We often hear that technology, and especially information security, is regarded solely as an expense to your institution’s
bottom line, but it’s high time we change that perspective. The reality of today’s business world is that nearly all organizations of any scale in every industry rely so heavily on technology that without it, they’d largely be unable to do business long-term. If you rely on technology and the internet to perform your day-to-day operations and serve your customers, consider yourself a technology company.
Here are three ways that tech companies think differently about their organization and security:
- They understand the risk.
- They test their people, processes, and technology.
- Their cybersecurity program starts at the top.
Understand the Risk
Being able to truly mitigate your risk starts with how well you can understand and quantify risk. If you perform a risk
assessment and your results only state that you have “low” risk, how do you know that’s right? How do you know what you need to do next?
The primary job of a risk assessment is to help you make decisions. When it comes to IT or cybersecurity risk assessment, the output should provide you with a clear understanding of what you have and how important that stuff
is, how risky your stuff is, and where you should spend your next information security dollar to mitigate additional risk. Don’t just perform a risk assessment to check the box; really know and understand your risk so you can secure your organization more effectively.
Test People, Process, and Technology
There are three ways to protect your information: people, processes, and technology. Your organization must implement risk-mitigating controls to protect your networks and customer information from those three categories. In turn, you must test the effectiveness of those controls so that you are confident they are in place and working correctly. Testing your people involves social engineering assessments (phishing emails, physical impersonation, phone impersonation, dumpster diving, etc.). Testing your processes involves an external IT audit. And testing your technology typically involves technical scans around the inside (vulnerability assessment) and outside (penetration test) of your network.
When it comes to IT or cybersecurity risk assessment, the output should provide you with a clear understanding of what you have and how important that stuff is, how risky your stuff is, and where you should spend your next information security dollar to mitigate additional risk.
Finally, out of those three processes, people are the weakest link. It’s much easier to convince a human being to provide the information they’ve been trained (or asked) not to share than it is to convince a firewall, whose only job is to follow a programmed set of instructions, to break the rules it has been built to follow.
Knowing that your people are your greatest weakness means you should test this area of your organization MOST frequently, not least frequently.
Start at the Top
To truly ensure your organization is on-board in changing your view of cybersecurity to align more with a technology company, the message must be consistently portrayed from the top down. Cybersecurity conversations between employees, the steering committee, and the Board of Directors need to happen regularly, not just once yearly. The integrity and availability of technology and data pose a much greater risk to your organization than nearly anything else, including a bad loan. A data breach, loss of customer data, or significant electronic banking downtime could cause irreparable damage to a community bank whose reputation is its most important asset.
Starting at the top means sharing the technology-focused message and vision with the whole organization, then backing up the message with appropriate investment into the technology and resources needed, including the roles and responsibilities of the staff. A shift from treating technology as an expense to a critical business function means aligning
your actions with your message.
Training and education of not only your employees but also your customers is another critical component to building
a cybersecurity culture. It shows everyone that you mean what you say and that you’re committed to doing what’s best for your employees and customers.
On top of training, holding your people accountable for their actions is also essential. If you are testing your people’s cybersecurity awareness with regular phishing email tests, accountability must be built into the process for it to be effective. Phishing is the #1 attack vector used to compromise your network and steal customer information. Allowing employees to fail phishing assessments by clicking on links repeatedly sends a very loud message to the organization that cybersecurity doesn’t matter. The same goes for testing your employees but not your senior management or Directors. Everyone should be on an even playing field when it comes to testing. Attackers don’t discriminate between employees and Directors.
Changing Your View
By thinking of your organization as a technology company and acting accordingly, you will change your perspective on how you protect your networks and customer information and set yourself up for success in the future. Realizing that your organization’s very existence depends on the technology you deploy via the internet to serve your customers, your focus will shift from “it’s a necessary evil and an expense” to “we need to do our best to protect our networks and customer information because our very existence depends on it.” Once you make that shift and invest in cybersecurity, you dramatically reduce the likelihood of a cybersecurity attack that could close your business. Change your mentality today!
For more information, contact Robb Nielsen at 605-251-7375 or robb.nielsen@sbscyber.com. SBS helps business leaders identify and understand cybersecurity risks to make more informed and proactive business decisions. Learn more at sbscyber.com.
