Your cybersecurity strategy is one of the most crucial parts of your business. Regardless of your business size or sector, you need to have stringent protocols in place to protect your data from ever-changing cyber threats.
But who is responsible for the implementation and maintenance of your cybersecurity plans?
You might be surprised to learn that cybersecurity isn’t just an IT problem – it’s also a senior leadership, HR, compliance and legal issue.
As Ipswich’s leading cybersecurity experts, a core part of our work goes beyond installing technical defences. We take the time to educate your team (from your senior leadership personnel to your junior staff), explaining what you need to do to remain safe online, how to minimise risks and what the potential outcomes could be if you fail to prioritise cyber defences.
We believe that once local businesses across Suffolk understand why cybersecurity needs to be considered outside of the confines of their IT infrastructure, it becomes much easier to implement multi-layered defence mechanisms.
Does your business size and structure impact who needs to take responsibility for cybersecurity strategies?
Cybersecurity is a continuous journey. Regardless of your business size or sector, there will always be something more that you can do to add another layer of protection to your business.
Large companies may rely on their Chief Information Security Officer (CISO) to drive their strategic plans. In contrast, smaller businesses may depend on their CEO or in-house IT department to take responsibility. Others may prefer to outsource the technical aspects of their cybersecurity defences to us, trusting our team to install effective cybersecurity defences throughout their technical infrastructure.
Our cybersecurity expert, Karl Wilkinson, says,
“Realistically, the size and structure of your business will naturally impact who is responsible for your cyber plans, along with your business sector. That is because, these days, every single department within your business will rely on a wealth of confidential customer data to make informed decisions. Different teams may be relying on third-party apps, plugins or software solutions, so those departments must be involved in the conversation to understand how they can safeguard every single piece of data that they receive. Individual teams may have their own regulatory frameworks that they need to adhere to, which is why cybersecurity needs to be viewed as a business issue, not a technical issue.”
“We all know that the vast majority of cyberattacks start from human error, so it’s no longer good enough to be seen as an IT problem – it’s an ‘everybody’ problem.”
What are the risks of only thinking about cybersecurity as a technical IT issue?
When properly managed, a cybersecurity plan will protect your business from significant harm.
Not only will your cybersecurity defences protect your data and limit the risk of internal compromise; by preventing malicious activity, they will also keep your business fully operational, enhance customer trust, protect you from legal or compliance issues and contribute to a stronger reputation.
In our view, now more than ever, cybersecurity should have shared ownership – to do this effectively, it’s essential to explain why different departments need to get involved.
Senior leadership teams need to understand what cyber protections are in place.
Has your senior leadership team asked you to compile a report showcasing how effective your cybersecurity operations are? If so, are you sure that they have understood and interpreted your data and insights correctly?
There remains a huge problem: not enough Boards of Directors are inviting CISOs or IT managers to the table. This means that cybersecurity isn’t being seen as a board-level priority. Considering that cybersecurity remains one of the most significant risks that any company faces (regardless of its size or sector), failing to consider the technical safety of your business could be putting it at significant risk.
In a 2023 article published on forbes.com, Brian Walker wrote:
“Up to 90% of all Russell 3000 boards lack even a single director with credible cybersecurity expertise…
… There’s a common perception that CISOs are overly technical; that they aren’t necessarily suited to transition from a largely operational focus on minute details to broad, strategic concepts. But, given the breathtaking shortage of boards with even a single director with true cybersecurity expertise, company leaders should seriously consider CISOs for the job. CISOs can bring the technical expertise and knowledge that boards need to successfully steer companies in the right direction, technology-wise.”
It’s time for senior leadership teams to understand that cybersecurity must become an overwhelming priority. Investing in defences such as Cyber Essentials or Cyber Essentials Plus shouldn’t be seen as a luxury. Instead, it should be the minimum that you are doing to ensure the longevity and safeguarding of your business.
HR teams need to educate employees and ensure IT policies are adhered to.
HR teams also need to get involved in cybersecurity conversations because employee education and awareness are vital to maintaining cyber defences.
According to the government’s Cyber security breaches survey 2024, phishing emails remain the most common type of data breach or cyberattack. While we can install effective email protection software (such as Barracuda), there needs to be further training and awareness from HR teams about the role that individuals have to play in tackling cybercrime.
We recently published a helpful guide which explains what you should do if you think you’ve been hacked. Although we offer regular training and education for our clients, it is crucial for HR teams to continuously remind employees that IT policies need to be adhered to at all times – particularly those working from home or those who make the most of hybrid working.
Compliance and legal teams require cybersecurity for regulatory governance.
Whatever sector you work in, your compliance processes will almost certainly require sophisticated cybersecurity settings. You will need to document what steps you are taking to protect your data and minimise your risk levels. In fact, having a Cyber Essentials certificate is a requirement for being able to work on any public sector contract, so investing in cybersecurity could provide you with many more business opportunities.
As Karl Wilkinson says,
“We all know that protecting data is essential, so it’s not just about investing in encryption or disaster recovery planning. It’s about having the documentation and paper trail in place to show exactly what you are doing to keep yourself safe. If you can show that you’ve taken appropriate steps, you’ll minimise any potential fine or punishment if something does go wrong.”
“As standard, your compliance and legal teams should be aware of what processes you have put in place and ensure that those steps are exceeding the minimum requirements set out in your regulatory practices. After all, you can never put too many defence layers in place.”
Communications teams need to be prepared to deal with any reputational damage.
If your business is affected by a cyberattack or data breach, it’s not just the technical issues you need to deal with – it’s also the reputational fallout.
Customers will almost certainly question how and why a situation occurred and will want to know whether their personal data was affected by any breach. The quicker you can respond to and address those concerns, the more you can retain the trust of your stakeholders.
As part of your contingency planning scenarios, your cybersecurity plans should be regularly shared with your marketing and communications professionals. That way, mitigations can be put into place if disaster strikes.
For instance, if your customer payment details were accessed or confidential health data was leaked, your communications team will need to implement rapid crisis communications plans. They will need to have ready-made comments available explaining the situation along with any remedial action.
Failing to keep them updated before any issue arises means that crucial time will be lost as your comms team tries to prepare statements and understand the technical details from scratch. The last thing you want to be dealing with in the midst of technical repairs and data recovery is liaising with comms teams to explain what you are doing, so providing clear education and communication beforehand could spare a great deal of stress for you and for them.
The reputational impact of a cyberattack could be far more costly to your business than the breach itself, so you need to review and update your communications strategy regularly so that your team knows what to do, what to say and who to liaise with at any time. We recommend building reputational damage into your disaster planning scenarios; that way, you can be prepared for any eventuality.
Taking ownership of your cybersecurity strategy requires collaboration and communication.
As you can see, cybersecurity strategies are not just about the technical aspects of your defence. The best thing you can do is to encourage a shared ownership responsibility, where all departments work closely together to prioritise safe and secure working practices.
As your external IT cybersecurity team, we can install multiple layers of cybersecurity defences and also explain clearly what we’ve done and why. In our opinion, part of the reason why cybersecurity is seen as an IT-led responsibility is that data reporting is often far too technical. Too many misunderstandings arise because individuals haven’t grasped that preventing problems from escalating is far more important than reacting to incidents after the fact.
Senior leadership teams, HR managers, compliance and legal representatives, and comms teams need to be crystal clear on how their efforts contribute to your safeguarding processes. The more that these discussions are held jointly and understood across departments, the easier it becomes to work together effectively and create genuine shared ownership.