Why Good Cybersecurity in Business Is Everyone’s Responsibility

How can corporate culture help deal with cybersecurity challenges? Image: REUTERS/Brian Snyder

Cybersecurity leaders are also business leaders, working to protect data without business interruption. But the complexities and magnitude of today’s cybersecurity challenges are daunting for many organizations and not every executive is a cybersecurity professional, nor do they necessarily need to be. What’s important is that those with the primary responsibility for cybersecurity in an organization communicate risk effectively among their colleagues and across the business.

The World Economic Forum’s recently published Cybersecurity Guide for Leaders in Today’s Digital World provides a practical guide to dealing with cybersecurity challenges. Is it a foolproof defence against cyberattacks and security breaches? No, there are no silver bullets, but it does contain 10 basic tenets for business leaders to incorporate into their companies’ day-to-day operations. Diligent application of these tenets – and making them a part of your corporate culture – will go a long way toward reducing risk and increasing cyber-resilience.

Zurich Insurance Group uses a risk-based framework to achieve this. Its Integrated Information Security Baseline (IISB) unites security efforts across the global organization and helps business leaders – business unit CEOs, COOs, CFOs – to better understand and manage critical cyber-risks. Jointly managed by the first and second lines of defence, it is comprised of crucial risk indicators that touch on several of the tenets in the World Economic Forum’s guide. Its primary benefit is that it helps to achieve the 10th tenet: creating a culture of cybersecurity.

A strong cybersecurity culture is not about making everyone in an organization a technical expert on the latest cyberthreats, but rather about keeping these essentials in mind:

  • Nearly all individuals in an organization have access to information that is valuable to cybercriminals. This could be information with value in its own right, such as personally identifiable information that can be sold on the dark web; or information such as credentials that can be exploited and used to burrow into network systems and access other critical systems.
  • Many data breaches are enabled by unintentionally risky behaviours, such as selecting weak passwords or sharing account login credentials.
  • Most importantly, the bulk of today’s cyberthreats achieve their goal through humans and the targeting of individuals through phishing and social engineering.

Cyber attacks are a greater cause of concern for business than terrorism.

Organizations can make their cybersecurity culture more robust by:

  • Creating a framework for managing risk that can be understood across the organization, even by non-cybersecurity professionals. It doesn’t need to be a comprehensive measurement of all risks, but it should use risk indicators that are representative of the main risk areas, so as both to provide an overall barometer of cybersecurity risk and to ensure it’s kept as part of the business conversation.
  • Making sure cyber is part of the dialogue at the highest levels of the organization. If the CEO talks about phishing awareness, there’s a good chance this will become a priority at all levels.
  • Creating a security instruction and awareness function and appointing a senior leader responsible for running security awareness campaigns and overseeing security training. This executive should be empowered to work with colleagues across various business functions to design programmes that address the needs of different employee specialities.
  • Creating incentive programmes to reward and reinforce positive security behaviour. For example, phishing simulation training could be made more enjoyable through gamification and small prizes for those who report the most phishes.
  • Many companies have a mandatory annual training requirement, but you can also find ways to make engaging, bite-sized security training available throughout the year. This can be delivered through fun quizzes, cartoons or security-focused webisodes.
  • Ensuring employees know the right channel to quickly report suspicious activity and making sure this information is easy to recall and access. Even better, provide multiple channels for communication: an IT help desk, a dedicated cyber-reporting phone line, email, or even SMS and social media messaging.
  • Communicate, communicate and communicate again. To keep cybersecurity top of mind, it needs to be communicated frequently and continually through multiple channels. Company newsletters, blogs, digital signage and posters are all good venues for promoting anything from a cybersecurity tip of the day or slogan, to an interview with a top company executive on the topic of cyber fraud.

In every company, in every organization, every person is a security champion. We all have a responsibility to remain educated and aware and to support the cybersecurity team in implementing best practices.

Paige H. Adams, Global Chief Information Security Officer, Zurich Insurance Group

5 Comments
  1. It’s such as you read my mind! You seem to know so much approximately this, like you wrote the e book in it or something. I feel that you simply can do with a few p.c. to drive the message home a bit, however other than that, that is fantastic blog. An excellent read.

    I’ll definitely be back.

  2. I don’t know if it’s just me or if everybody else is experiencing issues with your blog. It seems like some of the written text in your posts is running off the screen. Can someone else please comment and let me know if this is happening to them too? This may be an issue with my internet browser because I’ve had this happen previously.

    Thank you

  3. Definitely believe that which you said. Your favorite justification seemed to be on the internet the easiest thing to be aware of. I say to you, I certainly get irked while people consider worries that they just do not know about. You managed to hit the nail upon the top as well as defined out the whole thing without having side effect, people can take a signal.

    Will likely be back to get more. Thanks

  4. I love what you guys are usually up to. This kind of clever work and reporting! Keep up the good works guys. I’ve added you guys to our blogroll.


©2020 Global Cyber Security Report. Use Our Intel. All Rights Reserved. Washington, D.C.