The blame game starts as soon as the breach is detected.
Do you blame the employee who clicked the phishing email link that launched the malware and implanted a rootkit? Do you blame the IT department at large or the CIO for not having the necessary security tools in place to prevent it? Do you blame the CEO or the corporate board of directors for not making cybersecurity a priority for the business?
According to a study by the Ponemon Institute, 45% of CISOs worry that they would lose their jobs following a cyberattack on their organization. Given the intense media spotlight on breaches such as Equifax, Uber and Target, it is no wonder that company executives are worried about their jobs.
The IT department is easy to blame, but internal IT is restricted to the tools it has at hand. Additionally, IT can’t hold the hand of each employee who feels tempted to click an embedded link in a phishing email.
Employees can’t be blamed for clicking on a phishing email or falling for an email scam if they have not been educated about cybersecurity awareness and phishing, and if they don’t understand the role they play in cybersecurity risk management.
Cybersecurity is everyone’s responsibility, but accountability starts at the top
Accountability starts in the C-suite — cybersecurity is a shared responsibility across every function and level of an organization. All teams have an interest in protecting the company’s data and network. It is not only up to the IT team to plan and manage cybersecurity. It is especially important that teams work together to perform a risk assessment and determine their acceptable level of risk.
While company leadership is accountable for the damages resulting from a breach, a combination of tools, training and a culture of security consciousness will help prevent any one individual from taking the blame for a breach. Because each organization is different and each business defines risk differently, company leadership must determine how it proceeds when it comes to risk.
Some key questions to answer in this assessment are:
- What sensitive, personal information do we host within our organization?
- How sensitive is that information and what consequences would transpire if it was compromised?
- What penalties and costs would our company be liable for if this data were breached?
Once a risk assessment is complete, you can formalize a plan to mitigate the identified risks and prioritize the efforts to combat them. This ensures transparency and consensus on security protocols. It records, at the organizational level, what approach was chosen and what level of risk was accepted, along with proper documentation of the process. In the event of a breach, these are the considerations every company should have on record, not only for litigation purposes, but as the basis for improving controls.
When everyone is accountable, no one is to blame.
ACE IT Solutions performs risk assessments to help businesses like yours understand their cybersecurity posture and define best practices and policies that meet compliance guidelines. We offer a comprehensive suite of customizable cybersecurity services to meet your organization’s specific risk profile and compliance needs. Contact ACE IT Solutions at 646.558.5575 to set up a cybersecurity consultation.