Cybersecurity isn’t just for the IT team to manage
5 reasons why cybersecurity should be everyone’s job
Digital transformation has changed how we all do business.
Companies are realizing the benefits of Internet of Things (IoT) and the cloud, exploring new software-defined networking (SDN) solutions, and building data analytics capabilities to help drive business decisions. The way we use information has changed, but too many organizations have been slow to change the way they handle security.
The result? IT departments have been trying to get the word out, but few of us have heard their call.
This year’s annual AT&T Cybersecurity Insights report is based on interviews with 15 cybersecurity experts, both from within AT&T as well as external thought leaders. The recommendations in this report are a roadmap for collaborating on and achieving shared cybersecurity goals.
Cybersecurity is no longer just an IT issue; it also involves business operations, finance, leadership, and even your vendors and supply chain. Anyone who touches any part of your network ecosystem could be susceptible to attackers.
According to our latest report, here's why cybersecurity requires attention from more than just your IT department.
1. Attacks don’t always come through the front door anymore
For a long time, great security came down to protecting a single access point that everyone used. All the important information was safe inside the house, and as long as you controlled who walked in, everything would be fine. IT departments were good at handling this kind of security; they built strong front doors with reinforced locks and pointed cameras at the sidewalk.
Now, the single strong access point has vanished. It has been replaced by an assortment of mobile devices running an infinite variety of apps and software options. IoT has turned tools like printers and energy monitors into potential avenues of attack on business networks. We’re still guarding the front door, but now everyone in the house is running around opening windows and leaving backdoors unlocked.
2. You don’t own the cloud
Organizations used to build their own data infrastructure. Business owners would decide on the strengths and capabilities they needed and then hand the requirements off to the CTO to build. When we built our own data centers, we were free to make them meet our security needs, too.
But you aren’t building the cloud. “You're no longer doing it,” said Kevin L. Jackson, founder of GovCloud Network. “You're going to somebody else's data center.” The cloud works because it is decentralized; that means you no longer own the infrastructure. Outsourcing networking mechanics to a cloud service provider doesn’t replace the need for ongoing due diligence. Hard-won network security can be breached through your cloud provider’s security inadequacies.
3. Security isn’t an expense, it’s an investment
Connectivity makes organizations more efficient and profitable than ever, but that connectivity comes with more cybersecurity risks. Connectivity is so important that it has changed how business owners should view their IT departments: good security isn’t an expensive drain on resources, it’s an investment in future profitability.
Many CFOs have been finding themselves more involved with IT conversations exactly for this reason.
The cost of cloud hosting and server migration can be a high, ongoing expense that organizations have to plan for financially, according to Danessa Lambdin, VP of Cybersecurity Solutions at AT&T. This is especially important considering the huge costs that can come from a large data breach.
“I think you're going to see a larger role in this area for the CFO,” Lambdin said, “given their compliance and risk management responsibilities for the corporation—and just the implications of a breach on the business. I think you'll see that more and more sitting in that CFO’s space.”
Since CFOs usually lack technical expertise, they’ll need to work closely with technology- or information-focused executives like the CTO or CSO. Without their input, a CFO is likely to make a financially driven decision that doesn’t cover technical requirements. This is often a bad long-term financial decision because of the costs associated with data breaches.
4. The cybersecurity problem is worse than you think
Security is getting harder, thanks to more network vulnerabilities and more attackers—including well-funded state-financed attackers—trying to find a way in. But there’s also a growing disconnect between business and security groups.
For example, 65% of respondents to the AT&T survey said that they have adequate in-house talent to address their cybersecurity needs—but 80% of those respondents also admit to suffering an attack during the previous year.
Senior executives are particularly confident, with 70% of C-level respondents saying they’ve got enough IT talent. When the same question goes to IT workers closer to the front lines, only 56% say that the organization’s needs are covered.
5. Security is a culture problem, not just a tech problem
Because every member of an organization can unknowingly breach a network’s security with a smartphone, a printer, or a camera, everyone in the organization is responsible for security. This means that employees outside of IT need to be trained on current best practices and how attackers may try to break in. Only 61% of organizations in the AT&T 2017 Global State of Cybersecurity require cybersecurity training for all employees.
However, even those 61% who require training may not be doing enough. One-time training is not adequate, according to Greg Hill, AVP of Emerging Security Solutions at AT&T. “Introduce continuous measurement processes after any security awareness training,” Hill said. “You have to be able to measure how well your employees grasp the new security concepts.”
For everyone to benefit from the efficiencies of the new digital workplace, we all have to accept responsibility for managing risks.
To learn how to make your organization ready to face cybersecurity threats, view the AT&T Cybersecurity Insights report.
AT&T Cybersecurity Insights, Vol. 7
Our latest report, "Cybersecurity for today’s digital world," can help you manage cyber risk as you transform your business.