At the recent 1Path cybersecurity summit, Brian Shield, CIO for the Boston Red Sox, and Eric Rosenbach, co-director of Harvard Kennedy School's Belfer Center for Science and International Affairs and former Assistant Secretary of Defense for global security, discussed how instilling a culture of cybersecurity is a leadership problem, not solely an IT problem. That notion is echoed in testimony by Elizabeth Hyman, Executive Vice President of CompTIA, before the United States Senate Committee on Small Business and Entrepreneurship.
In the testimony, Hyman discusses how cybersecurity attacks have changed dramatically over the last 5 years and that small and mid-sized businesses have fewer resources to prepare for these kinds of sophisticated attacks. Not only has the variety of attacks grown significantly with the adoption of new technology models, but the scope of cybersecurity threats is still widely misunderstood.
According to the 2018 Verizon Data Breach Investigations Report, 58% of breach victims were characterized as small businesses, yet according to CompTIA research, only 14% of businesses with fewer than 100 employees feel that their current cybersecurity strategy is completely satisfactory. In the past, many companies have relied on a limited set of defensive tools, such as a firewall and antivirus. However, Hyman's testimony points out that much more is required for small and medium businesses to protect themselves effectively: improved technology, better business processes, and employee education.
The final point made in the testimony is the imperative to incorporate a culture of cybersecurity in businesses of all sizes as outlined in the paper, “Building a Culture of Cybersecurity: A Guide for Executives and Board Members.”
Here are the 6 cybersecurity principles that SMB leaders can adopt on a scale appropriate for their business:
- Integrate Cybersecurity into Business Strategy – Senior executives and board members need to be directly involved in quantifying cybersecurity efforts across the business.
- Reinforce a Culture of Cybersecurity through Corporate Structure – If cybersecurity is not built explicitly into an organization, leadership is sending a message that it is not truly committed to that goal.
- Know Your Employees Are Your Biggest Risks – Controlling access to sensitive data can significantly improve the chances of catching risky or malicious employee behavior before it causes damage.
- Detect, Detect, Detect – The longer it takes to detect a data breach, the more expensive the breach becomes.
- Enforce Data Protection – Collect only what is needed and share only what must be shared. Organizations need flexible and adaptable approaches to protecting data.
- Develop Robust Contingency Plans (and Test Them) – Companies must create a formal incident response team to have an end-to-end cybersecurity strategy.
For more information on how to create a culture of security in your organization, check out our blog.