Prioritizing Your Cybersecurity Spend
As remote work drives organizations to invest in the latest cybersecurity tools and technology, criminals appear unfazed. Attacks on business networks continue to soar, and attackers are taking aim at the softest target: people.
From basic prevention like antivirus, anti-malware and firewalls, to user training modules and more advanced cybersecurity like breach detection, penetration testing and vulnerability assessments, an organization can employ a variety of security tools.
Security as a Culture
While technology is vital, it can become costly and is likely ineffective when used in a vacuum. So how does a small or midsize business prioritize its cybersecurity investment, especially when so many are experiencing so much uncertainty? One answer lies in the company’s culture. Companies should embrace the idea of “Security as a Culture,” with consistent, top-down messaging that promotes the importance of cybersecurity and a “think before you move” mentality.
The concept is a mindset and an approach meant to slow folks down, while keeping businesses moving. Employee performance is often engineered for speed, and disruptions are the enemy of productivity; however, a company that values quickness and convenience over security is ignoring best practices and underestimating the risks of working online in the 21st century.
When companies take an overt position on protecting privacy, and make their teams understand the seriousness of the threats they face, better business decisions follow. It is possible to move quickly while remaining vigilant and alert, but only if corporate culture makes security a priority.
The following steps will create a culture of security so that cybersecurity is top of mind with every action a company’s staff executes:
- Frequent and consistent messaging from leaders and management to inform employee behavior and attitudes
- Documented and enforceable policies customized to the needs of the business
- Training during onboarding and as an ongoing process, with measurable analytics to reinforce and retrain when necessary
- Solutions that reflect the company’s specific privacy concerns and industry compliance requirements
Cybersecurity requires a layered approach, and technology is a critical component. Backups are critical. Patching is critical. Penetration tests, internal threat scans, breach detection, multifactor authentication and data loss prevention are all important and highly recommended. However, if 99 percent of cyberattacks rely on human interaction to succeed, as the Proofpoint report “Human Factor 2019” found, people need to be an active part of the equation, and employee awareness can’t be overlooked. Cybersecurity needs to be an everyday conversation, and staff should feel as though they are the first and last line of defense in a cyberattack, because in many ways they are.
Poor decisions open organizations up to bad actors, as well as to regulators and corporate oversight. Steep fines for those who fail to secure their perimeter and protect Personally Identifiable Information (PII) can exceed the financial damage of the initial hack. Laws like the California Consumer Privacy Act (CCPA) and New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act are examples of a nationwide trend toward regulation written in the same vein as the EU’s General Data Protection Regulation (GDPR). The SHIELD Act, whose data security requirements took effect in March 2020, applies to any organization that holds the private information of a New York resident and imposes penalties of up to $5,000 per violation for failing to implement reasonable safeguards, with penalties for failing to notify affected residents of a breach capped at $250,000.
Corporate leaders must understand the significance of privacy and security. More than ever, criminals are conning employees into making the wrong choices, and as our digital presence keeps expanding, theft will continue to rise. We must shape our business culture to prioritize security and increase vigilance.
This article appeared in the January/February 2021 issue of New Jersey CPA magazine.