Why Cybersecurity Compliance Doesn’t Belong In The IT Department’s Hands
What if you discovered that
all of the hard work, investments and time you’ve put into growing your
business is at risk due to a failure of your outsourced IT company, or possibly
even your well-meaning (but overburdened) in-house IT department? If you were
exposed to that level of risk, wouldn’t you want someone to tell you about it?
This article is that wake-up call.
Over the last
several years, the risks associated with cyber security attacks have grown in
magnitude. They are no longer a low-probability hazard that will result in a
minor inconvenience. Businesses of all sizes and types are getting hacked and
losing hundreds of thousands of dollars, or even multiple millions, in addition
to suffering significant reputational damage and loss of customer goodwill. For
some, it’s a business-ending event. For nearly everyone else, it’s a
significant financial disaster that can negatively impact profits and revenue
for years.
Yet too many
CEOs and small business owners are still abdicating critical decisions regarding
risk tolerance and compliance policies to their IT company or IT department,
when those decisions never belonged there. Many organizations treat the basic risk
assessment offered by an external IT company as enough information on which to base
what are, in effect, policy decisions. It is not enough. Such assessments do a commendable job
of evaluating one facet of risk, typically the technology side, yet leave the
people and process components unaddressed.
Here's a good
example: Let’s suppose you have an employee who refuses to comply with your data
security and password policies. They also consistently avoid taking the
required cybersecurity awareness training. These deficiencies put your
company at risk for a cyber-attack and compliance violation. This is clearly a
People and Process problem. Should your IT manager or IT company discipline
this employee?
Is it sensible
for the CEO to abdicate a response to what is purely a culture problem to their
IT department? If you say yes, the question is, when was the last time you met
with them to specifically address this issue and direct them on how to monitor
and manage it? Likely never – or once, a very long time ago.
Therein lies
the problem. Most CEOs would agree that it’s not up to the IT department to
make that call. And yet, many of these same CEOs leave it entirely up to the IT
department (or outsourced IT company) to handle the situation and make
decisions about what is and isn’t allowed, how much risk they want to take,
etc.
Worse yet,
many CEOs aren’t even aware that they SHOULD have such policies in place to
ensure their company isn’t compromised or at risk – and it’s not necessarily
your IT person’s job to determine what should or shouldn’t be allowed. That’s clearly
the responsibility of the CEO. Culture starts at the top.
As another example, many companies have invested in cyber liability, ransomware, or crime insurance policies to provide financial relief in the event of a cyber-attack. The logic is to cover the exorbitant legal, IT, and related cleanup costs that follow such an event. Yet our experience shows that most insurance agents and brokers do not understand, and cannot convey to the CEOs to whom they are selling a policy, what IT requirements must be met for the policy to pay out. Cyber policy applications routinely ask the buyer to attest that specific controls are in place, such as multi-factor authentication on email and remote access and backups kept offline; an inaccurate attestation is grounds for denying a claim. Because the agent never explains this, they never advise their client to work with their IT provider or internal IT to ENSURE the required protocols are actually in place, leaving the client at risk of having coverage denied for failing to comply with the requirements of the policy they just bought.
When a cyber event occurs and the claim gets denied, whose fault is it? The insurance agent for not warning you? Your IT department or company for not putting in place protocols they were never briefed on? Ultimately, it's on you, which is why you as the CEO must make sure that decisions affecting your organization's risk are informed ones, not decisions made by default.
Of course, a
great IT company will bring these issues to your attention and offer guidance,
but most are just keeping the “lights” on and the systems up, NOT consulting
their clients on enterprise risk and legal compliance.