So just who is responsible for cyber security? Earlier this week we re-tweeted a great article from the Cyber Skills Centre about who is to blame for the current issues and challenges with cyber security in organisations.
Controversially, the author, Stuart Wilkes, suggested that responsibility resides with the IT Director, not with the software provider or the criminal. Reading the article, his argument was logical and well structured. As business leaders, IT Directors are responsible for ensuring that security is included in the design of systems, for keeping the Board and their clients informed of trends within the industry, for recommending changes to process and practice in the organisation, and so on.
The article created much discussion at Risk Evolves HQ.
Should the IT Director shoulder 100% of the cyber security blame?
Absolutely not! We'd go one step further and suggest that, as employers and employees, we carry a major share of that responsibility as well. Let me explain.
We were out and about the other week and stopped to use a 'free Wi-Fi' service at a coffee shop (we drink far too much coffee!). In order to gain access (and mindful of the advice provided by GetSafeOnline), you had to share some details:
- Email id
- House number
- Telephone number
- Date of Birth
Wow, just for 'free' Wi-Fi! According to the small print, the data would only be used for 'marketing purposes' and you could of course unsubscribe at any time. But as consumers, would you really give this data away? Who has it? Where is it being kept? Think about what it could be used for in the wrong hands. Would you walk up to a stranger and hand them a piece of paper with this information on it? It is perfect for ID fraud: together, these details are most of what is needed to apply for a credit card or open a bank account in your name. Needless to say, we didn't share our information, but would you?
Reducing the risk of cyber crime is MUCH MORE THAN JUST AN IT CHALLENGE.
So what do you need in order to take full responsibility for cyber security?
In addition to IT, you need robust processes and educated people.
Some people would laugh at the idea of giving away so much data; others would happily add their details without a moment's thought. Your staff could easily sit on either side of the fence.
People are your front line. Can your employees spot the phishing email when it arrives? Do they challenge a request to transfer money to a different bank account? They are the ones who tell the IT department when someone leaves the organisation. Ultimately they decide who has access to the data that forms the crown jewels of your organisation: the CRM database, your accounts, your blueprints, your component list and so on.
Employees need to understand why data has value, and what the impact of losing that data could be on your organisation, your reputation and ultimately their jobs. What should they do if they suspect something is wrong?
This is in addition to the usual security hygiene: strong, unique passwords, applying patches promptly, and so on. Ongoing, up-to-date education is key, delivered at all levels of the organisation and by every department of the organisation. It should be part of the starter process, and it can be reinforced through email communications, newsletters, posters and simulated phishing emails. Easy, affordable and cost effective.
Next time you read of a data breach at an organisation, think again about who in that organisation holds responsibility, and ask yourself the question: could you do more to prevent a breach?
For a no obligation discussion and free 30 minute leadership briefing on ‘Why Cyber Security is more than an IT Problem’, contact us at firstname.lastname@example.org or telephone 01926 800710