery, and/or business continuity plans, then implement them.
When you work with a trusted provider, you’ll have dedicated staff constantly monitoring your network for suspicious activity, ready to investigate and respond. And you’ll have the peace of mind that comes with knowing you have clear and secure safeguards to protect your business when criminals target it.