Cyber Security – It’s Not Just an IT Issue
posted Aug 1, 2016 by Daniel M. Andrea, CPA, CITP, CISA in the Business Blog
It seems that every day we read or hear about the latest breach of an organization’s data, whether it be a large retail chain, a health insurance provider or the Democratic National Committee. The frequency and severity of cyber-attacks continue to expand and evolve. Industry-specific regulatory requirements as well as federal and state legislative acts relating to cyber risks continue to be introduced.
An Enterprise Wide Problem
Experts throughout the Cyber Security field caution that the issue is not “if” your organization will be subject to a successful cyber-attack but rather “when”.
It is for this reason alone that organizations need to understand that Cyber Security is not just an IT problem where you can simply implement a firewall here and a SIEM product there and your fears are allayed. Cyber Security is an Enterprise Wide Issue that needs to be addressed by all facets of an organization.
Where does mitigation start?
Mitigation starts at the top, where Boards and Senior Executives should establish a working Cyber Security Committee as part of their overall governance structure. This Committee should be comprised of key representatives from all functional units (Finance, Legal, Operations and, of course, IT) and should establish a formal charter memorializing its responsibilities. The Committee will then oversee the development of the Cyber Security Risk Management Program as part of the overall enterprise risk assessment initiative.
But it doesn’t stop there...
I am a firm believer that the weakest link in an organization’s cyber security program is its people. Indeed, there are countless instances where an employee can innocently cause significant financial (and, maybe, reputational) harm to the organization by responding to a phishing email or inadvertently downloading malware. Cyber Security Awareness training is a must and should be current and continuous throughout the year.
Organizations can harden their systems as much as they want, but until the entire enterprise is involved in preserving the integrity of the systems environment, we will continue to see the “bad guys” succeed.
Contact any member of our Information Technology Consulting Team for more information.