The reality of cybercrime requires permanent organizational change
Because cybercrime isn't going anywhere soon, every business needs to consider changes within its organization to institutionalize its emphasis on data security. This is not a problem that can be handled within a few particular operational or administrative silos.
Here are just a few things to consider:
- BYOD policies - A Bring-Your-Own-Device policy, which allows employees to use their own laptops, tablets and other mobile devices instead of company-issued ones, has become common practice in many organizations. However, permitting BYOD opens up new security issues because your IT department has potentially less control over how company data is accessed. With BYOD, many additional doors are being used to access corporate databases and similar resources, so it can be harder to keep your data secure. Because of the ubiquity of cybercrime, IT departments need to approach BYOD with a heightened awareness of new security vulnerabilities.
- Employee Training - Although training is generally a topic for Human Resources, IT now needs to be involved in designing ongoing employee training that teaches employees to be vigilant about data security, password hygiene, and similar topics. Employee errors, such as opening phishing emails, are one of the largest causes of data breach events in the business world.
- Operations and IoT technology - Another area where there should be a refocusing of attention involves the Internet of Things (IoT). The IoT has, at least in part, been introduced operationally, with Line of Business (LOB) managers discovering new specific applications for IoT devices, adopting them, and then being responsible for their maintenance and security. Such devices are introduced as needed to address discrete needs throughout the organization. As a result, IoT devices have tended to function in operational silos. The unintended consequence is that the IT department, traditionally responsible for security issues, is left out of the loop. This means that data security is uncoordinated across all of the IT facets of the organization and security vulnerabilities are being overlooked. C-level tech leaders need to recognize this and adapt accordingly.
- The corporate mission - In order to give appropriate recognition to the threat that cybercrime represents to the health of a business, companies should consider including security as a core part of their mission. Both B2B and B2C customers take security very seriously, so companies should realize their mission is not to "provide X product or service," but to "securely provide X product or service." To paraphrase a car maker's phrase from many years ago: "Security is Job One."