Brad Atkin, CPA, CISA, CITP, SOC – Shareholder, IT Advisory and Security Group – Doeren Mayhew

Our cybersecurity team commonly sees a disconnect between what business leaders believe their information technology (IT) department does and what is actually happening behind the scenes in IT. Such gaps in communication and understanding contribute to larger-scale failures in oversight.

Blind trust in IT departments can be expensive for business leaders. According to the Ponemon Institute, the average cost for a small to mid-sized business to recover from a data breach is more than $690 million, and that figure does not include the reputational damage a breach causes. Worse yet, 60 percent of companies are forced to close their doors within six months of a breach. Studies have demonstrated that investing proactively in cybersecurity costs significantly less than recovering from a cyberattack.

Many business owners are aware that the cyber threat environment is changing, but many do not fully understand the ramifications of a cyberattack or how to better protect their company. As experts in operations and finance, most owners put their faith in their IT department to protect the company from cybercriminals. But how can business leaders without an IT background overcome the disconnect and safeguard their companies against cyberattacks?

How Much Time Does IT Spend on Security?

IT departments’ performance is typically assessed by whether the technology works, i.e., whether Internet access, email and printers are functioning correctly. But a robust IT department should provide much more than these basic, tangible services. Given the current digital landscape, the development of IT capabilities should figure prominently in a company’s overall goals. IT departments should manage technology governance and infrastructure and, among other things, implement policies for employee systems use, regulate hardware, apply software patches and updates, provide cyber-awareness training, control user access and communicate budget and resource needs.

Is your management team investing enough in cybersecurity? Does your IT department have the skills and knowledge needed to protect your business against current cyber threats? The increased frequency of attacks means that the old “keeping the lights on” approach to IT must give way to one in which cybersecurity is a top priority with dedicated resources to support it. Cybersecurity due diligence is needed to close the gap between perception and reality when it comes to your IT department’s performance and scope.

Sizing Up Your IT Department and Cybersecurity Program

It can be difficult to evaluate which aspects of your company’s cybersecurity are sound and which need further development. An independent expert can help you identify gaps and provide direction on a robust plan that incorporates your company’s needs and is written in a layperson-friendly manner. Qualified experts can:

Assess your IT team’s capacity and skills. Your IT staff may be computer experts, but that doesn’t mean they’re cybersecurity experts. Experts can help you ensure your staff is appropriately trained to handle cybersecurity, and guide you on allocating the resources needed to support these efforts.

Compare your company to industry frameworks and best practices. The right expert can analyze how your IT operations measure up against industry standards such as the NIST Cybersecurity Framework and ISO/IEC 27001. If your policies are not in line with best practices, this expert can help you revise existing policies or create new ones.

Prioritize risks and create a cybersecurity roadmap. Whether caused by design flaws or careless user behavior, each business has unique weaknesses that should be addressed to reduce risk. A cybersecurity expert can bring these problems to light and build a prioritized cybersecurity roadmap for addressing them, taking into consideration your company’s capacity in terms of time and resources, as well as risk tolerance.

Perform phishing test exercises. By simulating real-life scenarios to deceive your employees, experts can show you which employees are vulnerable to threats as well as your company’s overall cybersecurity awareness level. Phishing exercises simulate the most common form of cyberattacks and train your employees in what to look for.

Explore user access and segregation of duties. Making sure access to sensitive information is limited to the individuals who need it is of utmost importance. An expert can review your existing user-access controls and, using knowledge of your systems, confirm that each employee’s data access and permission levels match their job responsibilities and that conflicting duties (for example, creating a vendor and approving payments to that vendor) are not held by the same person.
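The kind of check an access review produces, as an added example that is not part of the original article or of any Doeren Mayhew tooling: the entitlement export, role names, department baselines and segregation-of-duties rules below are all constructed for illustration, and a real review would pull the same data from the ERP, directory or identity provider.

```python
"""Access review with segregation-of-duties (SoD) checks.

Constructed example: a small entitlement export (user, department, status,
roles), a toxic-combination matrix and a per-department role baseline.
All names, roles and rules are made up for illustration.
"""

# Constructed entitlement export, as a directory or ERP might dump it.
ENTITLEMENTS = [
    {"user": "alice", "dept": "finance", "status": "active",
     "roles": {"AP_VENDOR_CREATE", "AP_INVOICE_APPROVE"}},
    {"user": "bob",   "dept": "finance", "status": "active",
     "roles": {"AP_INVOICE_ENTER", "AP_INVOICE_APPROVE"}},
    {"user": "carol", "dept": "it",      "status": "active",
     "roles": {"DOMAIN_ADMIN", "AP_INVOICE_APPROVE"}},
    {"user": "dave",  "dept": "sales",   "status": "terminated",
     "roles": {"CRM_READ", "VPN_ACCESS"}},
    {"user": "erin",  "dept": "sales",   "status": "active",
     "roles": {"CRM_READ"}},
]

# Toxic combinations: holding both roles lets one person complete a fraud end to end.
SOD_RULES = [
    ({"AP_VENDOR_CREATE", "AP_INVOICE_APPROVE"}, "create a vendor and approve payments to it"),
    ({"AP_INVOICE_ENTER", "AP_INVOICE_APPROVE"}, "enter and approve the same invoice"),
]

# Roles each department has a business need for; anything else is excess access.
ROLE_BASELINE = {
    "finance": {"AP_VENDOR_CREATE", "AP_INVOICE_ENTER", "AP_INVOICE_APPROVE"},
    "it":      {"DOMAIN_ADMIN", "VPN_ACCESS"},
    "sales":   {"CRM_READ", "VPN_ACCESS"},
}


def find_sod_conflicts(entitlements, rules=SOD_RULES):
    """Return (user, description) for every user holding a toxic role pair."""
    conflicts = []
    for e in entitlements:
        for pair, why in rules:
            if pair <= e["roles"]:  # subset test: the user holds both roles
                conflicts.append((e["user"], why))
    return conflicts


def find_excess_access(entitlements, baseline=ROLE_BASELINE):
    """Return {user: roles} for roles outside the user's department baseline."""
    excess = {}
    for e in entitlements:
        extra = e["roles"] - baseline.get(e["dept"], set())
        if extra:
            excess[e["user"]] = extra
    return excess


def find_stale_accounts(entitlements):
    """Terminated users who still hold any role at all."""
    return sorted(e["user"] for e in entitlements
                  if e["status"] != "active" and e["roles"])


def access_review(entitlements):
    """Bundle the three checks into one report for the reviewer."""
    return {
        "sod_conflicts": find_sod_conflicts(entitlements),
        "excess_access": find_excess_access(entitlements),
        "stale_accounts": find_stale_accounts(entitlements),
    }


if __name__ == "__main__":
    report = access_review(ENTITLEMENTS)
    for user, why in report["sod_conflicts"]:
        print(f"SoD conflict: {user} can {why}")
    for user, roles in report["excess_access"].items():
        print(f"Excess access: {user} holds {sorted(roles)}")
    for user in report["stale_accounts"]:
        print(f"Stale account: {user} is terminated but still has roles")
```

On the constructed data the report flags two SoD conflicts (alice and bob), one IT administrator holding a finance approval role outside the IT baseline, and one terminated account that was never deprovisioned; each of those is a finding a reviewer would take to the system owner rather than something a scanner would ever surface.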

Scan your network for system patching and configuration weaknesses. Vulnerability scanning is a tool experts employ to reveal holes an attacker could use to gain access to your organization and its data. IT teams often deploy patches to address known threats; however, a robust patch management process is more than auto-installing third-party patches, and configuration weaknesses are not fixed by any patch at all. Experts perform scans from outside and within your network and provide you with a targeted remediation plan for eliminating the weaknesses identified in your existing systems.
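How raw findings from an external and an internal scan become a prioritized remediation plan, as an added example that is not part of the original article: the hosts, finding titles, scores, dates, exposure weights and the 30-day patch window are all constructed assumptions, and the point is the ranking logic, which separates missing patches (a patch-process gap) from configuration weaknesses that no update will fix.

```python
"""Turn vulnerability-scan findings into a prioritized remediation plan.

Constructed example: findings from an external and an internal scan of a
small network. Hosts, titles, CVSS scores and dates are made up; the
exposure weights and the 30-day patch window are assumed policy values.
"""
from datetime import date

SCAN_DATE = date(2024, 3, 1)

# Constructed scan output, one row per (host, finding). A None patch date
# marks a configuration weakness rather than a missing vendor patch.
FINDINGS = [
    {"host": "web01",  "scan": "external", "title": "Outdated OpenSSL",
     "cvss": 7.5, "patch_released": date(2023, 11, 1)},
    {"host": "web01",  "scan": "external", "title": "TLS 1.0 enabled",
     "cvss": 5.3, "patch_released": None},
    {"host": "fs01",   "scan": "internal", "title": "SMBv1 enabled",
     "cvss": 8.1, "patch_released": None},
    {"host": "fs01",   "scan": "internal", "title": "Missing OS cumulative update",
     "cvss": 8.8, "patch_released": date(2024, 2, 15)},
    {"host": "hr-pc7", "scan": "internal", "title": "Outdated PDF reader",
     "cvss": 7.8, "patch_released": date(2023, 6, 1)},
    {"host": "hr-pc7", "scan": "internal", "title": "Default SNMP community",
     "cvss": 4.3, "patch_released": None},
]

EXPOSURE_WEIGHT = {"external": 2.0, "internal": 1.0}  # assumed: reachable from the Internet counts double
MAX_PATCH_AGE_DAYS = 30                                # assumed policy: vendor patches applied within 30 days


def finding_kind(f):
    """'patch' if a vendor fix exists, otherwise 'config' (needs a change, not an update)."""
    return "patch" if f["patch_released"] else "config"


def patch_age_days(f, as_of=SCAN_DATE):
    """Days the vendor patch has been available without being applied (0 for config findings)."""
    return (as_of - f["patch_released"]).days if f["patch_released"] else 0


def priority_score(f, as_of=SCAN_DATE):
    """Higher means fix first: severity scaled by reachability, plus a penalty
    when a patch has sat unapplied past the policy window (a process failure)."""
    score = f["cvss"] * EXPOSURE_WEIGHT[f["scan"]]
    if patch_age_days(f, as_of) > MAX_PATCH_AGE_DAYS:
        score += 2.0
    return round(score, 1)


def remediation_plan(findings, as_of=SCAN_DATE):
    """Findings sorted by priority, annotated with kind and patch age."""
    rows = []
    for f in findings:
        rows.append({
            "host": f["host"], "title": f["title"], "scan": f["scan"],
            "kind": finding_kind(f),
            "patch_age_days": patch_age_days(f, as_of),
            "priority": priority_score(f, as_of),
        })
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


def patch_process_gaps(findings, as_of=SCAN_DATE):
    """Hosts where a patch existed but was not applied within policy."""
    return sorted({f["host"] for f in findings
                   if patch_age_days(f, as_of) > MAX_PATCH_AGE_DAYS})


if __name__ == "__main__":
    for r in remediation_plan(FINDINGS):
        print(f"{r['priority']:5}  {r['host']:7} {r['scan']:8} {r['kind']:6} {r['title']}")
    print("patch process gaps on:", patch_process_gaps(FINDINGS))
```

The externally reachable web server rises to the top even though the file server carries the highest raw CVSS score, and two hosts show patches that have been available for months, which is evidence about the patch process rather than about any single finding. The configuration items (TLS 1.0, SMBv1, default SNMP community) stay on the plan because auto-update will never clear them.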

Knowledge Builds Trust and Security

You may have all the confidence in the world in your IT department, but would you bet your business on your team’s cybersecurity credentials? Your company’s bottom line depends on a cybersecurity-savvy IT department. The first step toward that goal is knowledge: find out how your IT department’s time and resources are being spent, and how effective they are at protecting your company against cyber threats. An independent cybersecurity expert can help you take that first step and create a plan for moving forward. Whether expert analysis reveals that your trust in your IT department is well-founded or identifies critical gaps in your cybersecurity program, the knowledge you gain is invaluable.

To get a clear picture of your current cybersecurity status and help safeguard your data in the future, contact Doeren Mayhew’s cybersecurity advisors and learn more about the CYBERCLAW™ IT Security Solutions suite.