For years, cybersecurity was considered the business of the IT department. In the corporate structure, it made sense. IT was in charge of the computers and the network, cybersecurity was a computer issue, thus cybersecurity was an IT issue.
No longer. Today, it's a due diligence issue – with that due diligence taking place internally on the organization’s IT system, and not just externally, as has been done traditionally.
The experience of recent years – in which hackers have wreaked havoc on corporations – has turned cybersecurity into a topic that corporate executives need to take seriously. As a result, companies now spend large sums and expend significant resources to protect themselves from cyberattacks.
This typically includes buying security systems, hiring a chief information security officer (CISO), and running educational seminars for employees on the dangers of responding to phishing messages. Today, they are much more willing to treat cybersecurity as an important business issue – and that's a welcome change from just a few years ago when cybersecurity wasn't even necessarily on the C-suite's radar.
But cybersecurity must function as more than just “another” business issue. The impact of a successful cyberattack could potentially cripple a company in numerous ways. If hackers get ahold of a company’s financial data or customer information, it could lead to a world of damage - far beyond financial loss.
The consequences could include negative PR that could cost the company future business deals, fines if regulators determine that it did not follow the necessary guidelines to protect its systems, and a decreased share price. Indeed, these are but a few of the potential consequences. To avoid these scenarios, organizations need to evaluate their resources (financial as well as manpower) along with their risks and develop a cybersecurity plan that will block the attack routes that lead to business-critical assets, while reducing the organization’s risk and optimizing its cybersecurity resources.
The risks are great, but resources are limited – so organizations need to determine how to balance the two. Start by conducting cyber-due diligence on their own organizational assets. Usually, companies associate due diligence with bringing in someone or something – a new hire, or an organization – into the organization. However, companies need to think of their respective systems as being “outside” –
under the potential threat of external bad actors. We need due diligence on the assets we think we can trust, and companies must determine and understand what the main risks and secondary issues are:
- What's at stake: How does the company use data? Who accesses that data and how? Where and how does the data get stored and move around the network? By assessing data inventory, companies will gain deeper insights into which areas need strengthening, and which areas are most vulnerable.
- Where are the vulnerabilities: Armed with information on vulnerabilities, security teams can consider ways to mitigate them. Audit the security systems in use and have been used in the past and determine the track record of each. Security leaders can then deliver clear information to executives about the vulnerabilities, as well as their plans to mitigate them.
- How to protect: When organizations are cognizant of the risks they face, they can better determine the resources they need to invest in cybersecurity.
Everyone in corporate life practices due diligence. No one would hire a top executive without doing due diligence on his or her background, and no one would enter into an acquisition without doing the necessary financial due diligence. Companies need to consider this level of due diligence for cybersecurity. Malware that infiltrates an organization’s servers can sit there for years – and when unleashed, it could bankrupt the organization. Don’t think of cyber due diligence as another good idea – it’s a necessity.
Reuven Aronashvili, founder and CEO, CYE