
Three cybersecurity fundamentals for enterprise companies (people, process, and technology), direct from experts and organizations in the IT security industry.
Despite frequently hearing words like “ransomware”, “phishing”, and “data breach” in the media—and possibly even at work—25% of technology leaders reported that their board members still do not identify cybersecurity as a major risk to their enterprise organization.
“With all the developments in technology, cybersecurity has both benefited and changed from the increased visibility and insights we gain from the enormous amounts of data we collect, store and analyze. The growth of the public cloud has offered huge amounts of economical store and compute, that can be brought online quickly and scale as needed.”
– Michael Wahl, Senior Director - Global IT and Cybersecurity at Tweddle Group
In this Fast Facts post, we’ll be covering three fundamental aspects of cybersecurity for enterprise companies. These cybersecurity principles, direct from experts and organizations in the IT security industry, could nudge board members to rethink their risk assessments for cyber threats.
“Cybersecurity” is an all-encompassing term for the tools and methods used to prevent unauthorized digital access, and because it’s such a broad term, it can easily become overwhelming and frustrating to non-IT senior management. In fact, “cyber fatigue” has become more prevalent over the last few years, even for IT professionals. But as cyberattacks continue to evolve, it’s more imperative than ever for leadership to go beyond simply meeting IT compliance requirements. Leaders must be actively involved in shielding their organization against malicious attacks.
Yes, protecting an enterprise organization against cyberattacks is an extremely complex practice, but a strong cyber defense strategy is built on three basic fundamentals: people, process, and technology.
#1: Educate people, because they could be your biggest IT risk 👨
“Employees can create some of the greatest risks to cybersecurity. However, when they are well informed they can also be an asset and a first line of defense. Oftentimes, cybercriminals will specifically target employees as an attack vector based on their lack of knowledge for security best practices.”
Pro tips from CIOs and CISOs in the Pulse community:
- Two-way communication between leadership and employees is vital to establishing a “cyber threat aware” culture.
- Invest in ongoing employee training for best cyber defense practices.
- Join the Pulse community to discover how other enterprise technology leaders increased cybersecurity awareness and adoption at their company.
#2: Establish detailed business process(es) 📝
“To ensure continued operations with minimal [downtime], your organization should have an IT recovery plan as part of its overall business continuity approach. In this plan, your organization should identify critical data, applications, and processes and define how it will recover IT services that support business operations, products, and services.”
– Canadian Centre for Cyber Security
Pro tips from CIOs and CISOs in the Pulse community:
- Always have an incident response plan that provides associates with clear actions based on their role within the organization to minimize negative impacts on the business.
- Regularly sync with managers across the organization to ensure cybersecurity is top-of-mind and incorporated within their internal and external processes.
- Understand how well and how often threats are monitored, documented, researched, and responded to. This will bring any vulnerabilities to the forefront, help your organization adapt to new or evolving threats, and better protect the enterprise in the future.
What advice would you give to IT teams when they plan, respond to, document, and investigate cybersecurity risks?
“Make sure [you] really understand the full picture. [Go into the] system and asset inventories, control inventories, risk inventories, etc. Without a clear picture of what the universe looks like, the organization is by default accepting risks that they haven't measured. This is particularly true during an incident or response event when new things pop up that the team should have been well aware of.”
– Anthony Johnson, Founder and Managing Partner at Delve Risk
#3: Take advantage of tools and integrated technology ⚙️
“Any piece of electronic equipment that uses some kind of computerized component is vulnerable to software imperfections and vulnerabilities. The risks increase if the device is connected to the internet or a network that an attacker may be able to access. Remember that a wireless connection also introduces these risks.”
– Cybersecurity and Infrastructure Security Agency (CISA) and Stop.Think.Connect™
Pro tips from CIOs and CISOs in the Pulse community:
- Always have fail-safe and backup security plans, using a layered approach as part of your security strategy. Never rely on only one tool or one line of defense.
- Keep people and processes in mind when thinking about which tools and technologies to implement. Some technologies might be great for the IT department but frustrating for other employees to use on a daily basis.
- Take advantage of modern technology by automating tedious or manual operations.
Can I protect my organization against the latest cyber threats using older tools?
“Absolutely. Most of the cyber threats and breaches that [have and continue to occur] rely on older or fundamental security issues. Applying the fundamentals well and using older tools to solve core issues like visibility, completeness of patching, etc., are some of the best ways to really have a mature cyber program. Advanced techniques and tools are great, but only after the basics are done well.”
– Anthony Johnson, Founder and Managing Partner at Delve Risk
Implementing a multi-layered IT strategy that promotes educating people, improving business processes, and integrating technology cannot be done on a whim. It’s critical for everyone—including board members—to partake in risk management for enterprise organizations to minimize potentially detrimental digital attacks.