Think Beyond IT When Assessing Cybersecurity Risks
Hackers don’t limit themselves to technical exploits—and neither should you.
Despite the implications of its name, cybersecurity is more than just an IT issue.
Some hackers are infamous for using technical wizardry to find and exploit vulnerabilities in business systems, but the vast majority use far more modest methods. Why go through the trouble of discovering and exploiting a brand-new vulnerability when you can get the job done with half the effort?
Most cybercriminals will avoid doing the hard technical work if there is an easy way to steal sensitive data or pilfer company funds. In fact, it turns out that hackers are lazier than the popular imagination makes them out to be.
Imagine a homeowner installing state-of-the-art fingerprint scanners on the front door and then leaving the windows open overnight. If their home was then broken into, nobody would say the burglary was a “door problem.” And that’s exactly why business leaders shouldn’t wave away cybersecurity concerns as “IT problems.”
Security-minded business leaders have to take a step back and reassess their cyber defense strategy from a non-technical perspective. Many organizations inadequately protect themselves simply because they focus on the wrong types of attacks.
Cyberthreats Are Business Risks
One of the primary jobs of a CEO is managing business risk. Executives are used to dealing with such risks as changing customer preferences, new industry capabilities, or expanding competitors. Cyberthreats are simply another kind of business risk—one that executives need to play an active role in mitigating.
The best way to do this is by identifying and assessing cyberthreat narratives. Each narrative describes, in four parts, how a cybercriminal could gain access to sensitive company data or customer accounts:
- The business activities that cyberthreats can impact
- The systems that enable those activities
- The types of attacks that can affect those systems
- The people most likely to carry out those kinds of attacks
Different industries will place varying levels of importance on certain threat profiles. High-tech companies may find themselves under constant attack from sophisticated hackers. Brick-and-mortar retailers, on the other hand, might find themselves victimized by opportunists looking for an easy way in.
While your IT staff will definitely play an important role in qualifying and categorizing the different threat narratives you will come across, they will have to rely on other employees to play important roles as well. This is where having a holistic, non-technical understanding of your organization’s cyber risk profile is important.
Customer service employees share responsibility for securing the company’s telecommunications services. Engineers share responsibility for securing the company’s manufacturing equipment. Everyone has a role to play, and those roles often intersect with one another and with the world of IT.
Cyberdefense Often Falls on Employees’ Shoulders
The problem with treating cybersecurity as an “IT problem” is that it is not always the IT team whose failure exposes the business to danger. Target’s infamous 2013 data breach occurred because a single employee of the company’s refrigeration contractor failed to properly install the Malwarebytes security application that would have stopped the attack in its tracks.
Sometimes, hackers are able to infiltrate organizations without using any technical resources whatsoever. Social engineering attacks are a great example—a resourceful con artist can get an employee to give away the keys to a company’s kingdom using nothing but publicly available information gathered from that company’s social media.
This is as true for ground-level employees as it is for C-suite executives. In today’s hyper-connected, mobile-first culture, everyone offers information about themselves to the world online. Capitalizing on that information is not technically demanding.
There are cyberattacks even the most sophisticated cybersecurity solutions on the market cannot stop. Consider your IT administrator, who enjoys practically unbridled access to all of your company systems, employee accounts, and customer data—what happens if someone peers over the admin’s shoulder and memorizes their password?
Don’t dismiss the possibility. Insider threats play a role in half of all data breaches. Disgruntled employees can represent a significant threat to organizations that do not take the time to regularly reassess employee permissions or change passwords.
Insider threats are a perfect example of a non-technical exploit against which very few, if any, technical solutions will work. Insiders don’t have to capitalize on some little-known bug to insert malicious code into the company system: they can simply log on using their password, delete every file they have access to, disable the disaster recovery system, and log off.
Comprehensive Cybersecurity Is a Team Effort
There are ways to protect your organization from the threats you have not yet considered. Understanding how broad the scope of cyberthreats really is, well beyond the IT department, is the first step in preventing security breaches at your business.
No single employee is going to be able to come up with every possible security contingency that an organization can fall prey to. It takes collaboration between key figures in every department. When your organization’s departmental leaders start identifying these threats together, they will be able to take meaningful steps towards mitigating them.
Learn more about how Dashlane helps make security simple for organizations and their people on our business page.