I have the privilege of being a member of a great peer advisory board. We work hard to hold each other accountable and challenge our peers to strive for greatness. A few months ago, we delivered our annual strategic plans to the group. Each member summarizes their plans and then presents the details to the group. The group then offers feedback and asks questions in hopes of improving our plans.
As I sat in the room, listening to my peers, I was receiving texts from my team back at the office. We were in the midst of spearheading the resolution of a ransomware event, thankfully with an organization that was appropriately prepared and protected. No matter how small, however, a cyber event causes an impact, and those incidents require documentation and communication at the highest levels.
Bouncing from my texts back to my peers’ presentations, it dawned on me. None of them had a cyber security strategy documented for their organizations. Each member had thought out products and services, sales and marketing, finance, succession planning and acquisition, but not one had a comprehensive security plan.
Our group is eclectic; we come from varying backgrounds, serving differing audiences with different products and services. There are large companies and small companies. Some are regulated and others are not. But all of them are vulnerable and none of them are fully prepared.
The reality is, no one is taking this seriously enough. You are not prepared.
It’s easy to scroll through your news feed and find a story about yet another breach. Cyber threats have been growing exponentially for many years and there is no end in sight. On the contrary, attacks are becoming sophisticated and targeted, and they affect all industries.
The impact of these attacks can be greater than business leaders imagine, costing many thousands of dollars, stopping production, creating distraction, and impacting reputation. The money spent, reputation eroded, time wasted, and trust diminished can signal the end for some and strike a major blow to others.
Despite the prevalence of this topic, we are not changing our behavior; we are just hoping or praying it won’t be us.
Maybe it’s because we haven’t felt the pain personally? I can assure you, having been called in many times to clean up the mess, the pain is real. Don’t wait until it is too late. Take cyber seriously.
What can you do to start taking this more seriously?
It starts with business leadership.
CEOs, boards and other non-technical leaders often rely on their technical team to guide the organization’s cyber strategy and execution. However, when it comes to other areas of the business, those same CEOs and leaders dive far deeper and often champion the charge. Cyber security requires the same diligence and passion from leadership. We suggest that you mirror the attention and involvement you have reviewing financial reports, sales figures and marketing concepts.
Protecting yourself from cyber threats takes the whole organization. It takes a change in mindset and it takes constant vigilance. No organization can change that drastically without the leader selling it!
Here are a few concrete ways leaders can up their cyber governance game.
Understand the threat
Take the time to understand the threats. Who is attacking you, why and how.
Know what you are protecting
Take the time to define what you hold, what is valuable. This can include data, intellectual property, employee information, and confidential client information.
You also must protect your assets: know what you have and how they are protected. Attackers often leverage your assets against you in a ransomware attack.
Build a strategy to protect
Find an internal employee or partner who can work with you to protect your assets and data from the most likely attackers. Work together to communicate using non-technical language to ensure the strategy is well understood by all stakeholders.
Buy the tools and insurance
Once you have your strategy, you will be better able to design the tools and services appropriate to protect your organization. There is no one-size-fits-all; you need to know where your risk lies and mitigate it as best you can. Then buy insurance, because you can never fully mitigate cyber risk.
Trust me when I tell you that while it will pain you to invest in tools that are not driving new business, you cannot afford not to have these tools. And, if done well, you can market your security stance and build trust among your customers.
There are no set-it-and-forget-it security tools. You can’t protect yourself from every attack. In the same manner that you review monthly sales figures and understand the sales activity, so too should you manage cyber security. There are platforms that can help make this easy; picture a CRM for cyber.
But take the time to monitor changes in your environment and, externally, in the threat landscape. Hold your team or partner accountable to modify your security program to grow and change with your organization and the ever-changing world.
Build the team
As much as we want to believe that there are fix-all tools, or that we can move to the cloud and make security “their problem,” that just isn’t the case. Managing cyber security, and your clients’ and employees’ data, is your responsibility. There is no one tool that can fully protect you. You need to arm a team of people with the right tools to fully protect your organization. You can build a team internally if that is economically viable, or you can find great outsourced options which offer more affordability and scalability.
Plan to fail
You will fail. Cyber security is always a step behind the attackers. So make sure you know what to do when that occurs. You need to have an IT plan, but also an overall continuity plan for your business. Communications and PR will be critical. Do you have cyber insurance? What does it cover? How do you file a claim? If you role-play and build plans now, then you will be better equipped when the attack comes. This will help you minimize the attack’s impact.
I hope this helps you and your team get started.
As always, we are here to help. We can start with a risk assessment and security design. If you already have that completed, we are able to help implement and manage tools or you can look at our Goma tool as a great governance methodology.