If you've worked for an enterprise organization, you know they take cybersecurity seriously. They might have a team of 50 or more dedicated to managing cybersecurity operations and GRC (governance, risk and compliance). Many even have a Chief Information Security Officer (CISO) to lead the overall strategy. One-quarter of enterprises spend at least 10 percent of their total IT budgets on cybersecurity initiatives.
Your company may be working on a smaller scale than a billion-dollar enterprise, but that doesn't make cybersecurity any less important. In fact, small businesses are no less of a target than larger organizations: 50 percent of all cyberattacks target small businesses, a number that is expected to keep climbing.
A recent Better Business Bureau report found that the majority of small businesses have invested in antivirus software and firewall protection (81 and 76 percent, respectively), but less than half (47 percent) focused on employee education, and 20 percent or less took steps to provide ongoing monitoring of cybersecurity intelligence or threat assessments. In fact, 11 percent said that they had no cybersecurity measures in place at all.
Small businesses are risking the livelihood of their companies by failing to adequately understand cybersecurity risk or put measures in place to safeguard against data breaches.
As a business owner or operator, you share a significant portion of the responsibility, and it's up to you to take ownership over many components of cybersecurity. But some parts of cybersecurity, especially the tech-heavy ones, often fall outside of the realm of business management and into the world of IT.
It's essential that you give your IT team – whether that's only one or two people, a large team or an external IT provider – the authority, flexibility and resources to protect your company with a strong program of comprehensive, ongoing cybersecurity. The IT role goes far beyond simply setting up firewalls and installing antivirus software – for example, here are some areas where your IT team is a valuable asset in strengthening your organization's cybersecurity posture.
1. Vulnerability scanning. Your IT team needs a way to continually scan your network for known vulnerabilities. A vulnerability scanning solution or partner should provide recommendations for patches and countermeasures, which your IT team will prioritize and take responsibility for managing.
2. Third-party penetration testing. Penetration testing, or "ethical hacking," refers to active attempts to breach a network security system or environment to test its strength. In other words, you hire someone to try to break in and reach the crown jewels, then report on how they did it and what security measures to consider putting in place. This can include external testing (i.e., publicly available assets, such as a web application or the company website) and internal testing (simulating an attack by a credentialed user). This critical activity should be completed at least once a year, if not more often. And just as your CFO can't audit the books, this effort requires a third party.
3. Phishing simulations. Beyond analyzing the network, your IT team should also look at how well employees are following cybersecurity protocols – a company's security is only as strong as its weakest link. IT often coordinates regular phishing simulations (i.e., sending simulated phishing emails to users throughout the company to see who clicks through) and provides up-to-date reporting on the results in order to monitor effectiveness and track improvement.
4. Ongoing training. In an industry and landscape that changes almost daily, a one-time cybersecurity training session just isn't enough; cybersecurity awareness should be an ongoing part of companywide training initiatives. IT can help select, set up and report on these training modules, and may handle troubleshooting and questions from employees. Both video and classroom-style training can be useful in enabling a comprehensive cybersecurity program in the workplace.
5. Overall strategy development and management. Finally, managing cybersecurity isn't possible if you don't have an effective strategy in place and someone leading the way. Your IT team (in-house or third-party provider) plays a critical role in setting and monitoring your security goals, and managing the efforts and tools behind them. They will have insights and recommendations as you work together to develop, execute, and evolve the right holistic approach.
Does this sound like a lot to ask of an IT team? It is – especially when it comes on top of all of the traditional IT concerns, such as managing your company's equipment, infrastructure and technology stack. It's no surprise that a lot of this work doesn't receive enough attention in small businesses when it's difficult enough just to keep everything up and running, and they often lack the resources to dedicate time and budget to cybersecurity.
As we move into 2019, take some time to reassess the role of your IT team and the critical importance of cybersecurity. IT shouldn't be asked to do more with less; give them the resources, support and guidance needed to move your company in the right direction with its cybersecurity initiatives. That doesn't mean IT needs to shift focus away from their current jobs – it means enabling IT to leverage tools and solutions that complement their team and existing programs.